The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements for protecting cardholder data. Any organisation that stores, processes or transmits cardholder data is obliged to comply with the PCI-DSS, otherwise it risks heavy fines and, in the event of a breach, far higher costs. The standard therefore spells out the security controls an organisation must have in place in order to meet it.
What is PCI-DSS certification?
To prove that a company is truly PCI-DSS compliant, it must validate its compliance (commonly called PCI-DSS certification) by demonstrating that it meets the requirements. The standard is maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB), and given the speed at which the IT security landscape is evolving, the Council revises the requirements on a regular basis. The PCI-DSS defines a set of rules that organisations must follow in order to be validated as compliant. Some of the practices required are:
- Installation of firewalls to restrict traffic to and from the systems that hold cardholder data
- Encryption of cardholder data sent across public networks, for example to payment processors
- Installation and regular updating of anti-malware software on systems commonly affected by malware
- Logging and monitoring of access to network resources and cardholder data
- Access to cardholder data restricted to those with a business need to know
Payment Card Industry Data Security Standard compliance levels
Not all vendors (merchants) have the same volume of business and network resources, so the PCI-DSS provides different validation requirements based on the level of the vendor. Each card brand defines its own levels; the Visa levels below are the ones most commonly quoted, and they are determined by the annual volume of Visa transactions. All vendors have an obligation to comply with the PCI-DSS, regardless of size, but the level to which they belong determines how they must validate compliance.
PCI-DSS level 1
Those who process more than six million Visa transactions per year belong to Level 1. These are generally large global businesses, but Visa may classify any vendor as Level 1 at its discretion with a view to reducing risk. Level 1 vendors must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), and must have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
PCI-DSS level 2
Any vendor with an annual Visa transaction volume of one million to six million. Those belonging to Level 2 must complete an annual self-assessment questionnaire (SAQ) to attest compliance with the requirements applicable to them, and must undergo a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV).
PCI-DSS level 3
Those with a volume of 20,000 to one million Visa e-commerce transactions per year. Level 3 sellers are required to complete an annual self-assessment questionnaire (SAQ) to attest that they meet the requirements, in addition to having quarterly ASV scans performed.
PCI-DSS level 4
When the number of Visa e-commerce transactions is less than 20,000 per year or up to one million standard Visa transactions per year, sellers belong to Level 4. To meet Level 4 requirements, they are required to submit a self-assessment questionnaire (SAQ) and perform quarterly PCI compliance scans.
PCI-DSS Requirements
Although many compliance regulations require major infrastructure changes and the adoption of special security tools, the PCI-DSS is built around twelve top-level requirements, each broken down into detailed sub-requirements and testing procedures. Any gaps or carelessness in meeting them can result in heavy penalties, so it is crucial for companies to adhere to the PCI-DSS guidelines by putting the appropriate controls in place.
The card brands impose 12 requirements on companies in order to remain PCI-DSS compliant. The purpose of the standard is to protect cardholder data, so the requirements essentially concern the protection of this sensitive information against cyber threats. Any changes to the requirements are announced and published by the PCI Security Standards Council, so companies need to review them, at least annually and whenever a new version of the standard is released, to ensure that they are still compliant.
The 12 requirements of the PCI-DSS are:
1- Install and maintain a firewall configuration that restricts traffic to the cardholder data environment
Most companies already have a firewall at the network edge that acts as a barrier between the internal infrastructure and the Internet. But in larger and more structured networks, where public Wi-Fi may also be offered and departments must be kept separate, additional firewalls are needed to segment the network. For instance, in order to protect cardholder data, a firewall should separate the systems that handle payment data (the cardholder data environment) from the rest of the network, such as the sales department. Segmentation also reduces the scope of the systems that must be assessed for compliance.
2- Do not use the default system passwords provided by device manufacturers
In order to make the work of network administrators easier, every network device is supplied ready to use, with a default account and password set by the manufacturer. These passwords, however, are publicly documented, which makes the network resources accessible to attackers. After connecting a device to the network, the first thing an administrator must do is to change the default password to a new, strong password and to remove or disable any other default accounts, SNMP community strings and unnecessary services the device ships with.
3 – Protecting consumers’ stored financial data
It may seem obvious, but not all companies that store credit card data take steps to ensure due security. The card number (PAN) must be rendered unreadable wherever it is stored, for instance with strong encryption, truncation or tokenisation, and no one within the company should have free access to it. Sensitive authentication data (the full magnetic stripe or chip data, the CVV2 security code and the PIN) must never be stored after authorisation, even if encrypted. Any access should be logged and an audit trail kept so that it can be consulted in the event of a breach.
4 – Financial data moving in public networks must be encrypted
When it travels over the Internet or any other public network, cardholder data must be encrypted with strong cryptography (for example TLS) to prevent eavesdropping. Users enter their credit card data on an e-commerce site and this information must be encrypted in transit. The seller sends the credit card data to a payment processor and this too must be encrypted. Some companies, the more structured ones, also encrypt the traffic within the corporate network, even though the standard only mandates it for public networks.
5 – Install and regularly update antivirus software
All company servers and workstations should have antivirus software installed. Even better, antivirus should also be installed on any mobile device that stores or processes credit card data. With the growing popularity of smartphones, protecting all types of endpoints and investing in mobile security should become a priority for companies accepting payments via mobile devices.
6 – Develop and maintain secure systems and applications
Systems within the network are constantly changing, and as the company grows, administrators will always add new ones. Whenever a new system is installed within the corporate infrastructure, it must be built and configured with security in mind: vendor security patches applied (critical ones within a month of release), a change control process followed, and, for software developed in-house, secure coding practices used to prevent common vulnerabilities such as injection flaws. Every resource must be configured with the goal of ensuring the security of credit card data.
7 – Using the minimal privilege standard to access data
Users should only be allowed access to credit card data if this is necessary to perform their work tasks. Credit card data are at risk from insider threats, so only employees who strictly need access to perform a certain task should be authorised. In most cases the card number is masked when displayed to increase security; the PCI-DSS allows at most the first six and last four digits to be shown. For example, customer service employees can only see the last four digits of the credit card, unlike those working in the billing department, who can see the full number in order to help customers change the card on file, provided that business need is documented.
8 – Assign a unique ID to each person with computer access
Every user who accesses systems or cardholder data must have a unique ID; shared and generic accounts are not allowed. Whether it is a compromised account or an insider threat, recording every access together with the user ID leaves a useful trace in case of an investigation. Investigators and law enforcement agencies use audit trails to identify the perpetrator of a breach, and they are equally important during incident response because they help establish the extent of the damage and which consumers have been affected. The PCI-DSS also requires multi-factor authentication for all remote access into the network and for administrative access to the cardholder data environment.
9 – Restricting physical access to credit card data
Servers on which credit card information is stored must have adequate physical security measures in place, and physical media containing cardholder data must be secured and destroyed when no longer needed. For companies that store credit card data in the cloud, the cloud service provider must itself be PCI-DSS compliant for the services used, and the customer should obtain the provider's Attestation of Compliance; responsibility for the remaining controls is shared and must be documented. Any physical access to the infrastructure must be logged, so that there is a trail for possible audits and investigations.
10 – Log and monitor access requests to network resources where credit card data are stored
Monitoring access to data is a common requirement in many regulations. Logs and monitoring go hand in hand in the field of data security and protection. Logs record every access to cardholder data and every administrative action, while monitoring tools use these events to identify anomalies that trigger notifications to administrators. Monitoring lets analysts identify incidents promptly and respond quickly to contain them and limit the damage resulting from a breach. The PCI-DSS requires logs to be reviewed daily, protected from tampering and retained for at least one year, with at least three months immediately available for analysis. A point that is easy to overlook: the logs themselves must not contain full card numbers, so application logging must mask or strip the PAN before writing it.
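Requirements 7 and 10 above meet in practice at one place: the card number must be masked wherever people or logs see it, and the logs must be checked for PANs that slipped through unmasked. The following is an added example written for this article, not code from the page or from any product it mentions. It combines the Luhn checksum that all major card brands use with a masking rule that follows the first-six/last-four limit, and runs it over a handful of constructed log lines; the card numbers in the sample are the public Visa and Mastercard test numbers, and the role names are assumptions for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes. The Luhn check below removes most numeric false positives
# (order numbers, timestamps, amounts).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the checksum all major card brands use for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, role: str) -> str:
    """Render the PAN for a given role under the need-to-know rule.

    The roles are assumptions for this example. PCI DSS allows at most the
    first six and last four digits to be displayed; only a role with a
    documented business need sees the full PAN.
    """
    if role == "billing":                  # documented need: update card on file
        return pan
    if role == "fraud_analyst":            # needs the BIN (issuer), not the full PAN
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return "*" * (len(pan) - 4) + pan[-4:]  # everyone else: last four only


def find_pans(text: str):
    """Return (text as matched, normalised digits) for each Luhn-valid PAN."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.group(), digits))
    return hits


def redact_log_line(line: str, role: str = "support") -> str:
    """Replace every PAN found in a log line with its masked form."""
    for raw, digits in find_pans(line):
        line = line.replace(raw, mask_pan(digits, role))
    return line


def scan_logs(lines):
    """Flag lines holding an unmasked PAN. The finding carries the redacted
    line, so the alert itself does not copy the PAN into yet another log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if find_pans(line):
            findings.append((n, redact_log_line(line)))
    return findings


# Constructed sample log lines. 4111111111111111 and 5555 5555 5555 4444 are
# the public Visa and Mastercard test numbers; 1234567890123456 is an order
# id that fails Luhn, and the last line is a test number with a wrong digit.
SAMPLE_LOG = [
    "2024-03-01T10:02:11Z INFO checkout order=1234567890123456 amount=42.00",
    "2024-03-01T10:02:12Z DEBUG gateway request pan=4111111111111111 exp=12/26",
    "2024-03-01T10:02:13Z DEBUG retry pan=5555 5555 5555 4444 cvv=***",
    "2024-03-01T10:02:14Z INFO user=alice action=view_card last4=4444",
    "2024-03-01T10:03:00Z ERROR parse failed input=4111111111111112",
]

if __name__ == "__main__":
    for n, redacted in scan_logs(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found -> {redacted}")
```

Only lines 2 and 3 are reported: the order number and the mistyped number fail the Luhn check, and `last4=4444` is too short to be a PAN. The `cvv=***` field in line 3 is already masked, which is the only acceptable state for it, since the security code may not be stored at all after authorisation.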
11 – Test security systems and procedures often
Security systems occasionally fail or do not function as they should, so administrators must periodically verify the security controls throughout the infrastructure. The PCI-DSS requires, among other things, quarterly internal and external vulnerability scans (the external ones by an Approved Scanning Vendor), penetration testing at least annually and after any significant change, and mechanisms to detect unauthorised wireless access points and changes to critical files. Some companies go further and organise security-focused events, offering rewards to employees or external researchers who manage to find vulnerabilities in systems and resources. In addition to the annual assessment, administrators should periodically review the PCI-DSS compliance documentation to ensure it still reflects the environment.
12 – Documenting security policies and distributing them to employees
Employees cannot follow security policies if they are not aware of them. The PCI-DSS requires employers to prepare, document and review at least annually an information security policy, and to run a security awareness programme, so that employees can refer to the policy to clearly understand what needs to be done and the correct way to handle customer data.
What benefits does the PCI-DSS bring?
Staying compliant undoubtedly requires a great deal of effort, but complying with the PCI-DSS standard brings many benefits in economic terms as well, so it is in your interest to follow the guidelines and comply with the security requirements set by the PCI-DSS, doing whatever is necessary to protect cardholder data.
Benefits include:
- Greater trust on the part of customers. When making payments, customers want to be sure that their data is safe. Having PCI-DSS compliance certification communicates that your business does what is necessary to protect credit card information.
- Preventing data breaches. Any organisation that stores sensitive data such as credit card data must put security first. PCI-DSS standards help organisations prevent and block cyber attacks that could cause significant damage and financial losses.
- Remain compliant with global standards. The Payment Card Industry Security Standards Council (PCI SSC) comprises the major credit card companies globally and offers updates on the latest trends in cybersecurity. Some vendors may require you to maintain PCI-DSS compliance in order to do business with them.
- It helps to implement appropriate security controls. It is by no means easy to untangle the countless security solutions on the market if you do not have a dedicated in-house cybersecurity team. The PCI-DSS frameworks offer guidance in this regard. Implementing the PCI-DSS also gives administrators guidance on the security controls to be adopted to effectively protect credit card data.
- It provides a foundation for other compliance standards. Most companies are required to adhere to multiple compliance standards. Many of the controls the PCI-DSS demands, such as access control, encryption, logging and vulnerability management, also satisfy requirements of other frameworks, so applying them reduces the effort needed for HIPAA and GDPR compliance, even though each of those has requirements of its own.
Non-compliance with the PCI-DSS
Non-compliance with the PCI-DSS carries heavy consequences. Suffering a data breach can cost a company millions of euros to repair the damage and cover the costs of litigation resulting from class actions. The five main consequences are:
- Monthly penalties: Having non-compliant infrastructure puts consumers' credit card data at risk, which is why the card brands, through the acquiring bank, impose hefty monthly fines for non-compliance, commonly cited as ranging from $5,000 up to $100,000 per month depending on the level of the vendor and how long the non-compliance lasts. The acquirer may also raise transaction fees or terminate the merchant account.
- System Compromise and Data Breach: Insufficient security systems leave room for vulnerabilities exploited by cyber criminals to breach data, resulting in economic damages that can reach millions of Euros in response to incidents. As well as leading to lengthy investigations, loss of customer trust and likely litigation.
- Lawsuits: The most serious breaches lead customers to organise themselves into full-fledged class actions to obtain compensation for damages suffered. Companies will also be faced with the costs of legal advice and any reimbursements awarded in court.
- Damage to corporate reputation: If a company is known to pay little attention to security, customers will turn to a competitor. The resulting image damage negatively affects customer loyalty and trust.
- Economic losses: As customers flee to competitors, the company loses revenue, which is eroded even more by the costs incurred by legal action.
PCI-DSS Compliance Best Practices
Most PCI-DSS best practices follow the requirements, but companies have the option of implementing additional policies to enhance security. Here are some additional practices to consider:
- Keep software up-to-date: Developers periodically release updates that correct security problems in their software, so it is important to always apply security updates and patches to avoid leaving the infrastructure vulnerable.
- Tokenising credit card data: Tokenisation replaces the card number with a surrogate value (token) that has no mathematical relationship to the original, unlike encryption, which can be reversed by anyone holding the key. The mapping between token and card number is kept only in a tightly controlled vault, while every other system stores and uses the token, often retaining only the elements of the original data that business operations need, such as the last four digits. Systems that hold only tokens can be taken out of the scope of the cardholder data environment.
- Assign a unique ID to each user and resource: Administrators assign unique IDs to users, but any component accessing data should also have a unique ID to keep track of access requests.
- Protect passwords: Require all users to securely store their passwords. We recommend the use of password managers to ensure password security.
- Penetration testing of networks and applications: Engaging a qualified penetration tester (a white hat hacker) to test your infrastructure will identify security holes and misconfigurations in your network and software before an attacker does, so that you can take countermeasures to resolve them. The PCI-DSS already requires this at least annually; doing it after every significant change as well is good practice.
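The tokenisation practice described above, as an added example written for this article rather than code from the page or from any vendor mentioned on it. The vault is the one component allowed to see the card number; everything else holds a token that looks like a card number (same length, same last four digits) but is otherwise random. The role name `payment_processor`, the leading `9` on tokens and the audit trail format are assumptions for the example; in a real deployment the two dictionaries would be an encrypted database inside the cardholder data environment.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Vault-based tokenisation in the simplest form that still shows the design.

    The vault is the only component that ever sees a PAN, so it sits inside the
    cardholder data environment; every other system stores and passes around
    the token. The token has no mathematical relationship to the PAN, which is
    what distinguishes tokenisation from encryption.

    Two maps (in production: an encrypted database, not Python dicts):
      token -> PAN        needed to detokenise for the payment processor
      HMAC(PAN) -> token  lets a returning card get the same token again
                          without storing the PAN in a searchable form
    """

    ALLOWED_TO_DETOKENISE = {"payment_processor"}   # assumed role name

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan = {}
        self._pan_index = {}
        self.audit = []   # requirement 10: (caller, role, token, allowed) per request

    def _index(self, pan: str) -> str:
        # Keyed hash: an unkeyed SHA-256 of a 16-digit PAN is brute-forceable
        # in minutes, so the key must never leave the vault.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        key = self._index(pan)
        if key in self._pan_index:            # same card, same token
            return self._pan_index[key]
        # Format-preserving token: same length and same last four digits as the
        # PAN, so receipts and customer screens keep working. The leading '9' is
        # an assumption for this example: ISO/IEC 7812 reserves that prefix for
        # national use, so the token cannot collide with a live card BIN.
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_index[key] = token
        return token

    def detokenize(self, token: str, caller: str, role: str) -> str:
        allowed = role in self.ALLOWED_TO_DETOKENISE
        self.audit.append((caller, role, token, allowed))   # log denials too
        if not allowed:
            raise PermissionError(f"{caller} ({role}) may not detokenise")
        return self._token_to_pan[token]      # KeyError for an unknown token


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("4111111111111111")   # public Visa test number
    print("stored by the CRM:", token)
    print("sent to the processor:", vault.detokenize(token, "settlement-job", "payment_processor"))
    try:
        vault.detokenize(token, "alice", "support")
    except PermissionError as err:
        print("denied:", err)
    print("audit trail:", vault.audit)
```

Because the index is an HMAC rather than a plain hash, a stolen copy of the index table does not let an attacker recover card numbers by hashing all possible PANs, and because the token keeps only the last four digits, a support screen showing it discloses no more than the masking rule of requirement 7 already allows.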
How 365TRUST can help you
365TRUST offers numerous solutions that enable companies to achieve and maintain PCI-DSS compliance, ensuring compliance with data protection requirements across a wide range of industries, such as PCI, HIPAA and GDPR, as well as protecting your most sensitive corporate data such as intellectual property, legal documents and Mergers and Acquisitions agreements. Our data protection tools and resources ensure the security of consumer data, protecting it from attacks.
Maintaining compliance is important for business continuity, even if being compliant alone is not enough to keep your company completely safe from all threats. Companies are generally required to comply with multiple regulations and 365TRUST will help you find the right balance between compliance and security.