Don’t Take Risks! 5 Steps to Understanding PCI Compliance
No matter how big or small your organization, whether you sell products or services or both, if you process, store or transmit credit card or payment data then it’s important to be PCI DSS (Payment Card Industry Data Security Standard) compliant. If you don’t, your business could be at risk from fraud, fines, and a wrecked reputation.
- Risk from fraud
Retail fraud surged 30% last year, with merchants now paying nearly $3 for every dollar lost. As more retailers invest in anti-fraud solutions, criminals are targeting retailers with vulnerabilities they can exploit with minimal effort. If you’re not PCI compliant you become easy pickings for them.
- Risk from fines
PCI compliance is not legally mandated, so there are no criminal charges if you aren’t compliant. However, if you suffer a data breach while not in full compliance, you could be liable to a steep fine from the PCI Security Standards Council (PCI SSC), and possibly under GDPR (in Europe), which holds you accountable for how you safeguard your customers’ data.
- Risk from lost reputation
While your business may find it easy to bounce back financially from any criminal losses or fines, the same is not true for your reputation. Once word gets out that your systems aren’t secure, it can impact even the most loyal customers.
PCI safeguards the payment chain
Being PCI compliant means that your business is either meeting the standards and best practices as outlined within PCI DSS or outsourcing to others who are. In particular, the PCI DSS is designed to protect your key transaction systems and processes including:
- Card readers and point of sale (POS) systems (hardware and software)
- Store-based networks and wireless access routers
- Payment card data storage and transmission (e.g. payment gateways)
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
The Standard specifies 12 requirements, which are organized into six control objectives relating to the storage, transmission and processing of cardholder data.
In effect this means that merchants are responsible for compliance wherever they come into contact with customers’ ‘sensitive’ data. That means keeping well documented records and ensuring staff are trained and systems and processes are maintained to PCI standards.
Five Steps to PCI Compliance
No surprise that many sales organizations, already struggling to get to grips with data security, are failing to meet their initial PCI compliance assessments.
So, what’s the best way to make PCI compliance plain sailing? Here are five key steps you can take to keep you on track:
- Understand your scope and PCI requirements
Before you start, it’s important to establish where you currently stand in terms of the PCI criteria. The applicable requirements are different for different businesses (currently 9 categories). These are determined by transaction pathway and exposure to cardholder data. Identifying all the systems and components that are located within, or connected to, your cardholder data environment will give you a good indication of your ‘scope’.
- Consider how to aid compliance and reduce scope
Payment strategy and solutions can have a huge impact on your PCI scope. For example, many online merchants outsource all their payment data handling to third-party service providers. As they never touch or view customer credit cards or raw payment data, their scope is significantly reduced, leaving minimal criteria for them to follow. The risk is carried by their partner, who will be responsible for all applicable PCI requirements. Where you are responsible for customer payment data in card-present scenarios, you can minimize scope using PCI point-to-point encryption (P2PE) in conjunction with tokenization to reduce handling of sensitive data.
- Follow the PCI assessment process and use the guides to stay on track
Completing a PCI self-assessment questionnaire (SAQ) will help you assess your current compliance level. There are different versions of this depending on your type of business (see point 1). The relevant guidebook will take you through the process of identifying your current practice and what you have to do to bring your payment security into line with PCI. There are lots of merchant resources to help on the PCI Security Standards Council website.
- Ensure your systems make the grade – and change them if they don’t
Any gaps flagged in step 3 should be rectified. Fixes may be easy (e.g. tweaking an audit process) or more complex (e.g. replacing outdated devices, non-compliant payment platforms and even your payment service provider). You can use the SAQ to re-assess your improvements and make sure you’re ready to proceed to the next stage.
- Complete your AOC and inform relevant parties
Once you’re happy with your SAQ, you can complete a formal attestation of compliance (AOC). This claims your business is fully compliant with all relevant PCI standards (according to your business category). If required, now is the time to have a QSA (qualified security assessor) audit and report on your compliance to validate your own findings. Once approved, you must notify relevant credit card companies and/or banks who may request an additional external vulnerability scan to finalize the process.
The key message is “Don’t leave PCI to chance”. If you’re not certain, it makes sense to get help finding out rather than ignoring the issues and letting your security lag. Most solution providers will be happy to talk through any sticking points. Or you can contact the PCI SSC for a list of approved experts to guide you along the way.
And remember, the PCI DSS is not a tick-in-the-box standard. It is an ongoing process, and checks need to be carried out regularly, which may include an annual audit, to ensure you remain compliant and your customers protected.