We all concur that rules exist to keep things in order. This is especially true in the business world, where the objective is to ensure that every enterprise function runs smoothly.
For example, think of how rules can be vital in keeping your business data safe. Is this possible? The answer is ‘Yes’. That is why, as a small or medium business owner, you might have received an email from the bank that handles your credit card processing asking you to verify your compliance with the Payment Card Industry Data Security Standard (PCI DSS). If you have, what does this actually mean? Well, let us get into the details, starting with the basics.
What is Payment Card Industry Data Security Standard (PCI DSS)?
PCI DSS is simply a set of accepted policies and procedures aimed at improving, or rather optimizing, the security of debit, cash and credit card transactions while also protecting cardholders from misuse of their personal data. The term is not new at all. In fact, it has been around since 2004, when it was jointly created by the major credit card companies (Visa, MasterCard, Discover and American Express).
The Objectives of PCI DSS:
In essence, PCI DSS specifies six major objectives pertaining to how cardholder data should be stored, accessed and even discarded:
- All transactions should be done over a secure network. This calls for strong network security tools and devices, such as firewalls, that deliver proper security without causing any inconvenience to cardholders.
- Cardholder information must be protected in every storage repository. In other words, sensitive data such as social security numbers, dates of birth, phone numbers, addresses and other personal data should be secured against hacking.
- Every system should be secured using an effective software solution. Always go for robust antivirus software, anti-spyware programs and other anti-malware solutions.
- Access to systems and the information they hold should always be restricted.
- The systems in place should be tested frequently to ensure that they work properly and are up to date.
- Formal security policies should be crafted and followed at all times.
Data Breaches and Penalties:
So, what happens if you do not comply? Luckily, you will not be going to jail. Of course, these are rules, not laws, but that does not mean there are no penalties! In fact, a data breach can turn out to be even worse than jail time. Companies that do not comply with these standards tend to struggle to win customers' trust. What is even worse is the amount of money you could lose from a data breach.
There are also fines you can incur for non-compliance. Fines can range from $5,000 to $100,000 a month, or your banks could impose increased transaction fees.
Now, let’s look at the steps you need to follow to improve the security of your customers’ payment data.
Do an Assessment
The first thing you will need to know is the latest PCI DSS requirements. PCI DSS 3.2 went into effect this year, so you will need to look at the detailed requirements described in that version of the standard. The PCI security standards website should serve as a great resource when building your checklist: it is where you will find a proper description of a common payment card infrastructure and of the processes that govern access to it.
You will then need to analyze the flow of cardholder data through the transaction process. Make sure you include the PCs and laptops that have access to the system, as well as the storage mechanisms. You can then move on to check the versions of the software used for card transactions, not forgetting the PIN entry terminals, and make sure they all meet the PCI compliance validation standards.
You should also make sure that any third parties involved in the process flow are compliant.
Note: If your environment is too complex, you will need a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV) to help you with the process.
The next step is to fix any vulnerability found, both technical and in the practices undertaken by the organization. You can classify vulnerabilities to prioritize the remediation process. Make sure you re-scan to confirm that the vulnerabilities have actually been fixed.
Prepare a Report
Under the PCI compliance guidelines, you are required to submit reports to the acquiring bank and the card payment brands you do business with. If your business has a larger transaction flow, you are required to have annual on-site assessments completed by a certified QSA and the findings submitted to all of your acquirers.
What else can you do?
The above three are the main steps, but there is more you can do beyond working to achieve certification. You are advised to test your systems and processes regularly, unless you want to fall prey to the attackers who exploit vulnerabilities every day. You might be tempted to outsource everything, but it all comes down to one thing: your company is responsible.
You will also need to implement a training program for employees to ensure that they have the necessary level of security awareness. Research has shown that informed employees tend to make better decisions that end up protecting sensitive data. This will reduce the risk of security breaches and increase the revenue generated by the company.
PCI compliance might not be especially exciting, but it is one of the foundations for mitigating breaches. After all, there is no point investing time, money and sweat in building your business only to lose everything through a data breach! Remember, the PCI guidelines keep changing every year, so you should keep evolving your tactics too if you are to keep pace with the smart attackers out there.