PCI standards continue to evolve, protecting against data thieves and ensuring merchants continue to have a healthy bottom line.
Any organization that accepts, stores, processes or transmits cardholder data as part of authorization or settlement is required to host data securely and maintain PCI compliance. PCI compliance is not something to take lightly, as the future of a business could depend on it.
Whether you are a merchant, POS provider or SaaS provider, you are aware of all the recent data breaches in the news. No merchant wants to be the next victim, but becoming and staying PCI compliant can also cost time, resources and money, depending on what level of security the merchant requires based on annual transaction volume and how they’re processing it.
While payments technology and data security are complicated and constantly being updated, there are some rules put in place by the large credit card brands to help merchants get or remain compliant, as defined by the Payment Card Industry Security Standards Council. Observing the Data Security Standard (DSS) put in place by the PCI SSC is something every merchant accepting credit card payments must do, or they may be met with fines.
Here are some main points to keep in mind when preparing your organization to become and remain PCI compliant.
Networks can be built with compliance in mind. If you are a new business or software developer just starting out, and you expect your business to expand quickly, then you want to pay attention to how your network is being built. Business expansion can lead to the need for additional networks to support the growth, and with them the potential for more complex PCI compliance management in the future. It is best to create your network in a way that reduces your PCI compliance scope, right from the start.
Having multiple networks that talk to each other may mean your PCI scope increases (more networks to check to ensure they are compliant). There are ways to firewall and protect your networks from talking to each other if they don’t have to. This can be built in ahead of time to ease potential pains down the road. Remember that segmentation is key. That means no communication between in-scope and out-of-scope networks.
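As an added example (not code from the original article) of checking the "no communication between in-scope and out-of-scope networks" rule: the script below models a set of constructed network segments tagged by PCI scope and a constructed firewall policy, and flags every allow rule that would let traffic cross the scope boundary. The segment names, addresses and rules are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample segments: (CIDR, in_scope). In-scope segments hold or
# transmit cardholder data; everything else is out of scope.
SEGMENTS = {
    "cde_pos":    ("10.10.0.0/24", True),
    "cde_db":     ("10.10.1.0/24", True),
    "corp_lan":   ("10.20.0.0/16", False),
    "guest_wifi": ("192.168.50.0/24", False),
}

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    action: str  # "allow" or "deny"

# Constructed firewall policy (hypothetical), in the order it would be evaluated.
RULES = [
    Rule("pos-to-db", "10.10.0.0/24", "10.10.1.0/24", "allow"),
    Rule("corp-to-db-reporting", "10.20.5.0/24", "10.10.1.0/24", "allow"),
    Rule("guest-egress", "192.168.50.0/24", "0.0.0.0/0", "allow"),  # too broad: also reaches the CDE
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "deny"),
]

def scope_of(net: str) -> set:
    """Return the set of scope flags of every segment that the network overlaps."""
    n = ipaddress.ip_network(net)
    return {in_scope for cidr, in_scope in SEGMENTS.values()
            if n.overlaps(ipaddress.ip_network(cidr))}

def segmentation_findings(rules) -> list:
    """Names of allow rules whose source and destination fall on different sides
    of the in-scope / out-of-scope boundary. Simplification: earlier deny rules
    that would shadow a later allow are not modelled."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = scope_of(r.src), scope_of(r.dst)
        crosses = (True in src and False in dst) or (False in src and True in dst)
        if crosses:
            findings.append(r.name)
    return findings

if __name__ == "__main__":
    print("segmentation findings:", segmentation_findings(RULES))
```

Running it reports both the reporting rule from the corporate LAN into the CDE and the guest egress rule, whose 0.0.0.0/0 destination silently includes the in-scope ranges.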
Compliance isn’t just about checking boxes. PCI compliance doesn’t have to be just a series of checkboxes stating that your organization is accepting and transmitting cardholder data securely. While it’s crucial to uphold PCI compliance standards, reviewing your systems through a Self-Assessment Questionnaire (SAQ) can shed light on things you may not be thinking about that might put you or your customers’ data at risk. Merchants benefit by thinking about risk and filling out the self-validation tool openly and honestly.
In many cases, a network scan may be required to become PCI compliant (depending on how many payments you take in annually). Quarterly network scans should be done regardless in order to protect your data. Wrapping network scans into PCI compliance gives business owners one less thing to plan on doing separately.
You can’t just outsource PCI compliance. While merchants can certainly get help when it comes time for PCI compliance, you can’t just outsource your entire responsibility to a third party. The inspection must happen on your networks. If some part of your network needs additional security, you will need to understand what the vulnerability is, at which point you can work with specialists who will help ensure your networks get patched. The bottom line is that at some point the merchant needs to understand PCI compliance basics and be involved in the process.
There are ways to decrease "PCI scope." If you happen to be a large enterprise or integrated software vendor, you may have additional requirements under PCI compliance. Many ISVs are not prepared for the additional work that comes along with completing a full DSS assessment. Compliance could require any number of things, such as more firewalls, policies, etc. In addition to building networks with compliance in mind, using payment security solutions like hardware protected by point-to-point encryption (P2PE) can help to reduce scope. If small businesses use P2PE-validated hardware and are not accepting card data through any other channel, this essentially eliminates much of the PCI scope (any merchant’s dream!).
How can this happen? Why don’t merchants using P2PE go through all the PCI compliance tests and checks? With point-to-point encryption, the card data is held only in encrypted form, so a thief who captures it cannot make use of it. The merchant network never sees the plain-text card data when it’s collected on a P2PE device. With P2PE, the cardholder data is encrypted immediately. The cardholder data is not seen by the merchant and it stays encrypted throughout the full life cycle of the transaction. So, the risk of credit card data being stolen out of a credit card machine is minimized.
There are milestones for prioritizing PCI DSS compliance efforts. The 12 main requirements of the PCI DSS are detailed in a helpful online guide called the "Prioritized Approach to Pursue PCI DSS Compliance." This guide can be used by merchants who undergo on-site assessment or use the SAQ D. It can assist these merchants in understanding the most important risks, in financial and operational planning, and in tracking progress against milestones.
The Prioritized Approach was created after generating data from real data breaches as well as reactions from qualified security assessors, forensic investigators and the PCI SSC board of advisors.
You aren’t alone in this data security and compliance fight. While data thieves are getting more sophisticated in their attacks, PCI compliance is becoming more sophisticated in its defense. New research and assessments from actual breaches allow the compliance standards to stay updated and keep merchants and their customer data safe. Small businesses can get support from their payment processor to make sure they are meeting all the PCI standards and maintaining compliance every year. Larger enterprises should also work with their service provider to stay on the cutting edge of PCI compliance and build networks with compliance in mind.