If your business accepts credit card payments, then you need to comply with PCI-DSS standards. PCI-DSS stands for Payment Card Industry Data Security Standard. These are sets of rules established to protect against credit card fraud, hacking, and other security breaches. Credit card issuers and companies that store, process, and transmit card information implement the rules defined by the PCI-DSS. Here’s what you need to know about these standards.
Origin of PCI-DSS
The 1990s and early 2000s saw an increase in credit card fraud. The card brands responded independently, each conducting its own research and development to protect its payment system, and each created its own security standard. These competing standards created problems, since entities that handled credit cards had to comply with a different set of rules for each card company. To solve these compliance and interoperability challenges, the leading payment card companies joined forces, aligned their policies, and launched the first PCI-DSS standard in 2004.
The companies were Visa, MasterCard, American Express, Discover, and JCB. In 2006, these companies formed the Payment Card Industry Security Standards Council, which is a governing body that oversees the evolution and development of PCI-DSS. Today, these standards are used around the world, and any organization that is involved in payment processing is required to comply with these rules.
Who Is Required To Comply With PCI-DSS
Any organization that accepts, transmits, or stores cardholder information from the Visa, MasterCard, American Express, Discover, or JCB networks must comply with PCI-DSS standards. This applies regardless of the size of your business, and regardless of whether you store card data at all. Although companies are not legally obligated to comply, parties that process card payments, such as merchants and banks, must enter into a contract with the card network.
The contract outlines the rules and regulations you need to adhere to. The agreement is essential for establishing liability between the two parties when a security breach occurs: if it is established that your entity was not in compliance with PCI-DSS standards at the time of the breach, you will be liable. To make sure entities comply, assessments are conducted annually. Any organization found to have flouted the rules of the agreement may be fined or banned from processing card payments.
PCI Compliance Levels
There are four PCI compliance levels, and the category you are in depends on the volume of card transactions you process in a year. A Level 1 merchant handles more than 6,000,000 payment card transactions annually. A Level 2 merchant performs between 1 and 6 million transactions, Level 3 between 20,000 and 1 million, and Level 4 is for service providers with fewer than 20,000 transactions in a year.
Levels 1 and 2 are the highest levels, and merchants in them have to adhere to tighter rules. Requirements in the top two categories include engaging an Approved Scanning Vendor to perform a quarterly network scan, undergoing an annual audit by an authorized PCI auditor, and completing a penetration test to check for vulnerabilities in the network. If your business suffers a data breach, you may be placed in a higher compliance level regardless of the volume of card payments you process in a year.
PCI-DSS Security Controls
For your organization to be considered PCI-DSS compliant, you must observe the 12 security controls below.
- Build and maintain a secure firewall. Every business is obligated to install and maintain a firewall that protects cardholder data. It should also be configured to fit your system.
- Do not use default passwords and settings on any systems or devices. Most systems supplied by vendors come with default usernames and passwords, which are easy to crack.
- Protect cardholder data. Every entity should do its best to secure card information through methods like encrypting stored data, protecting encryption keys, and maintaining a flow diagram that shows how card data moves through your organization.
- Secure data over all networks. Cardholder data should always be protected when being transferred over a private or public network by using current encryption standards.
- Protect your systems with reliable and up-to-date antivirus software. All systems should have antivirus software installed and be scanned periodically.
- Develop and maintain secure systems. All your systems and applications should be frequently updated and patched to close any loopholes that can be exploited. This includes operating systems, software, and browsers.
- Restrict access to cardholder data. Have an access control plan and document everyone who has permission to the data environment.
- Assign a unique ID to all individuals who have access to the data.
- Physically limit access to cardholder data.
- Track and monitor all access to network resources and review system event logs daily.
- Conduct tests on your systems and processes to expose vulnerabilities.
- Develop and implement a security policy.
There is no doubt that complying with PCI-DSS standards helps secure cardholder data. Losing customer data to an attacker because of poor security policies can have wide-reaching implications. If you want to protect your organization from breaches, it is time to start upholding the PCI-DSS standards.