Organizations that handle, or are held responsible for, credit or debit card information are expected to follow PCI DSS (the Payment Card Industry Data Security Standard). PCI DSS is not a government regulation, but it is mandated by all the major payment card brands, including MasterCard, Visa and American Express, so for a business that must accept credit and debit cards it carries as much weight as the law. For newcomers, it can be difficult to understand the PCI DSS requirements and to know what your organization needs to do to avoid fines and penalties.
That may be why, according to Verizon's compliance report, only 11% of organizations meet all 12 PCI DSS requirements.
Well, this brings us to a very important question.
What is PCI DSS Compliance, and Why is it Important?
For the major card brands, the security of cardholder data is their utmost responsibility. That is why they consolidated their separate security programs into PCI DSS and created the Payment Card Industry Security Standards Council (PCI SSC) to maintain and enforce it. Implementing the standard at your company reduces the risk of a breach involving your payment gateway and the card data it handles. In the case of Target, a massive breach of cardholder data damaged the company's credibility with customers so severely that its profits plummeted 46 percent, and both its CIO and CEO resigned.
Being PCI compliant also lessens the risk of fines imposed by the card brands in the event of a breach. Penalties for PCI violations are not widely publicized, but they can be severe: in 2010, Visa imposed a $60 million fine on Heartland Payment Systems over its breach. When a payment brand such as Visa levies a fine, it typically sends the bill to the merchant bank (the acquirer) that processes the merchant's card transactions.
That bank will then likely pass the bill on to your company. It may also raise the transaction fee on every purchase it processes on your behalf, or terminate the business relationship altogether. Since breaches are no longer rare, being PCI compliant reduces the pain of a breach by minimizing the risk of fines and other penalties.
The 12 PCI Requirements
The PCI DSS is broken down into 12 requirements, each of which contains detailed sub-requirements.
For instance, Requirement 3 covers protecting stored cardholder data, but most of the implementation detail is in its sub-requirements. Sub-requirement 3.3, for example, specifies that organizations must mask the primary account number (PAN) when it is displayed, showing in clear text no more than the first 6 and last 4 digits, so that only personnel with a legitimate business need can see more.
A customer support representative, for example, only needs to confirm the account number using the last 4 digits and does not need access to the full PAN.
When you use cloud services, there are specific steps you need to follow to meet PCI DSS. First, verify where card data is stored and transmitted. Regardless of your policies, you may find users entering card numbers into cloud services as part of their regular workflow, so you need data loss prevention (DLP) policies that govern data stored in the cloud. Moreover, since only 2.9% of cloud services enforce strong passwords, you will probably need a single sign-on solution that enforces strong passwords for the cloud applications your employees use.
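As an added illustration of the two technical points above (masking a displayed PAN to at most the first 6 and last 4 digits per sub-requirement 3.3, and a DLP-style scan for card numbers in text headed for a cloud service), the following Python is example code written for this page; it is not from the original article or from any PCI SSC publication. It assumes a constructed sample text containing well-known publicly documented test card numbers (not real accounts), a hypothetical role name "support" for the last-4-only view, and uses the Luhn checksum to reject digit runs that merely look like card numbers.

```python
import re

# Constructed sample text (not real data). 4111... and 3782... are the standard Visa and
# Amex test numbers; 1234567890123456 is a 16-digit run that is NOT Luhn-valid.
SAMPLE_TEXT = (
    "Ticket 4821: customer asked to update card 4111 1111 1111 1111 on file; "
    "order id 1234567890123456 is not a card; amex 378282246310005 also provided."
)

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (raw_match, normalized_digits) for each Luhn-valid 13-19 digit run."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.group(0), digits))
    return hits


def mask_pan(pan: str, role: str = "default") -> str:
    """Mask a PAN for display.

    'default' shows at most the first 6 and last 4 digits (the PCI DSS 3.3 ceiling);
    the hypothetical 'support' role shows only the last 4, which is all a support
    representative needs to confirm an account.
    """
    digits = re.sub(r"\D", "", pan)
    head = 0 if role == "support" else 6
    tail = 4
    return digits[:head] + "*" * (len(digits) - head - tail) + digits[-tail:]


def redact_text(text: str, role: str = "default"):
    """DLP-style pass: replace every Luhn-valid PAN in text with its masked form.

    Returns (redacted_text, number_of_pans_masked). Digit runs that fail Luhn
    (order ids, ticket numbers) are left untouched to limit false positives.
    """
    count = 0

    def _sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits, role)
        return m.group(0)

    return _CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    for raw, digits in find_pans(SAMPLE_TEXT):
        print(f"found {raw!r} -> default {mask_pan(digits)}  support {mask_pan(digits, 'support')}")
    redacted, n = redact_text(SAMPLE_TEXT)
    print(f"masked {n} PAN(s): {redacted}")
```

The Luhn check is a false-positive filter, not proof that a number is a live card; a production DLP rule would also check the BIN range and the context the number appears in, and would quarantine rather than merely mask when full PANs are found where no cardholder data should be stored at all.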
The 4 PCI Compliance Reporting Levels
There are 4 levels, assigned based on the size of your company and the volume of card transactions you process. The lower the level number, the more stringent the PCI compliance reporting requirements. Visa classifies merchants into levels based on their transaction volume. All companies that handle payment card information must be PCI compliant, but businesses with more than 20,000 transactions a year must also obtain third-party validation of compliance. To carry out that validation, the organization needs to engage Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
PCI Compliance Table

| Level | Criteria | Validation requirements |
|---|---|---|
| 1 | Over 6 million Visa transactions annually (all channels) | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company (the internal auditor is highly recommended to hold the PCI SSC Internal Security Assessor (ISA) certification); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form |
| 2 | 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form |
| 3 | 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form |
| 4 | Fewer than 20,000 Visa e-commerce transactions annually and fewer than 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the merchant bank |
If you suffer a data breach, you may be moved to a higher compliance level (a lower level number) with more stringent reporting requirements. Third-party validation and reporting can be time-consuming and costly, and being placed at a higher level after a breach can burden your company, because you may not have the financial resources of the companies whose transaction volume normally puts them at that level.