What is PCI Security & Compliance?

So what is PCI compliance? Learn about the Payment Card Industry Data Security Standard requirements and the independent body that maintains and enforces the PCI DSS.

PCI DSS Meaning

So what is PCI compliance exactly? The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. PCI DSS is a set of requirements intended to ensure that every company that processes, stores, or transmits credit card information maintains a secure environment. It was designed in 2006 and released by the PCI Security Standards Council (PCI SSC), which manages compliance with it.

This article provides a comprehensive overview of PCI compliance, covering:

  • A list of resources for understanding the PCI SSC Data Security Standards.
  • The 12 PCI DSS requirements your company must meet to keep its data security current.
  • The benefits of PCI compliance.
  • The dangers of not being compliant.
  • 18 tips collected from PCI DSS experts.

PCI Standards

The PCI Security Standards Council provides all the information and resources necessary to keep card data secure.

PCI SSC offers a wide range of tools and resources to protect cardholder data.

  • Self-Assessment Questionnaires (SAQs) are used to demonstrate that a company meets PCI DSS requirements.
  • There are requirements for PIN transaction security devices, and a list of approved ones.
  • If you’re a software vendor, PA-DSS and the list of Validated Payment Applications can help ensure your payment application is secure.
  • The ASV list is a public resource for finding approved scanning vendors in your area. PCI SSC also lists all approved Qualified Security Assessors (QSAs) and Payment Application Qualified Security Assessors (PA-QSAs).
  • Many assessors are qualified to do this work.
  • The program does not reduce risk by itself; the PA-QSAs are intended to help you improve it.
  • Only approved scanning vendors are allowed to perform the scans in this area.
  • There is an education program for people who want to become Internal Security Assessors (ISAs).

PCI DSS Compliance Requirements

1. Establish and Maintain Firewalls

Firewalls are a key component of security. They block access from foreign or unknown entities attempting to get into private data.

2. Adequate Password Protections

Too often, businesses fail to change the default passwords on devices. This can be a major security risk.

3. Safeguard Cardholder Data

The third requirement of PCI DSS compliance is to encrypt all stored card data with certain algorithms. This means generating an encryption key, and for compliance purposes that key must itself be encrypted (it is protected by a separate key-encrypting key rather than stored in the clear alongside the data).
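The “key that is itself encrypted” idea in practice, as an added example that is not from the article: each PAN is encrypted under its own data-encrypting key (DEK) with AES-256-GCM, and the DEK is wrapped under a key-encrypting key (KEK) that, by assumption, lives in an HSM or KMS and is never stored beside the data; the record ID used as additional authenticated data is an assumption of this example.

```go
// Added example, not from the article: what "the key also needs to be encrypted"
// means in practice. Each stored PAN is encrypted with its own data-encrypting key
// (DEK, AES-256-GCM); the DEK is then wrapped by a key-encrypting key (KEK) kept
// elsewhere (an HSM or KMS in production). The database holds only ciphertext.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if ciphertext, nonce or AAD were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptPAN generates a random DEK, encrypts the PAN with it and wraps the DEK
// under the KEK. recordID is bound as AAD, so a wrapped key or ciphertext copied
// onto another record will not decrypt. The plaintext DEK is never stored.
func EncryptPAN(kek []byte, recordID, pan string) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = seal(dek, []byte(pan), []byte(recordID)); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = seal(kek, dek, []byte(recordID)); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, ciphertext, nil
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN with the DEK.
func DecryptPAN(kek []byte, recordID string, wrappedDEK, ciphertext []byte) (string, error) {
	dek, err := open(kek, wrappedDEK, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, ciphertext, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 32) // production: fetched from an HSM/KMS, never stored beside the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	w, c, _ := EncryptPAN(kek, "order-1001", "4111111111111111") // constructed test PAN
	fmt.Println(DecryptPAN(kek, "order-1001", w, c))
	fmt.Println(DecryptPAN(kek, "order-2002", w, c)) // wrong record: AAD mismatch, fails
}
```

Rotating the KEK then only means re-wrapping the small DEKs, not re-encrypting every stored card number.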

4. Encrypt Data Transmission

Companies should only send customer data to known locations, never to unknown ones, and they should never share account numbers with those unknown destinations.

5. Use and Maintain Anti-Virus Software

Anti-virus software is good practice outside of PCI compliance too. Under PCI DSS, however, it must be installed on all devices that interact with or store primary account numbers (PANs). This means you’ll need to obtain anti-virus software from your POS provider and update it regularly.

6. Correctly Updated Software

It is necessary for businesses to update their firewalls and anti-virus software often. It’s also important that all pieces of business software are updated, as most will have security measures like updates or patches included in them.

7. Limit Data Access

Cardholder data may only be given to those who need it. Staff, executives and third parties should not have access to this information unless their role specifically requires it, as PCI DSS mandates.

8. Access IDs with Distinctive Characteristics

When working with cardholder data, each employee should have individual credentials to access the encrypted information. There should never be a single shared login whose username and password are known to multiple people, because that makes a breach harder to trace and easier to cause.

9. Limit Physical Access

Any cardholder data should be kept in a secure location. Both physical records (written or printed) and digital copies (e.g., on a hard drive) should be locked away in an area accessible only to a limited set of authorized personnel, with access controlled whenever the sensitive data is handled.

10. Maintain Access Logs

I’ve seen many companies not keep proper records of how they access sensitive data. They need to document the number of times it happens and where that information is stored.

11. Perform Vulnerability Scans and Testing

A company faces many possible threats, and the PCI DSS requirement for regular scans and vulnerability testing helps limit them.

12. Document Policies

The company will need to keep track of everything from equipment and software, to how employees use it. Any information that goes in or out should be recorded.

Pros of PCI Compliance

PCI compliance is difficult, especially for large organizations. The maze of standards and issues can be overwhelming to handle on your own.

The PCI SSC says that there are many benefits of compliance, but if you don’t comply with them it could have serious consequences. For example:

  • PCI Compliance is a measure of security for your systems, and it’s important because customers will trust you with their payment card information. And once they have confidence in you as a company, they’ll come back to do business again.
  • If you want to improve your reputation with acquirers and payment brands, it’s important that you make sure to comply with the PCI standards.
  • PCI compliance prevents security breaches and theft of customer data.
  • If you want to be PCI compliant, then there are a number of other regulations that it is best for you to comply with.
  • PCI compliance is an important part of any security strategy.
  • PCI Compliance is an important factor in improving the efficiency of IT infrastructure.

Issues Posed by PCI Non-Compliance

PCI SSC warns that failing to meet PCI compliance after working hard to build your brand and win customers could lead to losing them. By meeting the compliance requirements of the data security initiative, though, you protect your customers’ sensitive information so they can remain customers.

  • Data that is stolen from a company can be very damaging.
  • It’s important to be mindful of how damaging bad publicity can be not just in the moment, but for years into the future.
  • There are many risks associated with account data breaches, including catastrophic losses of sales and relationships.
  • All of these things happen when a company hires the wrong person for a job, and it’s costly.

Data Security is a more manageable task when you have the right software and services. Choose data loss prevention software that can accurately classify your cardholder information so you know it’s secure.

Guideline for Meeting PCI-DSS Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of guidelines for any company that accepts, stores, processes or transmits credit card information. These standards have been created to protect consumers from fraud and theft.

To learn what companies need to do and know about compliance with PCI-DSS, we reached out to a panel of InfoSec pros and asked them:
What are the most important things every company needs to do to comply, so that their customers’ data is not compromised?

What are the best steps for maintaining PCI compliance?

Have a look at our panel of security professionals and PCI-DSS experts:

  • Mike Baker
  • Cedric Savarese
  • Ian McClarty
  • Ben Zilberman
  • Steve Dickson
  • Tim Critchley
  • Jennifer Glass
  • Ellen Cunningham
  • Jake Posey
  • Evaldas Alexander
  • Dmytro Lanovskyi
  • Geoffrey Scott
  • McCall Robison
  • Gregory Morawietz
  • Carmine Mastropierro
  • Chad Reid
  • Mike Mood
  • Ilmie Sham Ku

Mike Baker

@Mosaic451

Mike Baker is the Founder and Managing Partner at Mosaic451, a cyber security company with expertise in building, operating and defending some of the most highly-secure networks. He has decades of experience monitoring and securing government organizations.

“PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches…”

It’s more of a challenge to stay ahead of cybercriminals as they become increasingly sophisticated. A hacker isn’t just after your credit card number – they want access to everything about you, including all the data that can be used against you.

To be compliant and prevent a POS system from being compromised, merchants need to take several measures.

It’s important for employees to monitor self-checkout terminals, kiosks, and other devices that may be in the store. They should make sure they are operating properly.

Thieves can get your POS data by compromising the system itself or installing card skimmers. The introduction of new chip cards will eliminate the threat of card skimmers, but many retailers have yet to update terminals that accept them because they cannot support EMV-enabled software.

I have to make sure that both the point-of-sale and operating systems are up to date.

Cybersecurity is constantly changing. Experts are finding new ways to patch vulnerabilities while hackers find new systems to hack into, so POS software releases frequent updates that address the most recent security threats.

I always change the default passwords of all my devices, and I recommend that you do too.

When installing new hardware, the default password for it should be changed as soon as possible. This is to avoid hackers from trying out passwords that are publicly available.

The POS system should not be connected to any other network, including the internet.

It’s not a good idea to hook up your POS system to the Wi-Fi or connect it with your corporate network. It can be hacked and that could affect both of them.

When purchasing POS systems, always make sure they come from a reputable dealer.

Retailers and restaurants have very tight budgets, so they should be careful about who they purchase POS systems from. It is important to buy this system only from a reputable dealer.

Cedric Savarese

@cedsav

Cedric Savarese is the CEO of FormAssembly, a company that provides enterprise form solutions. He has been in this position since 2006.

“Best practices for meeting PCI-DSS compliance include…”

The goal of the article is to provide perspective about your job, and identify goals that you can work towards.

The goal of PCI compliance is to keep cardholder data secure, not just make reports.

It’s important to make sure that your company is following all the security protocols in order to protect cardholder data. If you don’t, it could be vulnerable for hackers.

Compliance is more important than risk, security.

PCI compliance may be easy to attain, but companies need to focus on risk management. Security is the primary step in mitigating risks and achieving PCI compliance.

Frequency of audits and scans.

It is a never-ending process. You can’t just scan and monitor; you need to mitigate as well.

Ownership

The PCI compliance manager should have enough responsibility, authority and budget to do their job well.

Balancing business priorities and security costs is a difficult balancing act.

One of the biggest challenges for small businesses is balancing security while also growing. They want to make sure information security and compliance are considered an investment rather than a cost center.

Ian McClarty

@phoenixnap

Ian McClarty has been in the IT industry for over 20 years. He is currently CEO and President of PhoenixNAP Global IT Services.

“When dealing with PCI compliance…”

When it comes to protecting your cardholder data (CHD), there are a few best practices that can help you achieve PCI compliance.

  • If you want to keep your data safe, make sure that it is separated from the rest of the company’s. This way, if something happens with one cardholder environment (CHE), it will not affect all other environments.
  • Encrypt your data – All CHD should be encrypted, or tokenized. This includes encrypting the card number in storage to keep it secure.
  • You need to control access to your data. It’s important that the HR department doesn’t have any access at all and system administrators are able to do their job.
  • Monitor your data for security issues. A recent study found that attackers usually break in through the back door, so you need to be aware of everything going on with your system.

Ben Zilberman

@radware

Ben Zilberman is a product marketing manager with Radware, working on the security team. His focus has been application security and threat intelligence, because he wants to work closely with other teams in order to raise awareness of high profile or impending attacks.

“There are several practices to ensure you meet the Payment Card Industry Data Security Standard (PCI-DSS)…”

To start, you need to make sure that your security protocols are up-to-date. Early SSL/TLS is not sufficient for PCI compliance anymore, so by June 30th of 2018 you must have upgraded to a more secure alternative. Another requirement for meeting PCI requirements is using strong access controls and creating very long passwords with different types of characters that avoid dictionary words. You also need remote communication protection against eavesdropping or other risks while keeping data safe on APIs, as well as encrypted certificates and keys, in order to remain compliant.

Steve Dickson

@Netwrix

Steve Dickson is an expert in information security and the CEO of Netwrix, a company that specializes in data security. He lives in Irvine.

“The Payment Card Industry Data Security Standard (PCI-DSS) aims to…”

This standard is for anyone who handles credit card information, including merchants, processors and issuers.

If you want to comply with PCI-DSS, here are three things you should do:

Conduct regular risk assessments. PCI-DSS recommends that you conduct a risk assessment in order to identify the likelihood and magnitude of harm from various threats, as well as determine whether additional controls should be put into place.

User behavior analytics can help you spot unusual user activity that might be indicative of insider misuse or hackers trying to gain access to IT infrastructure.

Data discovery and classification can help you find out where your sensitive data is in order to set appropriate levels of controls.

Tim Critchley

@Semafone

Tim is an experienced director of technology start-ups in both product and service focused sectors. He has been the CEO of Semafone since 2009, when he helped secure Series A funding from Octopus Investments.

“Complying with the complex PCI-DSS can be quite simple through a tactic called descoping…”

The PCI-DSS considers any person, system, or piece of technology that touches cardholder data as in scope. This means there are a lot more entities to be concerned about and it can get tricky.

If you have a contact center, and they accept customer payments over the phone, it’s possible to use DTMF masking so that sensitive data is out of reach from fraudsters.

Jennifer Glass

@creditcardsnj

Jennifer Glass is the CEO of Credit Cards, NJ (CCNJ) and has been recognized as an expert in the payment processing industry for more than 15 years.

“First is the obvious…”

Make sure that all people in the organization are following common sense practices and not leaving credit card data lying around. Second, if a payment processing system is connected to other systems on the same server(s), get it off those servers so malware can’t attack them.

Ellen Cunningham

@CardFellow

Ellen Cunningham is a marketing manager for CardFellow, and she enjoys the challenge of explaining complex topics. She believes in their mission to empower business owners through education.

“PCI compliance is roughly split into 6 ‘categories’ with steps in each category…”

To make sure you’re compliant, work with your credit card processor or a security company.

The six main areas of compliance are securing the processing network, protecting cardholder data from malware and hackers, using strong access control measures to protect systems against hacking or other unauthorized access by a malicious outsider. Monitoring networks for any potential vulnerabilities is also important.

Setting up a secure network with firewalls, changing default passwords to more secure options and updating other security settings is essential.

To protect cardholder data, you should encrypt the data during transmission and store it off of your servers. Most processors offer a secure vault for digital storage to help with compliance.

To protect your system, you should install and regularly update antivirus software as well as patch any vulnerabilities.

Strong access control is when employees are only given the information they need to do their job, and not more. It also includes limiting physical access so that cardholder data isn’t stolen.

Tracking and testing networks includes monitoring who has access to cardholder data on your network, as well as finding out what they’re doing with that information. It also means checking for security flaws or vulnerabilities.

Creating an information security policy involves stating how your company will handle PCI-DSS and who is responsible for which components of it.

Jake Posey

@jacobposey

Prepaid Program Management LLC is a company that teaches FinTechs and entrepreneurs how to launch prepaid card programs. They also offer training for people who are interested in the industry.

“There are three areas I recommend companies focus on…”

The first way to avoid waiting until annual reviews is by doing mini audits. I’ve seen too many companies wait until the last minute and then find out they’re not PCI compliant.

Second, companies should make sure that their employees are restricted to the job they were hired for. This is especially important in Fintechs where rockstars can do many jobs.

Training is important, but companies need to invest in industry-specific training so that employees can understand the nuances of their work. Otherwise, they may not be able to fully grasp what was taught.

Evaldas Alexander

@rankpay

Evaldas Alexander is the CTO of RankPay, a company that helps small businesses get higher rankings.

“PCI-DSS compliance has several different Self Assessment Questionnaires (SAQs) that must be followed to be compliant…”

A shorter SAQ is better because it’s less likely that you have to deal with a customer service rep updating credit card information on behalf of the client. The wiki should be documented and audited so employees can’t break any policies.

Dmytro Lanovskyi

@intellias

Dmytro Lanovskyi is a CISSP working on one of Intellias’ client projects.

“The best practices for meeting PCI-DSS compliance include…”

First, you need to assign someone who has experience with the compliance process and security. This person would be responsible for coordinating all of your company’s security activities.

You need to start building your architecture with PCI-DSS requirements in mind. You can’t just build something and then try to fit it into the framework afterwards.

You need to do an in-depth risk assessment before you can determine what security needs are.

Make sure you have control over how and when monitoring systems are used.

Make sure you have a security system in place and know what to do if anything goes wrong.

It’s important to set some goals before you start the hiring process.

The PCI-DSS certification process is expensive and time intensive, so be ready to put in the work.

The list of documentation you need to prepare includes:
  • A description of your company and services
  • An overview of the business, including what you do best
  • Antivirus Policy
  • Cardholder Data Policy
  • Firewall and Router Policy
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • System Configuration Policy
  • This policy is to help maintain a safe and secure environment for all employees.
  • The company has a process for testing systems and processes.
  • To combat security breaches, companies should have a policy in place that defines the steps to take when an incident occurs.
  • We have a policy that states what is owned by the company and how it should be used. Anyone who breaks this rule will face disciplinary action.
  • Company policy on developing and designing new software for employees
  • The company has a policy on how we should manage our service providers.
  • Access Control Policy
  • A program is in place to make sure employees are aware of information security risks.
  • This policy statement covers the responsibilities of information security for employees.
  • This template is a contract that guides the relationship between an individual and their company.
  • Data Classification Policy
  • Data Protection Policy
  • Data Management Policy

PCI-DSS compliance is a daily requirement, even after the successful audit.

The CISSP is a certification that allows people to control all security activities.

Geoffrey Scott

@PayMotile

Geoffrey Scott, a consultant at PayMotile.com works to find the perfect payment processor for each individual company.

“PCI-DSS compliance is standard practice for payment processors…”

If you’re just starting out with card transactions, it might be difficult to comply. Here are a couple things that will help:
  • You should always use strong passwords and change them often.
  • Always keep your system updated so hackers can’t access any information.

2. Stop collecting customer information.

The more data you collect, the harder it is to protect. For instance, e-commerce businesses who collect and store user data have to fill out a robust form of compliance called PCI SAQ (self-assessment questionnaire). If they leave such collection up to third parties then their compliance will be easier with less questions on the SAQ.

In light of the GDPR, it’s a good idea to limit and closely monitor data collection. You want to reduce your company’s liability in case there is an error or lawsuit.

If you’re not sure what the best payment processor for your company is, then it’s important to communicate with them. You can’t start a business without knowing how payments work.

PCI-DSS compliance is governed by a standard set of rules, but your payment processor may have additional measures that you’ll need to follow. The last thing either party wants is for there to be any uncertainty about PCI-DSS compliance.

McCall Robison

@BestCompanyUSA

McCall Robison manages the Merchant Accounts Blog for BestCompany.com and she is a Content Specialist.

“What some people don’t realize about PCI-DSS compliance is that…”

You can’t just do it once and think you’re done. You have to keep doing this periodically so that your business is compliant with the PCI-DSS standards.

You need to make sure you are complying with PCI-DSS standards. If not, you must take the necessary steps and eliminate any vulnerabilities.

Gregory Morawietz

@SinglePointOC

Gregory is the VP of Operations at Single Point of Contact. He has over twenty years’ experience in IT security and consulting, with hundreds of client firms to show for it.

“The best practices for meeting PCI-DSS compliance are to…”

Always have the right tools to protect your cardholder data, including a vulnerability management program and an access control system. Keep on top of any potential problems by monitoring networks regularly, testing them often, and implementing security policies.

Carmine Mastropierro

@mastro_digital

Carmine Mastropierro is a self-made man who has created three successful businesses, and he’s written for GQ Magazine, Postmates, and Marketo.

“To meet PCI-DSS compliance…”

If you want to keep your customer data safe, first make sure that the website uses SSL certificates. This is an extra layer of security for customers and it’s required by major payment gateways. Secondly, once this has been taken care of, ensure that you have policies in place for keeping customer data secure (e.g., regular updates). Finally, PCI compliance requires updated systems – databases need to be modernized along with browsers and firewalls.

Chad Reid

@JotForm

Chad Reid is the Director of Communications at JotForm, which provides form software that complies with PCI-DSS standards.

“I think one of the most important aspects of meeting PCI-DSS compliance as a service provider is…”

It’s important to have a top-notch, 3rd party security assessment. This will ensure you can show customers tangible proof of your compliance and go a long way in terms of their trust.

Mike Mood

@LamoodBigHats

Mike is the founder of Lamood Big Hats and WalletGear. He started making hats for people with large heads, as well as wallets.

“One of the best practices in meeting PCI-DSS compliance is to…”

You should never store credit card information on your servers. Use a third-party payment processor that is already PCI compliant, like PayPal, Authorize.net, etc., to make sure the data is safe and avoid vulnerabilities.

You will need to make sure your e-commerce software is up-to-date with the latest patches. If you have a physical retail store, you will need to make sure that it’s not connected wirelessly and maintain a list of wireless access points. You should also consider having strong security measures in place for customer data.

Ilmie Sham Ku

@BlueLinkERP

Ilmie Sham Ku is in charge of content marketing for Blue Link ERP.

“More and more retail businesses are beginning to…”

If your company deals with cardholder data, you need to be very careful when it comes to security. PCI-DSS standards are in place for this reason and ensure that the customer’s information is kept safe.

  • Employees may put credit card information in unencrypted fields just because it’s a habit. It could also be that they don’t have easy access to an encrypted database, so the only choice is to save the information on their computer.
  • Data migration: transferring your company’s credit card information from an unsecure database to a secure one can be time-consuming and tedious, but it is necessary.

To avoid this type of situation, companies must have a proper process for accepting credit card information and train their employees on PCI compliance. Companies should also use accounting software that includes separate databases to store sensitive data like credit card numbers.

Maintaining PCI-DSS compliance is an important task for any business. If you are not compliant, then your company will have to deal with fines and other consequences.
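The “card numbers in unencrypted fields” problem above, and the data loss prevention classification mentioned earlier in the article, come down to finding PANs where they should not be. As an added example that is not from the article or any of the panelists, this Go program scans free-text fields for digit runs that pass the Luhn check and redacts them to first six/last four; the field names and the support-note text are constructed for the example.

```go
// Added example, not from the article: a minimal classifier of the kind a DLP
// tool applies to free-text fields and logs to find card numbers that should
// not be there. Candidate digit runs (13-19 digits, optional spaces/dashes) are
// checked with the Luhn algorithm to cut false positives, then masked so only
// the first six and last four digits remain, as PCI DSS permits for display.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidate matches digit groups that could be a PAN written with or without separators.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check digit test.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// stripSeparators removes spaces and dashes so "4111 1111 1111 1111" becomes digits only.
func stripSeparators(s string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(s)
}

// MaskPAN keeps the first six and last four digits, the most PCI DSS allows to be shown.
func MaskPAN(digits string) string {
	if len(digits) < 13 {
		return strings.Repeat("*", len(digits))
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// Finding records one probable PAN discovered in a field.
type Finding struct {
	Field  string
	Masked string
}

// ScanFields looks through each field value, returns findings for Luhn-valid
// candidates and a redacted copy of the record that is safe to keep in logs or tickets.
func ScanFields(record map[string]string) ([]Finding, map[string]string) {
	var findings []Finding
	redacted := make(map[string]string, len(record))
	for field, value := range record {
		redacted[field] = candidate.ReplaceAllStringFunc(value, func(m string) string {
			digits := stripSeparators(m)
			if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
				return m // e.g. an order or tracking number: leave it alone
			}
			masked := MaskPAN(digits)
			findings = append(findings, Finding{Field: field, Masked: masked})
			return masked
		})
	}
	return findings, redacted
}

func main() {
	// Constructed record: a support note where an agent pasted a (test) card number.
	rec := map[string]string{
		"notes":    "customer gave 4111 1111 1111 1111 over the phone, retry charge",
		"order_id": "order 1234567890123456 shipped", // 16 digits but fails Luhn
	}
	findings, redacted := ScanFields(rec)
	fmt.Println(findings) // [{notes 411111******1111}]
	fmt.Println(redacted["notes"])
}
```

Run against database exports, ticket systems and log archives, the findings list shows where cardholder data has leaked into systems outside the intended cardholder data environment and therefore widened the PCI scope.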

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
