6 Payment Card Industry Security Standards You Need to Know
The payment card industry, or PCI, accounts for billions in financial transactions worldwide. So if you accept and process plastic as a form of payment, you're not alone.
While credit and debit cards represent the ultimate in convenience for consumers and merchants, they also provide thieves and scammers opportunities to exploit stolen or compromised card information.
It happens more than you would expect. In fact, it seems the news cycle isn't complete without a report of the latest data breach that's leaked cardholders' personal information into the hands of potential thieves.
Because of this, it's essential to understand the Payment Card Industry Data Security Standards, better known as PCI-DSS. These guidelines were developed to protect cardholder and transaction data from falling into the wrong hands.
Suppose your business facilitates payment card transactions and stores, transmits, or processes cardholder data. In that case, these standards apply to you, and the ramifications for not adhering to PCI-DSS standards can be significant.
These may include data breaches, financial losses, fines, loss of shareholder and consumer confidence, and revocation of card processing privileges in the most severe cases. For cardholders, it can mean identity theft, financial loss, and damaged credit.
We look at the components of PCI-DSS here so you can uphold them in your business.
1. Build and Maintain a Secure Network
A secure network includes a variety of technical controls designed to protect the cardholder data environment. Firewalls, intrusion detection systems, and security incident and event management systems are some of the most common.
Since every business is unique, there is no one-size-fits-all definition of what's secure. However, this comprehensive merchant security guide from Netsurion outlines various scenarios and factors you may want to consider.
When creating any network, it's important to remember to change vendor-supplied defaults for system passwords and other security parameters. Criminals can easily hack default credentials, accessing them through shared cybercriminal networks.
2. Protect Cardholder Data
When transmitted across open, public networks, cardholder data must be encrypted. Encryption makes it virtually impossible for cyber thieves to decode the information and commit identity theft.
Furthermore, all paper copies of cardholder data should be stored securely and shredded when no longer needed. Cross-cut shredders, the type that turns paper into confetti-like pieces, are recommended. This makes reconstructing discarded documents all but impossible.
Moreover, all conversations about cardholder data should be kept private—out of earshot of customers, vendors, and employees who could harvest this information for illicit purposes.
3. Continuously Monitor Security Controls
Regularly update all applications and hardware devoted to protecting the cardholder data environment and ensure physical security vulnerabilities are also addressed.
As technology continues to evolve, the demands of keeping payment card systems current can seem daunting if you're doing it yourself, especially if you're not tech savvy or inclined.
Relegating these tasks to an employee or IT consultant as part of an overall technology plan may be an option. This blog from BoTree Technologies outlines how to go about it.
4. Maintain a Security Awareness Program
Most data breaches involve some level of social engineering. Often referred to as the 'art of hacking the human mind,' social engineering makes even the most impenetrable technical barriers vulnerable because it exploits human nature to bypass all of them.
Employees can be unwittingly fooled into helping scammers access cardholder data by falling for phishing emails that can lead to a data breach. They may even provide physical access to this information by unknowingly providing thieves access to secure areas where payment card data is kept.
PCI-DSS requires a security awareness program that includes new-hire and annual training to help employees understand how to identify these threats. Implementing a program doesn't have to be complicated or expensive. For your convenience, a list of firms that provide security awareness training is provided here.
5. Enact Strong Access Control
Restrict access to digital cardholder data on a need-to-know basis and assign a unique ID to each employee with computer access. This way, you can track and manage access logs and know precisely who is doing what.
Physical access to cardholder data should also be restricted. This could mean creating a secure environment or using tamper-proof storage.
6. Establish and Maintain a Robust Information Security Program
Create a program that outlines and supports information security policies for employees, vendors, and contractors. Ensure guidelines are clearly communicated and resources available to help clarify, educate and answer questions.
Implementing, adhering to, and upholding PCI-DSS is everyone's responsibility. As standards are updated annually, it's important to know where to turn if you have questions. A Qualified Security Assessor can be a valuable ally in staying compliant.