What you need to know about PCI DSS
(Payment Card Industry Data Security Standard)
It could be the make or break moment for your business!
PCI DSS and Managing your Business
PCI DSS is the standard your business must meet if it stores, processes or transmits cardholder data. Its requirements exist to make sure you have put the necessary security measures in place to prevent things like card fraud and the compromise of your business or customer data. Compliance not only protects your customers, it protects your business's reputation.
We know, it’s a dense topic. But we’ve outlined the basics for you:
- Why PCI DSS is important
- How it impacts each department of your business
- The cost of maintenance
- Applying it to your business
Purpose of this article: to provide managerial insight into PCI DSS. (This is no time for "Who's on first" style confusion.) Here we present the importance, effects, liability and outcomes of PCI compliance.
This article is based on our conversation with Gurpal Singh, Head of Compliance and Data Protection at Finix Payments. Finix Payments provides enterprise-level payments processing software and infrastructure, allowing payment facilitators and ISVs (independent software vendors) to accept all forms of payment.
Importance of compliance
Ultimately, compliance standards are in place to protect all parties involved. You could imagine how it’d be hard to run a business if your customers couldn’t trust you to protect their information. (Hello, Equifax?!)
Ignoring it could cost you business with certain customers. There is also a contractual side: PCI DSS is enforced through the card brands and your acquiring bank rather than by a government regulator, and non-compliance can mean fines passed down from the brands, the loss of your ability to accept cards at all, and in the worst case having to close your doors.
If you're not paying attention yet, this may help put things in perspective. Although it is a separate regime from PCI DSS, GDPR (General Data Protection Regulation) non-compliance can carry a penalty of up to €20 million or 4% of worldwide annual revenue for the prior financial year, whichever is higher. That particular fine is denominated in euros because the GDPR is enforced by European authorities.
You can review the PCI basics, such as who is required to comply, here.
Effect on enterprise
The PCI standard is mandated by the major card brands (e.g., Visa, MasterCard, American Express, and Discover) and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud and prevent security breaches where card data can be compromised/stolen.
Validation of PCI compliance is performed annually. Organizations handling large transaction volumes are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (RoC); companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ) instead. The volume thresholds ("levels") are set per card brand, and most SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Gurpal used his company, Finix, as an example: “Finix is classified as a Level 1 Service Provider, because we store, process, and/or transmit over 300,000 transactions annually. Level 1 Service Providers cannot simply submit a SAQ, but must undergo a full external audit involving a PCI QSA. PCI compliance entails a strict adherence to stringent data security, encryption, logical and physical access controls that collectively secure and protect card data.”
We should also note that having policies and procedures in place does not guarantee a passed audit. The assessor checks that everyone in the organization actually follows those policies and procedures as written, so everyone must be on the same page.
Therefore, the company needs to show documentation that demonstrates its processes are followed. A good example is the daily log review that PCI DSS requires. When a company reviews its logs every day, suspicious behavior can be identified and acted on (for example, a burst of failed login attempts against one account can be detected and the account locked).
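To make the daily review concrete, here is an added example (not code from Finix or from the PCI SSC) of the kind of check a reviewer would run: it scans authentication logs for any user/source pair that reaches the six failed attempts PCI DSS v3.2.1 Requirement 8.1.6 allows before lockout, within an assumed 30-minute window. The sshd-style log format and every line of `SAMPLE_LOG` are constructed for the example.

```python
"""Daily log review for repeated failed logins.

Added example for this article; it is not code from Finix or from the PCI SSC.
PCI DSS v3.2.1 Req. 8.1.6 limits repeated access attempts to six before
lockout and Req. 10.6 requires daily review of security logs. The sshd-style
log format and every line in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 6                # PCI DSS 8.1.6: no more than six attempts
WINDOW = timedelta(minutes=30)  # assumed review window (8.1.7 lockout is 30 min)

# Constructed sample: seven failures for "admin" from one address in under a
# minute, a deploy user who mistypes once then succeeds, and a stray probe.
SAMPLE_LOG = """\
2019-03-04T02:10:01Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2019-03-04T02:10:04Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51123 ssh2
2019-03-04T02:10:09Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2019-03-04T02:10:15Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51125 ssh2
2019-03-04T02:10:22Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2019-03-04T02:10:30Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51127 ssh2
2019-03-04T02:10:41Z bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51128 ssh2
2019-03-04T08:12:55Z bastion sshd[5810]: Failed password for deploy from 198.51.100.23 port 40012 ssh2
2019-03-04T08:13:03Z bastion sshd[5810]: Accepted password for deploy from 198.51.100.23 port 40012 ssh2
2019-03-04T14:00:12Z bastion sshd[6002]: Failed password for invalid user oracle from 203.0.113.7 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, source) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # a production reviewer would also count unparsed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def review(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return one finding per (user, source) pair whose failed logins reach
    max_failures inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            failures[(user, src)].append(ts)

    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start, best, span = 0, 0, (times[0], times[0])
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > best:
                best, span = count, (times[start], t)
        if best >= max_failures:
            findings.append({
                "user": user, "source": src, "count": best,
                "first": span[0].isoformat(), "last": span[1].isoformat(),
            })
    return sorted(findings, key=lambda f: f["first"])


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['user']}@{f['source']}: {f['count']} failures "
              f"between {f['first']} and {f['last']}")
```

Run against the sample, the script reports the `admin` account (seven failures from 203.0.113.7 in forty seconds) and nothing else: one mistyped password and a single probe against a non-existent user are noise, not findings. The script is keyed on user plus source, so a password-spraying attempt (one source, many users, one try each) would slip past it; a real review also aggregates per source. Whatever tool you use, keep the output: the dated review records are what the assessor asks for.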
Then there are procedures that recur throughout the year, such as firewall rule-set reviews, vulnerability scans and internal penetration tests. Any issue they uncover must be remediated, and the remediation documented. (By now you can see that a dedicated person is needed.)
Outcomes of a PCI audit
Partners and customers will ask for your Attestation of Compliance (AoC), the summary of which requirements were assessed and with what result. It is often the foundation of their due diligence.
The audit also produces the Report on Compliance (RoC). This is a confidential internal document: apart from the acquiring bank or card brand it is submitted to, it should only be shared with the company's engineering lead, executive management and internal compliance officer. Because it describes the information security system in detail, it is not made available to customers, and as a rule it is not circulated as a digital file.
If you are using a third-party service organization, build a responsibility matrix: a document that records, for each PCI DSS requirement, whether you or the service provider is responsible for meeting it (PCI DSS requires you to maintain exactly this information about each provider). Remember, even when using a third-party service you remain responsible. So read their reports!
So, does passing the audit mean your job is done? Validated compliance does not mean you are impervious to breach. Think of it as the starting point, and consider working with a PCI-compliant service provider to help maintain your compliance activities between assessments.
Get in sync
A good takeaway from this discussion is that compliance and engineering have to be coordinated. Maximize the coordination between the compliance lead and the engineering lead.
An example of this coordination is tokenization. When presented with the card number, or Primary Account Number (PAN), wouldn't it be great if it were replaced with a different set of digits that you can reference later, so the PAN itself never has to be transmitted or stored by you?
Tokens do exactly that. Credit card tokenization replaces the PAN with a randomly generated value that has no mathematical relationship to the card number. The only way to get back from a token to the PAN is through the token vault, a separate and tightly controlled system that holds the mapping. The beauty of this arrangement is that the merchant never has visibility of the actual card number: if its records are stolen, the attacker gets tokens, which are just useless strings of characters. Compliance exposure shrinks because the PAN never enters the merchant's systems, although the vault itself remains fully in scope, and the merchant still has to keep the PAN out of its own servers at the point of capture (for example by using hosted payment fields).
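The following is an added example of the token-vault pattern described above; it is not Finix's tokenization code. The vault is an in-memory stand-in for what would be a separate, PCI-scoped system with encrypted storage and strict access control, and the index keyed on the plaintext PAN is a simplification (a real vault would key on a keyed hash of the PAN). The card numbers used are the public 4111 1111 1111 1111 and 5555 5555 5555 4444 test values, not real cards.

```python
"""Card tokenization with a vault, as a worked example.

Added for this article; this is not Finix's tokenization code, and the vault
is an in-memory stand-in for what would be a separate, PCI-scoped system with
encrypted storage and strict access control. Test PANs are the public
4111 1111 1111 1111 and 5555 5555 5555 4444 values, not real cards.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); every genuine PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Well-formed PAN: 13 to 19 digits with a valid Luhn check digit."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


def masked(pan: str) -> str:
    """Display form: first six and last four digits, the most PCI DSS 3.3
    allows to be shown; everything in between is replaced."""
    pan = pan.replace(" ", "")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps random tokens to PANs. Only this component ever holds the PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}   # simplification: a real vault keys on a keyed hash

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not is_valid_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            # Same card maps to the same token, so the merchant can
            # recognise a repeat customer without ever seeing the PAN.
            return self._token_by_pan[pan]
        while True:
            # 128 random bits: the token has no mathematical relation to the
            # PAN, so it cannot be reversed without the vault.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Used only on the processor side when a charge is actually made."""
        return self._pan_by_token[token]


def checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant retains after checkout: a token plus a masked display
    string. The full PAN is handed to the vault and is not stored here."""
    return {"token": vault.tokenize(pan), "display": masked(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = checkout(vault, "4111 1111 1111 1111")
    print("merchant keeps:", record)
    print("processor resolves:", masked(vault.detokenize(record["token"])))
```

The merchant's database ends up holding only `tok_…` strings and masked card numbers; a dump of it is worthless to an attacker, which is the whole point. Note what is not shown: the merchant still has to get the PAN from the customer to the vault without touching it, which is why tokenization is usually paired with hosted payment fields or a P2PE terminal, and the vault's own storage, key management and access logging are where the compliance effort moves to, not where it disappears.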
When it comes to personal information, especially information that has to do with someone else's money, you carry a heavy load of liability. Ask yourself: was due diligence done on personnel, on maintenance and on applying the PCI standard? Was a mature infrastructure built on top of those requirements?
Simply stated, if you collect the information, you need to protect the information. This is not a one-time effort. Some have said it is harder to maintain some systems than it was to initially implement them.
When it comes to handling sensitive credit card data, you have the option to either outsource the work or do it in-house. Some businesses are better suited to handle the demands of managing this information in-house.
However, if you operate a food truck, for instance, you may be better off outsourcing the task of protecting cardholder information. Managing it in-house would mean standing up and securing your own servers, bringing them into PCI scope, and staffing the process. That is both costly and cumbersome, and we don't imagine this level of control is of interest to such a business, nor would it really benefit from it. But every business is unique.
Think becoming a payment facilitator could be the right route for you? Make sure your company meets the requirements to make that transition worthwhile.