The Payment Card Industry Data Security Standard (PCI DSS) establishes compliance regulations that affect businesses accepting credit, debit, or prepaid cards as payment online, by telephone, or by individual terminals.
Because so many businesses use credit, debit, and prepaid cards as a core business function, the standards and regulations set forth for PCI DSS compliance are especially important to understand and follow. Unfortunately, victims of recent, high-profile credit card breaches such as Home Depot and Target have failed to maintain these high standards to the tune of heavy fines, loss of reputation, and — if the breaches were to become recurring — the loss of vendor relationships with major credit cards.
Both the Home Depot and Target security breaches were the result of poor security practices. In the case of Home Depot, outdated antivirus software, the failure to continuously monitor their network, and the lack of vulnerability scans all contributed to customer information being stolen unnoticed for months. In the case of Target, an unidentified employee installed malware that captured critical consumer card information during each retail transaction.
Home Depot and Target are not the only retail chains to suffer recently. Jimmy John’s and Goodwill also faced situations in which hackers gained access to vulnerable data over a long period of time. All four brands may have been able to prevent these unfortunate scenarios if they had spent more time assessing and testing the PCI DSS compliance of their security environments.
About PCI DSS Compliance
PCI DSS is the result of a 2006 collaboration among major credit card providers to protect customer data from the vulnerabilities that come with small-scale, regional resellers. The regulation is made up of twelve requirements that set the standard for all entities processing, storing, or transmitting cardholder data.
These common-sense steps aim to mirror security best practices and provide a universal standard for how businesses interact with vulnerable data. They also cover technical and operational system components, the characteristics and management of devices used in transmitting payment processing-related activities, and standards that inform software developers and integrators of payment applications.
Tips for Remaining PCI DSS Compliant
Maintaining PCI DSS compliance can prove difficult for large organizations because of the amount of data and processes to evaluate. However, it’s possible to implement organizational changes that bring the focus back to compliance. Use the following three tips to organize your approach to compliance and prevent a significant security event.
- Perform adequate background research
PCI DSS standards are set by the PCI Security Standards Council, but each major credit card brand maintains its own compliance program. Use Page 9 of the PCI DSS Quick Reference Guide to review each brand’s unique compliance requirements and identify your classification or risk level.
- Assess and validate existing processes and scope
Examine the compliance of your current system and consider alternative technologies and processes that can bring you closer to compliance. Start by reviewing the standard Self-Assessment Questionnaire (SAQ). Depending on the current state of your compliance, you may want to pull in a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV) to assist with on-site security assessments.
- Implement regular assessment and reporting
Moving forward, regular assessment, auditing, and reporting will allow you to verify compliance with PCI DSS, financial institutions, and major card brands. Depending on the requirements for each brand, you may need to submit an SAQ or an annual or quarterly report.
PCI DSS compliance is a major step in maintaining the security of vulnerable customer data. For more information about how Netwrix Auditor integrates PCI DSS compliance solutions for companies that accept credit cards, click here.