SBN

Quick Tips for PCI Compliance

If you process payments in any capacity in your business, you’ve likely hear of PCI DSS. PCI stands for Payment Card Industry Data Security Standards, and it is a critical component of any organization’s security program operating in the payment sector. If you store, process, or transmit credit card information, PCI compliance is required and can provide greater assurance to your customers and partners that you run a strong security program. Violation of PCI requirements can lead to many negative consequences including fines, damages to brand reputation, and exposed risk to data breaches. 

Here’s what you need to know about PCI and PCI compliance, and why each is so critical in modern payment processing.

The Payment Card Industry Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The PCI DSS provides a rigorous security framework and best practices for protecting sensitive cardholder data from malicious software and individuals.
This security framework applies to all organizations that store, process, or transmit cardholder data. The PCI DSS and related security standards are administered by the PCI SSC, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The current iteration is version 3.2, which was released in May 2018.
 

PCI Compliance Requirements

Wondering what it takes to become PCI-compliant? Here’s a complete checklist for 2019:
  • Create and maintain a firewall configuration for the purpose of protecting cardholder data
  • Avoid using vendor-supplied defaults for passwords and security parameters throughout your system
  • Take steps to protect all stored cardholder data
  • Encrypt transmission of cardholder data across both open and public networks
  • Use antivirus software and update it regularly
  • Develop secure systems and applications and maintain them accordingly
  • Restrict all access to cardholder data to only key roles within your business
  • Assign a unique ID to each person using a computer within your system
  • Restrict all physical access to cardholder data
  • Track and monitor any and all access to network resources and cardholder data
  • Test security systems and processes regularly
  • Maintain a comprehensive security policy and ensure that all personnel are on board
For additional information on each point above, visit the PCI Security Standards Council website.
 

What Happens in Cases of Non-Compliance?

As you can probably imagine, failing to comply with the PCI standards is a serious problem. In fact, the fines alone could be enough to put your company out of business. Here are a few of the risks of non-compliance:

Fines and Fees

When you fail to comply with PCI guidelines, you risk fines ranging from $5,000 to $10,000 per month, depending on both the severity and length of your non-compliance. As if that weren’t bad enough, credit card companies will likely also raise your transaction fees following a bout of non-compliance. You may also incur additional costs, like client compensation, forensic investigation and remediation costs, or increased bank rates.

Restrictions

During non-compliance, payment brands may place restrictions on your organization’s ability to process card transactions. In some severe cases, your servicer may terminate your transaction services completely, until you reinstate compliance.

Data Breaches

Finally, falling out of compliance with PCI creates a risk of data breaches, which can have a pronounced negative impact on your brand reputation and security. Often, data breaches create pronounced public backlash and lost customers, as well as ongoing reputation issues. Here’s what The PCI Security Standards Council has to say about the impact of data breaches:

“The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected — there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities.”

Quick Tips for PCI Compliance

Want to be proactive about your PCI compliance every day? Here are a few tips directly from The PCI Security Standards Council:
  • Buy and use only approved PIN entry devices at your point-of-sale
  • Buy and use only validated payment software at your POS or website shopping cart
  • Do not store any sensitive cardholder data in computers or on paper
  • Use a firewall on your network and PCs
  • Make sure your wireless router is password-protected and uses encryption
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices
  • Teach your employees about security and protecting cardholder data
  • Follow the PCI Data Security Standard
 

Ensuring PCI Compliance at All Business Phases

  • PCI DSS Overview and History
  • Risks of Non-Compliance
  • Understanding Merchant Levels
  • Stakeholder Roles and Responsibilities
  • PCI DSS Requirements
  • Scoping and Descoping Methods
  • PCI Audit Process
  • Milestones for Prioritizing PCI Compliance Efforts

Click to document to download

PCI DSS Guide

Apptega provides software that can help you build, manage and report your cybersecurity program based on PCI DSS or12+ other standards.  Apptega helps to simplify the complexity of PCI DSS, eliminate spreadsheets and help you document and report on an organization’s change and configuration management as part of its overall plan.  Plus, with Apptega’s Harmony you can see how your PCI controls overlap other frameworks you are required to follow likeISO 27001,SOC 2, NIST, HIPAA, GDPR,CCPAand more.

We’d love to show you more on how we could help.

Get Demo


*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Apptega. Read the original post at: https://blog.apptega.com/why-pci