How All Stakeholders Can Achieve Compliance
By the year 2000, cybersecurity threats were evolving at a record pace and an increasing number of data breaches were headline news. Online business and buying were on the rise, with smartphones fast becoming the access vehicles of choice.
In response to this global shift, some 15 years ago the payment card industry (PCI) established a set of data security requirements to ensure that all companies who accept, process, transmit, or store credit card information, including user cardholder data, do so securely.
Today, this Data Security Standard (DSS) is truly universal in scope. Applicable to all members of the payment card industry, it has proven effective in reducing the incidents of data breaches and cardholder data theft and loss in the industry.
Payment Card Industry Structure
The payment card industry is an enormous global community, whose constituents include:
- Merchants of all sizes who accept credit cards in payment for goods or services
- Financial institutions who process those transactions
- Point-of-sale vendors who supply the card processing equipment and systems
- Hardware and software developers who create and operate the underlying global infrastructure.
The payment card industry is governed by the PCI Security Standards Council. The Council was founded in 2006 by recognized industry leaders American Express, Discover, MasterCard, Visa Inc., and JCB (formerly Japan Credit Bureau) International. These founding members share equally in the ownership, governance, and execution of the Council's work.
With a commitment to inclusiveness, the Council offers four levels of membership based primarily on transaction volume, and all members of the industry are encouraged to join the Council. A key benefit of membership is the opportunity to contribute to the ongoing maintenance and development of the PCI Security Standard, and to have a voice in the global community.
Over time, the Council has defined a cohesive set of standards and has continued to evolve and refine them by welcoming feedback from this international community. This enables the Council to assist the two segments of this community by:
- Helping merchants and financial institutions understand and implement standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and cardholder data from theft or loss.
- Helping vendors and developers understand and implement standards for creating secure payment solutions for the industry.
The Data Security Standard governs the entire cardholder data environment, from merchant to bank to card company and all along the underlying infrastructure. For merchants, as an example, this environment may include a payment terminal, an electronic cash register, other devices or systems connected to the payment terminal (such as a laptop used for inventory management or a Wi-Fi system for connectivity), and the connections out to a merchant bank.
Full compliance with the Data Security Standard helps to protect more than 374 million cardholder accounts in the United States alone.
Responsibility for Compliance Enforcement
It is important to note that the Council itself does not enforce compliance with the Data Security Standard. This is done by individual payment brands (i.e., the card companies), such as American Express and Visa to name just two. Individual financial institutions who process data, such as Bank of America to name one of many, may also enforce compliance.
As marquee members of the Council, the individual card companies have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs, and to validate compliance among their various constituents.
Further, the card companies can impose fines on both merchants and financial institutions for non-compliance or its consequences. Financial institutions are responsible for enforcing compliance among the merchants they serve and can also determine penalties for merchant non-compliance.
Generally, fines by the card companies to their banks are not publicized and are not required to be reported outside this self-governing industry. In turn, the banks generally pass their fines along to their merchants in the form of increased transaction fees or contract terminations.
Requirements of the PCI Data Security Standard
The Council’s mission is to enhance the security of global payment account data by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
There are six fundamental principles the Council promulgates throughout the industry in support of payment account data security. As you will see, they are not onerous or unusual and are based on security best practices established across numerous industries in recent decades. These six principles are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks regularly for security
- Maintain a documented information security policy.
Stemming from these principles, 12 requirements provide a clear roadmap for securing payment card data from breach, loss, or theft, and thus becoming PCI DSS compliant. In order to achieve compliance with the Data Security Standard, a stakeholder must:
- Install and maintain a firewall configuration to protect cardholder data
- Replace vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data based on a business need to know
- Assign a unique ID to each individual who has computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel.
It seems straightforward and clear enough. And companies who maintain extensive IT teams and robust security programs generally have no difficulty implementing the PCI security protocols. But is it that straightforward for all stakeholders? Can all members of the industry, both large and not so large, achieve compliance? Are they required to do so?
Five Myths that Mislead PCI Compliance Decisions
MYTH ONE: Compliance is Not Mandatory
It is not unusual to find members of the payment card industry who believe that compliance is not required, simply because PCI DSS is not part of federal law or regulation and is not governed by a federal regulatory agency.
While the above is true, all industry members are in fact required to comply. The PCI Data Security Standard globally applies to any company that accepts, stores, processes, or transmits cardholder information. The aim is to secure the entire supply chain and network—and this includes all merchants, all financial institutions, all POS equipment vendors, and all hardware and software solutions providers who are involved in any way with the handling of cardholder data.
MYTH TWO: Compliance is Easy
There is no shortage of vendors who offer a selection of hardware, software, and services for PCI-compliant cardholder data security. And it’s tempting to hope for a single vendor who can meet all 12 requirements, or to offload your responsibility for PCI compliance to an expert third party.
However, read through the 12 requirements carefully and you will realize there is no single solution that can possibly address all of them. For example, there are internal actions that only you can take and internal security controls that only you can implement. As a member of the payment card industry, you must accept responsibility for implementing a holistic security strategy that meets all 12 requirements in addition to addressing the overall intent of the Data Security Standard. While this may not be easy, there is a path and assistance is available.
MYTH THREE: Compliance is Too Hard
Indeed, digesting six principles and understanding and implementing the 12 security requirements seems overwhelming, especially when you’re running a business, wearing many hats, and focused on profits. But the fact is that your customers count on you to maintain effective security for their personal data. And they assume you do.
There’s no need to feel overwhelmed. Remember that the journey of a thousand miles begins with a single step. One way to take that vital first step is to hire an experienced, credentialed security firm to assess your security, and point out all of the gaps between your current security and the 12 requirements. Do your homework to be certain they are experienced in PCI DSS assessments, and able to recommend compliant products and services that can help you effectively and efficiently achieve PCI DSS compliance. Once you get started, the rest will not be difficult. And you’ll sleep better knowing that you’re not jeopardizing your customers’ data.
MYTH FOUR: Compliance is Too Expensive
Complying with federal regulations, laws, and universally accepted standards comes at a price, of course. Every business, of every size, has expenses directly and indirectly related to complying with regulatory and legal requirements: accounting expenses for filing proper IRS tax returns, administrative expenses for complying with EEOC requirements, and so on. It’s a long list, and likely to become longer still, in this digital age.
On the flip side, the risks to your business and the potential costs of non-compliance can far exceed the cost to implement the PCI Data Security Standard. Following are a few of the costs associated with failing to comply and suffering a security violation or data breach:
- Legal fees to settle a breach or disclosure of cardholder data
- Penalties or fines that can range from $5,000 to $500,000 depending on the scope and severity of the breach
- Declines in stock equity or valuation
- Damage to reputation and good name
- Lost business and revenue
- Red flags on merchant accounts at banks and card companies
- Prohibition from continuing to accept or process card payments.
Implementing PCI DSS must become an integral part of your business plan, your basic data security strategy, and your budget.
MYTH FIVE: Our Credit Card Volume is Too Small to Comply
The family-owned restaurant on Main Street, the independent hardware store down the block, the dry cleaner with three locations in town—these and other small merchants take credit card payments, provide receipts, and send transactions to their banks for processing. Regardless of volume, these merchants are all governed by PCI DSS requirements.
This is why the Council recognizes four different levels of merchants, primarily based on transaction volume, and why it offers reasonable compliance alternatives to accommodate each level. The reality is that the scale and impact of a security violation or data breach at a small merchant is likely to be less severe than at a large chain retailer or regional bank.
A Level-4 designated merchant, for example, is able to attest to a basic level of PCI DSS compliance at virtually no expense. Instructions and forms are available in the PCI library. The simple process involves completing a Self-Assessment Questionnaire, passing a security vulnerability scan or penetration test and retaining proof of the result, completing an Attestation of Compliance, and then submitting this documentation to your merchant bank.
Achieving compliance with the PCI Data Security Standard is vitally important for all members of the payment card industry, as well as for the consumers and businesses who use credit cards to pay for goods and services. Substantial guidance is available to assist all stakeholders in securing their card data environments, including hardware, software, and systems, against unauthorized intrusions, data breaches, and security violations.
Myths surrounding PCI DSS compliance cause some stakeholders to resist adopting the Data Security Standard. However, the consequences of non-compliance can be far more burdensome than the cost of implementing the 12 security requirements. With accommodations for smaller merchants, the PCI Council has made it easier for all members of the payment card industry to comply with the universal Data Security Standard, and thus secure card data for cardholders worldwide.