PCI Security Compliance Challenges and Best Practices

Today’s economy is a digital one, and a big part of that is thanks to the emergence of credit and debit cards. We may not yet be an entirely cashless society, but try to book a concert ticket in advance or order a product from the other side of the world. It will soon become apparent how much we rely on these small pieces of plastic for our everyday purchases. Likewise, if you have a business with an online presence, or if you want to grow your business, you will almost certainly need to offer a cashless payment option.

Begin FREE PCI/DSS Course >>

Payment cards are a convenient and efficient way to make transactions, but they can also be a liability. If you use a payment application, or if you handle payment card information, you need to ensure that this information is protected. The reason for this is to protect your customers but also to cover your legal obligations to comply with policies such as the PCI DSS. Failure to comply could result in devastating consequences, and could even mean the end of your business.I’ll be discussing the challenges involved in complying with PCI security standards and offer some best practices that can help you meet your obligations.

What Is PCI and What Does It Mean for Your Business?

PCI DSS stands for Payment Card Industry Data Security Standard, which is an industry-standard developed in 2006 to protect credit card data over transactions. The PCI Security Standards Council (PCI SSC) enforces these guidelines, which includes major credit card companies like Visa, MasterCard, American Express, Discover, and JCB. Compliance with PCI standards is of the utmost importance for merchants. The consequences of using a non-PCI certified provider could amount to thousands of dollars in fines as well as class action lawsuits. Nowadays, credit card fraud is the most common kind of security crime, costing billions of dollars to organizations each year. Compliance with PCI DSS is a must for every company that accepts credit card payments, no matter how small, to protect customer data and payment information.

How Do You Comply with PCI?

To become PCI-certified, a payment provider must follow a plan consisting of twelve requirements to cover six general goals. To validate the PCI compliance, a company has two options, complete the self-assessment questionnaire (SAQ) or contract with a qualified security assessor (QSA). SAQ is a list of questions to evaluate your compliance level, after which you submit it with your quarterly reports to the relevant organization. QSAs are trained professionals that evaluate PCI compliance through security assessments. Keep in mind, that each credit card company has its policy regarding compliance validation levels. New Guidelines for Software VendorsIn January 2019, the PCI SCC released new guidelines for software providers that develop payment applications. The new PCI software security framework will replace the current requirements of the PCI payment application data security standard (PCI PA -DSS).These PCI software standards include security requirements and assessment procedures to protect the transactions information and cardholder data, and guidelines to improve security across software development.

5 Challenges of PCI Compliance

For companies looking to comply with the PCI standard, adherence to each of the twelve steps can present some challenges. The Security Standards Council addresses the most common problems and risks in its information supplement¹. Let’s delve into the five most common issues and how to solve them:

1. Defining the scope of business—PCI requirements vary according to the company transaction activity. The standard defines four levels ranging from fewer than 20,000 transactions a year to more than six million card transactions a year. The first thing to do is to determine which category your company belongs. The difference goes from validating compliance through an SAQ to a quarterly network scan along with an annual audit.
2. Addressing the technical aspects—the technical complexity of the compliance process can be burdensome even if your organization does have a dedicated team to manage PCI compliance, details can be easily overlooked. Getting external support can help speed up the compliance process by giving an extra hand to your team.
3. Non-compliant payment collection systems—can be a problem for companies trying to comply with requirement 7 of the PCI DSS standard. Ideally, a payment solution keeps cardholder data encrypted during traffic and hidden while in storage, and that is compromised when using legacy systems to collect ad-hoc payments. The only solution is to use a collection system that is compliant from the start.
4. Not testing the systems regularly—many organizations need to designate a team to comply with requirement 11. This requires organizational changes, including schedule testings and reporting. Thus many companies find it challenging to implement.
5. Lack of control on the traffic and usage of cardholder data—issues as allowing third parties access to cardholder data without checking their compliance, storing card data when not necessary.

5 Best Practices in PCI Compliance

The consequences of not maintaining compliance can mean hundreds of thousands of dollars in losses from an attack or a credit card fraud. PCI compliance is your first line of defense in your payment system security. Fortunately, there are a few best practices you can use to minimize risk and protect your customers’ data:

1. Check and control point of sale (POS) terminals—controlling your point of sale terminal means to check for card skimmers, who usually operate in self-checkout kiosks, update the software regularly and only buy the terminals from known vendors.
2. Change manufacturers passwords—not only is a requirement of PCI compliance, but it makes sense as manufacturers passwords are meant to be used only for installation.
3. Use compliance as an aid to security—the goal is to minimize threats, compliance helps to mitigate risks associated with credit card transactions. You can achieve this by following the requirements and everyday common-sense practices as using credit card data only on a need-to-know basis.
4. Secure your networks—control access to the data, encrypt the data in traffic. Control that third party access also complies with the requirements, and in doubt, isolate them, to avoid cases like the Saks Fifth Avenue/Lord &Taylor hack². When working with a container configuration, control that inter-container traffic is encrypted, and how the different containers can talk to each other.
5. Assess, remediate, and report—compliance is an ongoing process, and it requires remediation measures, such as an incident response policy³. Monitor regularly the PCI DSS standards to confirm compliance, if not, remediate the problem, and report the case in a compliance statement.
 

Start Learning PCI/DSS Today:

• PCI/DSS
• PCI/DSS Training Course
• PCI/DSS Test
 

Conclusion

Whether your company is a small business or a large organization processing millions of transactions a year, protecting your customers’ data is a must to avoid hefty fines and costly attacks.I’ve discussed how compliance with PCI standards help organizations to stay ahead of attackers and protect their customers’ trust. Now you are equipped with tips and best practices to implement the compliance requirements smoothly.  References:1. https://blog.pcisecuritystandards.org/update-to-maintaining-compliance-information-supplement2. https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html3. https://www.exabeam.com/incident-response/incident-response-policy/