PCI Security Compliance Challenges and Best Practices
Payment cards are a convenient and efficient way to make transactions, but they can also be a liability. If you use a payment application, or if you handle payment card information, you need to ensure that this information is protected. Doing so protects your customers and also covers your legal obligations to comply with policies such as the PCI DSS. Failure to comply could result in devastating consequences, and could even mean the end of your business. I’ll discuss the challenges involved in complying with PCI security standards and offer some best practices that can help you meet your obligations.
What Is PCI and What Does It Mean for Your Business?
PCI DSS stands for Payment Card Industry Data Security Standard, an industry standard developed in 2006 to protect credit card data during transactions. The PCI Security Standards Council (PCI SSC), which includes major credit card companies like Visa, MasterCard, American Express, Discover, and JCB, enforces these guidelines. Compliance with PCI standards is of the utmost importance for merchants. The consequences of using a non-PCI certified provider could amount to thousands of dollars in fines as well as class action lawsuits. Nowadays, credit card fraud is the most common kind of security crime, costing organizations billions of dollars each year. Compliance with PCI DSS is a must for every company that accepts credit card payments, no matter how small, to protect customer data and payment information.
How Do You Comply with PCI?
To become PCI-certified, a payment provider must follow a plan consisting of twelve requirements that cover six general goals.
PCI DSS Compliance 12-step plan
Secure network and systems
1 - Install and maintain a firewall
2 - Don’t use vendor-supplied defaults for passwords and other security criteria
Cardholder data protection
3 - Protect the cardholder data in storage
4 - Encrypt all transmissions of cardholder data
Security and vulnerability protection
5 - Deploy and maintain anti-malware and antivirus protection
6 - Install and update secure applications and systems
Access control measures
7 - Control access to cardholder data on a need-to-know basis
8 - Authenticate access by assigning a single ID to each user with entry permission
9 - Control physical access to sensitive information
Network monitoring and testing
10 - Monitor and track all user access to cardholder data and network resources
11 - Test security systems and processes regularly
Information security policy
12 - Develop and maintain an information security policy for all staff with access to data
5 Challenges of PCI Compliance
For companies looking to comply with the PCI standard, adherence to each of the twelve steps can present some challenges. The Security Standards Council addresses the most common problems and risks in its information supplement [1]. Let’s delve into the five most common issues and how to solve them:
- Defining the scope of business—PCI requirements vary according to the company's transaction activity. The standard defines four levels ranging from fewer than 20,000 transactions a year to more than six million card transactions a year. The first thing to do is to determine which category your company belongs to. Depending on the level, validation ranges from a self-assessment questionnaire (SAQ) to a quarterly network scan along with an annual audit.
- Addressing the technical aspects—the technical complexity of the compliance process can be burdensome. Even if your organization has a dedicated team to manage PCI compliance, details can easily be overlooked. Getting external support can help speed up the compliance process by giving your team an extra hand.
- Non-compliant payment collection systems—these can be a problem for companies trying to comply with requirement 7 of the PCI DSS standard. Ideally, a payment solution keeps cardholder data encrypted in transit and hidden while in storage, and this is compromised when legacy systems are used to collect ad hoc payments. The only solution is to use a collection system that is compliant from the start.
- Not testing the systems regularly—many organizations need to designate a team to comply with requirement 11. This requires organizational changes, including scheduled testing and reporting, so many companies find it challenging to implement.
- Lack of control on the traffic and usage of cardholder data—issues such as allowing third parties to access cardholder data without checking their compliance, or storing card data when it is not necessary.
5 Best Practices in PCI Compliance
The consequences of not maintaining compliance can mean hundreds of thousands of dollars in losses from an attack or credit card fraud. PCI compliance is the first line of defense for your payment system security. Fortunately, there are a few best practices you can use to minimize risk and protect your customers’ data:
- Check and control point of sale (POS) terminals—controlling your point of sale terminals means checking for card skimmers, who usually operate at self-checkout kiosks, updating the software regularly, and buying terminals only from known vendors.
- Change manufacturers' passwords—not only is this a requirement of PCI compliance, but it also makes sense, as manufacturers' passwords are meant to be used only for installation.
- Use compliance as an aid to security—the goal is to minimize threats, and compliance helps to mitigate the risks associated with credit card transactions. You can achieve this by following the requirements and everyday common-sense practices, such as using credit card data only on a need-to-know basis.
- Secure your networks—control access to the data and encrypt the data in transit. Verify that third-party access also complies with the requirements and, when in doubt, isolate it, to avoid cases like the Saks Fifth Avenue/Lord & Taylor hack [2]. When working with a container configuration, make sure that inter-container traffic is encrypted, and control how the different containers can talk to each other.
- Assess, remediate, and report—compliance is an ongoing process, and it requires remediation measures, such as an incident response policy [3]. Regularly check your systems against the PCI DSS standards to confirm compliance; if you are not compliant, remediate the problem and report the case in a compliance statement.