What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The latest update of the standard, known as PCI DSS 3.0, took effect January 1st 2014, but will not require full compliance until the beginning of 2015. Although the PCI SSC manages and administers the PCI DSS, it is not tasked with enforcing compliance. This is primarily the duty of the payment card brands and the acquiring banks, along with retailers and small businesses themselves.
The standards apply to all organisations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.
The idea behind PCI DSS Compliance is to ensure that customers’ credit card information is always kept as safe as possible during processing. To learn what your specific compliance requirements are, check with your card brand compliance program:
The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process:
- Assess — identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyse them for vulnerabilities that could expose cardholder data.
- Remediate — fix vulnerabilities and do not store cardholder data unless you need it.
- Report — compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.
The PCI SSC created 6 control objectives and 12 specific requirements for protecting credit card data. The entire process of PCI DSS Compliance can be quite overwhelming to merchants, and it is for this reason that merchants often seek assistance from a payments specialist to help them achieve PCI DSS Compliance.
PCI Data Security Standard – High Level Overview
| Control objective | Requirement |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
All major credit card companies have mandated that members, merchants and service providers who store, process or transmit cardholder data must demonstrate how they follow the requirements. Failure to do so may result in fines or termination of credit card processing privileges.
So what’s new with 3.0?
Of the 98 items listed in a summary of PCI DSS 3.0, 74 of them are described as “clarification,” while only 19 are “evolving requirements” and five are “additional guidance.”
One of the most significant additions to the standard is the idea of making compliance a daily event, or business as usual (BAU), instead of an annual audit event. A new section provides guidance for building security into BAU activities so as to maintain ongoing PCI DSS compliance. Compliance in the past had a tendency to be reactive, since it was normally done in order to meet an annual or point-in-time obligation or review. 3.0 makes specific recommendations for making PCI DSS part of everyday business processes, and gives best practices for maintaining ongoing PCI DSS compliance.
Outsourcing in general is a guiding theme in the new version: security is a shared responsibility, even if a third party is doing the data storage or payment processing, so it is up to both parties to make sure checks are in place.
Specific new requirements in PCI DSS 3.0 include:
- Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
- Req. 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
- Req. 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer
- Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
- Req. 9.3 – control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
- Req. 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
- Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
- Req. 11.5.1 – implement a process to respond to any alerts generated by the change-detection mechanism
- Req. 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
- Req. 12.9 – for service providers, provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.2
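Req. 11.5.1 assumes a change-detection mechanism is already raising alerts and asks for a process to act on them. The following is an added illustration, not text or code from PCI DSS or the PCI SSC, of what that pairing looks like in practice: a baseline of file digests is taken over a directory, deviations (added, modified, deleted files) are turned into alerts, and each alert is triaged against a set of approved changes so that only unexplained changes are queued for investigation. The directory contents, file names and the `approved_changes` set are constructed for the example.

```python
"""Minimal file-integrity (change-detection) check with alert triage.

Added example in the spirit of PCI DSS Req. 11.5 / 11.5.1; the files,
paths and approved-change list below are constructed, not real.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(root: Path, baseline: dict) -> list:
    """Compare the current tree to the baseline; return one alert dict per deviation."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append({"path": rel, "event": "deleted"})
        elif rel not in baseline:
            alerts.append({"path": rel, "event": "added"})
        elif baseline[rel] != current[rel]:
            alerts.append({"path": rel, "event": "modified"})
    return alerts


def triage(alerts: list, approved_changes: set) -> list:
    """The response process: a change covered by an approved change record is
    'expected'; anything else is marked 'investigate' for follow-up."""
    return [
        dict(a, disposition="expected" if a["path"] in approved_changes else "investigate")
        for a in alerts
    ]


def demo() -> list:
    """Constructed scenario: a tiny system tree with one approved edit and two unexplained changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "payment.conf").write_text("tls_min_version=1.2\n")
        (root / "bin" / "pos_service").write_bytes(b"\x7fELF-constructed-placeholder")

        baseline = build_baseline(root)

        # Approved change (has a change record) ...
        (root / "etc" / "payment.conf").write_text("tls_min_version=1.2\nlog_level=info\n")
        # ... and two unexplained changes: an altered binary and a new library
        (root / "bin" / "pos_service").write_bytes(b"\x7fELF-constructed-placeholder-altered")
        (root / "etc" / "unknown.so").write_bytes(b"\x00")

        return triage(detect_changes(root, baseline), approved_changes={"etc/payment.conf"})


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['disposition']:<12}{alert['event']:<10}{alert['path']}")
```

The baseline itself should be stored and compared from a location the monitored systems cannot write to; a digest store that sits beside the files it protects can be altered along with them.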
Whilst this may look complex and costly, many companies learnt in 2013 that the cost of compliance was far less than the potential cost of fines for noncompliance, which can be tens of thousands of dollars per month, or the cost of a major breach, which can easily run into the hundreds of millions, as in the cases of TJX ($256 million), Sony ($171 million), and Heartland Payment Systems ($140 million). Current estimates of the cost of a breach run between $200 and $300 per compromised card, which would mean Target (USA) could be looking at as much as $8 billion on the low end for their breach in late 2013. And that’s not taking into account the lost clientele and headaches for all involved.
Looking at the Ponemon Institute 2013 Costs of Data Breach report, Australia is also experiencing significant losses from cybercrime:
- The average cost per compromised record is $141 (up from $138 in 2011)
- The average total organisational cost was $2,720,000 (up from $2,160,000 in 2011)
- The average notification cost was $88,000 (up from $76,000 in 2011)
- The average flow-on cost (ex-post) was $810,000 (up from $470,000 in 2011)
- The average lost business cost was $780,000 (down from $840,000 in 2011)
- Australia experienced the highest average number of breached records at 34,249.
- Australia had the second highest detection and escalation cost of $1,400,000 (up from $770,000 in 2011)
- Australian businesses experienced the second highest customer churn rate of 4.0% after a data breach, second only to France.
So if you’re wondering “What is PCI DSS compliance?” — the answer is this. PCI compliance is a means of building customers’ trust and protecting your business against damaging leaks of confidential customer information. Looking after your customers by being PCI compliant will help to ensure continued growth of your business and reinforce goodwill with your customers.