Every year, businesses are in danger of data breaches that compromise customer information. According to an annual report by Risk Based Security, last year saw a new peak in breach incidents: 3,930 occurrences resulting in over 736 million exposed records.
Data security is a serious business concern, especially considering that nearly 60% of small businesses go bankrupt after a breach.
If your business accepts debit/credit payments, you may be familiar with Payment Card Industry (PCI) compliance, the security requirements, and measures instituted by the industry. However, many new businesses (and some well-established ones) are unfamiliar with PCI compliance altogether.
Familiarizing yourself with PCI standards is a critical component of modern business.
PCI compliance refers to a set of mandatory standards and rules written and enforced by the Payment Card Industry, namely Visa, MasterCard, American Express, and Discover.
Any company that stores, processes or transmits credit and debit card payments is required to meet the PCI Security Standards Council (SSC) guidelines and annually demonstrate compliance or else face expensive fines and the possible loss of the authority to process transactions.
SSC Data Security Standard Requirements
The SSC has laid out twelve broad requirements for PCI compliance. While these requirements must be met, they do not detail specifically how your business must meet them. For example, companies must use and update anti-virus software, but the SSC does not specify which software must be used.
In order to implement these standards, the SSC provides a Prioritized Approach to PCI Compliance guide.
Data Security Standard Requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
The 3-Step Compliance Process
The purpose of assessment is to identify vulnerabilities posing a risk to the security of customer payment data. Assessment should be comprehensive in nature, analyzing your company's entire transaction process from beginning to end. This includes not only digital networks but all areas where customer payment data is stored, such as physical laptops, desktops, and paper receipts.
If a third-party is part of your payment flow process, you are required to assess their procedures and systems too.
QSA's assess your data security and prepare evidence to submit as proof of compliance.
ASV's provide commercial software tools which can analyze your data systems for weaknesses.
Remediation is the process of addressing and correcting any vulnerabilities found during your assessment.
Many remediation strategies are simple: update anti-virus software, add locks to doors where company servers are located, adopt new passwords that update every 90 days.
Where many companies struggle, however, is in the creation and implementation of corporate security policies and procedures. Without well-crafted policies and procedures that are clearly communicated throughout the company, most businesses will eventually fail at maintaining compliance.
Every company is unique, and for this reason, remediation is highly-specific to each business. No two remediation strategies look exactly alike.
A Report on Compliance (ROC) must be submitted in order to demonstrate that your business has met the SSC requirements. An ROC is not a single document, but rather a summary of evidence collected during the assessment and remediation stages.
ROC documents may include detailed work papers from a qualified assessor, results of system testing, configuration data, interview notes, screenshots, and many other pieces of evidence.
The SSC has provided a detailed 113-page Reporting Instructions document which can be reviewed to guide the reporting process.
PCI compliance is an ongoing process. A single assessment or annual validation is not the end of the process. Instead, compliance is the continuous implementation and monitoring of numerous strategies to ensure data remains safe and secure.
If I don't store credit card information, PCI doesn't apply to me.
PCI compliance applies to companies that store debit/credit card payment information and companies that process or transmit those payments. Whether you store the data or not, if you accept debit/credit payments, PCI compliance applies to you.
I only process a small number of transactions, and PCI only applies to huge corporations.
PCI compliance is for all companies that store, process or transmit even a single debit/credit payment. The only exemption is for businesses that have turned over the entire transaction process to a third party.
After I've reported and validated compliance, PCI is over and done.
PCI compliance is an ongoing process, not a once-a-year event. Validation should be seen as snapshot in time, not a blanket stamp of approval. It is common to find companies that were validated during an annual assessment but later experienced a security breach due to a lapse in compliance.
Other merchants haven't been fined, and even if I'm not compliant, the fines are no big deal.
The fines for non-compliance are hefty, ranging from $5000 to $100,000 per month. Businesses may also lose the right to process debit/credit payments altogether until compliance is demonstrated and confirmed.
I passed my ASV scan, so I'm in the clear.
ASV scans are only a single step in continual process. Consider them a single tool among many in the ongoing effort to maintain compliance.
Copyright © 2023 SCORE Association, SCORE.org
Funded, in part, through a Cooperative Agreement with the U.S. Small Business Administration. All opinions, and/or recommendations expressed herein are those of the author(s) and do not necessarily reflect the views of the SBA.