PCI DSS Compliance
Any business or company that stores, processes, or transmits payment cardholder data is required to adhere with the Payment Card Industry Data Security Standard (PCI DSS).
The Payment Card Industry Data Security Standard is an industry-led global standard that specifies an array of technologies and practices that are required to protect valuable cardholder data.
With rules governing everything from data encryption to network segmentation, meeting PCI DSS requirements can be difficult to achieve, let alone maintain. It is a continuous effort that can be both time-consuming and laborious.
Failure to follow PCI DSS requirements may leave you (and the companies do business with) exposed to potential litigation and fines.
The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder data wherever it is processed, stored, or transmitted. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and other service providers involved with card payment processing must never store sensitive authentication data after authorization. This sensitive data includes:
- information printed on a card
- information stored on a card’s magnetic stripe or chip
- the personal identification numbers entered by the cardholder
It is important to protect cardholders from fallout of a data breach. Organizations also have self-interest at heart because penalties for non-compliance can be significant. An organization could end up prohibited from processing payment card transactions. If they aren’t prohibited, they may end up with higher processing fees to run any transaction at all.
The penalties can be limitless.
-
discovery and containment
-
investigation of the incident
-
remediation expenses
-
attorney and legal fees
-
loss of customer confidence
-
lost sales and revenue
-
brand degradation, etc.
PCI DSS adherence and applying it to your payment card transaction environment applies globally to all entities that store, process, or transmit cardholder data.
PCI DSS and its related security standards are administered by the PCI Security Standards Council. This council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating Organizations include merchants, payment card issuing banks, processors, developers and other vendors.
For companies to adhere to the regulations that have been set by the PCI Security Standards Council, there are three steps that can be taken:
- Assess – Companies should identify cardholder data, taking an inventory of IT assets and business processes for payment card processing. Analyze them for vulnerabilities that could expose sensitive data.
- Remediate – If vulnerabilities are found they should be fixed. It is important for companies to not be storing cardholder data unless it is needed at that time.
- Report – Submit required remediation validation records and compliance reports to the acquiring bank and card brands that the company does business with.
Cube 6 Development’s PCI DSS solutions will help your company fulfill the requirements that are necessary to be in compliance with the standard.
The PCI DSS requirements apply to all payment card network members, merchants, and service providers that store, process, or transmit cardholder data. The main requirements are as follows:
Build & Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor & Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security