PCI DSS Compliance

PCI DSS Compliance

According to MasterCard’s “The Global Journey From Cash to Cashless” article, the percentage of large cashless payments in the US is 80%. Besides, almost every company keeps personal customer data, including SSNs, credit card numbers, especially with the growth of e-commerce. Online payments for services and goods becomes a primary payment channel. Thus, online payments are a must for almost all companies regardless of their size, whether they are large corporations or family shops.

The number of attacks on companies to gain unauthorized access to sensitive data such as payment card data and other personal information is growing. Such actions lead to financial losses and reputational issues for businesses. PCI DSS compliance was developed to prevent unauthorized disclosure of credit card data and financial fraud.

According to the IBM report “Cost of a Data Breach Report 2019”, data breaches can be particularly acute for small and medium-sized businesses. Based on in-depth interviews of companies that employ fewer than 500 people and generate fewer than $50M in revenues, on average, they suffered more than $2.5 million in losses due to data breaches. According to the same report, the average amount of damages could be as high as $3.92M after the cost of investigations, damage control, repairs, lawsuits, and fines. The average amount of damage to companies in the healthcare sector was $6.45M, which is 65 percent higher than the average total cost of data breaches. Failure to sufficiently protect credit card data by Home Depot resulted in a data breach of 56 million data records. Home Depot paid over $200M in fines and payments to banks and customers. 

Often, data breaches are caused by or through contractors or third parties, as in the case with Quest Diagnostics. In June 2019, the company announced it had discovered a data breach affecting its billing and collections vendor, the American Medical Collection Agency (AMCA). As a result of the breach, medical, financial, and personal information of about 11.9 million customers were disclosed. That includes credit card numbers, bank account information, medical information, and Social Security numbers. The AMCA hack also affected LabCorp, which reported that personal and financial data of  7.7 million of their customers’ were stolen by hackers. The company notified its customers of the breach, and several of its largest customers had ceased operations. Just weeks after the breach was announced, AMCA filed for bankruptcy, citing “enormous costs.” LabCorp and Quest Diagnostics dropped AMCA after learning of the breach, as well as Conduent and CareCentrix.

Compliance with Payment Card Industry Data Security Standard (PCI DSS) helps companies prevent data breaches. PCI DSS is a set of requirements for merchants who process, transmit, or store credit card data. PCI DSS merchants are divided into four levels depending on the volume of annual credit card transactions. Based on the level, PCI DSS merchants have different compliance requirements.

Level 2 through 4 merchants must perform annual self-assessment for PCI DSS compliance using the Self Assessment Questionnaire (SAQ). Level 1 merchants are required to undergo an annual PCI audit that can only be performed by a Qualified Security Assessor (QSA).PCI assessments are carried out annually.  So how to ensure PCI DSS compliance? The PCI DSS compliance checklist consist of 12 sections:

  • Protect the Computer Network
  • Configuration of Information Infrastructure Components
  • Protect Stored Cardholder Data
  • Protect the Data transmitted about Cardholders
  • Antivirus protection of Information Infrastructure
  • Development and Support of Information Systems
  • Manage Access to Cardholder Data
  • Authentication Mechanisms
  • Physical Protection of Information Infrastructure
  • Reporting Events and Actions
  • Control of Information Infrastructure Security
  • Information Security Management

Protect the Computer Network

The key element of computer network protection is a firewall. The firewall provides traffic control between an entity’s internal (trusted)  and external (untrusted) networks. Further, firewalls are used for segregation within internal networks with different security levels. All firewalls or other system components of the cardholder data environment that can provide firewall functionality should be implemented and compliant with PCI DSS.

Configuration of Information Infrastructure Components

For all systems and components, organizations must develop configuration standards to avoid using vendor’s default system components settings or passwords. Default settings and accounts are well known in hacker communities and must be changed to prevent unauthorized access.

Protect Stored Cardholder Data

Develop and implement information protection methods, such as encryption, restriction, truncation, or hashing of data. Also, avoid saving cardholder data unless it is necessary.

Protect Transmitted Cardholder Data

Malicious individuals will quickly gain privileged access to cardholder data through misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols. PCI assessment helps find and exclude those vulnerabilities.

Antivirus Protection of Information Infrastructure

Antivirus software must contain the latest updates to protect from current and evolving malicious software threats. Antivirus protection must be used on all systems.

Development and Support of Information Systems

All systems must have appropriate security patches from the vendor that fixes known vulnerabilities to avoid a data breach.

Manage Access to Cardholder Data

Restrict access to cardholder data based on the “need to know” principle, e.g., access must be granted to the least amount of data necessary to perform the job.

Authentication Mechanisms

Set rules for authentication mechanisms, including secure methods for protecting user accounts at the point of entry, password storage security, password transmission security, and blocking accounts after a number of failed login attempts.

Physical Protection of Information Infrastructure

Physical protection is about the restriction of physical access to data or systems that store cardholder data. These rules help minimize the risk of physical damage or copying of hard disks, paper copies, or any other electronic and physical data format.

Reporting Events and Actions

Logging mechanisms are critical in preventing, detecting, or minimizing the impact of a data breach, due to the ability to track user activities. It is complicated to determine the reason for an incident or a breach without system activity logs.

Control of Information Infrastructure Security

Malicious individuals and organizations are continually discovering new vulnerabilities in software or systems and trying to access cardholders’ data. In the face of new threats, the security of cardholder’s data needs to be continuously improved through frequent tests of systems, its components, processes, and custom software to ensure security controls continue to remain effective in a changing environment.

Information Security Management

Information security management sets a framework for managing information security risks. Management and employees must be aware of the importance of protecting sensitive data, know how to handle and protect sensitive data, and understand their responsibilities within the company’s information security management process.

Additionally, all merchants are required to conduct quarterly security vulnerability scans using Approved Scanning Vendor (ASV) scanning tools. Identified vulnerabilities must be timely addressed.

PCI DSS security assessment procedures are necessary for absolutely all companies engaged in online payments, regardless of the type of activity and size of the organization. Requirements for merchants to comply with the PCI DSS depend on the entity and amount of transactions. For entities processing smaller amounts of transactions, conducting a self-assessment is sufficient, while the requirements for large companies is more significant and requires a PCI audit to be performed by QSA. Compliance with the PCI DSS security assessment procedures, passing an audit and strict observance of the rules will help the business to keep clients’ data safe and avoid losses such as investigation cost, damage control, repairs, lawsuits, and fines, and possibly even more serious consequences like bankruptcy. However, PCI DSS requirements set the minimum level of necessary controls and activities. Organizations must conduct periodic risk assessments to identify and address risks to credit cards and other types of sensitive data.  

Leave a Reply