As bestselling author Maria Konnikova writes, humans are inherently poor at detecting or anticipating fraud. Meanwhile, computers are far better at protecting us from all manner of security threats because they lack emotion and bias; yet technology itself is a fraudster's Disneyland.
Today's organizations, whether big or small, are vulnerable to data breaches, just as merchants decades ago were advised to look out for embezzlers and gun-toting thugs. In fact, worldwide fraud losses on card payments hit $16.31 billion on a total card sales volume of $28.844 trillion in 2014, an increase of 19 percent from the previous year.
PCI-DSS to the Rescue
To address the growing threat of payment card data breaches, the major card brands came up with the idea of creating universal standards for securing cardholder data: the Payment Card Industry Data Security Standard (PCI-DSS). The main goal of these standards is to protect cardholder data from compromise and other threats. It still has a long way to go, with recent figures showing that 61 percent of merchants still store unencrypted payment card data. In this blog post, you will learn the answers to the most common questions asked about PCI compliance and its overall impact on your business.
What Is PCI Compliance?
Also known as PCI-DSS Compliance, PCI compliance is a set of requirements put together by the PCI SSC and is required of all businesses that store, process, and transmit payment card data.
PCI Compliance is not a government regulation such as HIPAA or FISMA. According to the PCI SSC:
PCI compliance is a set of operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
The standard was introduced more than a decade ago, and its latest version, PCI-DSS 3.1, covers an extensive base of processes, requirements, and technology such as access control, encryption, and vulnerability scanning.
Who Runs the PCI SSC?
The PCI SSC (Payment Card Industry Security Standards Council) is an independent organization founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. to regulate and implement cardholder information security.
Their website describes their organization as, "an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection."
By and large, the council provides recommendations, guides, and documents to help businesses and organizations become PCI compliant.
Currently, PCI-DSS has 12 core security requirements covering various facets of network data protection and application security.
What Types of Organizations Are Subject to PCI Compliance Standards?
An organization of any location, type, and size handling cardholder data is subject to PCI compliance standards. There are no exceptions. It also applies to businesses using third-party processors. Typical organizations include retail businesses, hotels, financial organizations, schools, universities, eCommerce, and health care.
What's in It for My Organization?
Some organizations consider PCI compliance a huge undertaking. The truth is it elevates an organization's status by instilling trust among clients and customers. Being compliant means your organization is serious about protecting customers' sensitive data. Furthermore, it is slowly becoming the gold standard by which organizations prove to potential business partners and external stakeholders that proper security controls are in place.
The whole process in itself may look complicated, but all it takes is to find a partner who will not only help you comply with PCI but also continuously monitor your payment card system to ensure compliance.
As Verizon research data in 2014 demonstrates, the majority of organizations are still not sufficiently mature in their ability to maintain a sustainable PCI compliance program. Yes, they may be compliant but they are not as consistent in monitoring critical changes and keeping security measures updated.
What Fines Are Involved if I'm Not PCI Compliant?
Aside from the possibility of losing clients or diminished stock value, fines and legal fees for not being PCI compliant can range from $5,000 to $500,000. Fines and liability for damages also apply to organizations that are already PCI compliant but failed to stop a breach from occurring.
Is There a Single Tool that Will Help Me Become PCI Compliant?
No. PCI compliance is an ongoing process. No single tool can help you meet all of the requirements of PCI-DSS. However, some tools can help you satisfy multiple requirements simultaneously. Compliance with PCI-DSS should be viewed as temporary, a “snapshot” of your systems at a given moment. By and large, your compliance status can change at any moment, for example when a system configuration or a critical file changes.
Continuous PCI Compliance with CimTrak
As mentioned earlier, there are 12 key requirements of PCI-DSS. CimTrak helps with several of these. Requirements 10 and 11 are the ones that we most strongly align with: tracking and monitoring access to all data resources and cardholder data, as well as regularly testing security systems and processes.
PCI-DSS 3.1 requires that you implement a change detection mechanism, such as File Integrity Monitoring, within your organization as defined in Requirements 10 and 11. CimTrak empowers your organization through complete integrity monitoring, automated configuration monitoring, and complete perimeter protection of routers and firewalls, all without disrupting the continuous operation of critical systems.
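To make the change-detection idea behind Requirement 11 concrete, here is an added illustration of how File Integrity Monitoring works at its simplest: take a baseline of the files you care about (content hash, size, permission bits), then periodically re-scan and report anything added, removed, or modified. This is example code written for this post, not CimTrak's code or any part of the PCI-DSS itself; the directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Attributes recorded per file; a change in any of them is reported.
TRACKED_ATTRS = ("mode", "sha256", "size")


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, streamed so large files never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: relative path -> tracked attributes."""
    root = Path(root)
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "mode": oct(st.st_mode & 0o7777),  # permission bits only
                "sha256": hash_file(p),
                "size": st.st_size,
            }
    return snapshot


def compare(baseline, current):
    """Diff two snapshots: added and removed paths, plus which attributes changed per modified path."""
    report = {"added": [], "removed": [], "modified": {}}
    for path, attrs in current.items():
        if path not in baseline:
            report["added"].append(path)
            continue
        changed = [a for a in TRACKED_ATTRS if baseline[path][a] != attrs[a]]
        if changed:
            report["modified"][path] = changed
    report["removed"] = sorted(p for p in baseline if p not in current)
    report["added"].sort()
    return report


def demo():
    """Build a constructed directory tree, baseline it, apply four kinds of change, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        conf = root / "etc" / "app.conf"
        allowlist = root / "etc" / "allowlist"
        script = root / "bin" / "pay.sh"
        conf.write_text("db_host=10.0.0.5\n")          # constructed sample content
        allowlist.write_text("192.0.2.10\n")            # constructed sample content
        script.write_text("#!/bin/sh\necho charge\n")   # constructed sample content
        os.chmod(allowlist, 0o644)  # pin permissions so the later chmod is a real change

        baseline = build_baseline(root)

        conf.write_text("db_host=203.0.113.9\n")                       # content change
        os.chmod(allowlist, 0o600)                                      # permission-only change
        script.unlink()                                                 # deletion
        (root / "bin" / "unexpected.sh").write_text("#!/bin/sh\n")     # new, unexpected file

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written out (for example as JSON) and kept somewhere the monitored host cannot alter it, the scan would run on a schedule or on file-system events, and each report line would be forwarded to the log-review process that Requirement 10 calls for, with a reviewer deciding whether each change was an authorized one.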
If you'd like to learn how to ensure integrity and maintain compliance with regulations such as PCI-DSS, a consultation with a PCI compliance expert should be in order today!
March 15, 2016