If You Handle Payment Cardholder Data, PCI Compliance Is a Requirement, Not an Option
You’ve probably read news stories about data breaches involving major brands and the exposure of credit cardholder data. Just this year, Sears, Macy’s, Panera Bread and Under Armour reported hacks that compromised customer data.
However, most data breaches don’t make headlines because they involve much smaller businesses. In fact, according to the Verizon Data Breach Investigation Report, more than six in 10 breaches involve small businesses. UPS Capital reports that 60 percent of smaller businesses close for good within six months of a data breach.
To reduce the risk of breaches, every merchant that accepts credit card payments or stores, processes, transmits or in any way handles credit cardholder data is now required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
What Is PCI DSS?
PCI DSS is a set of security controls that businesses and organizations are required to implement, at the minimum, to protect cardholder data. Originally developed by the major credit card companies and released in 2004, PCI DSS has been incrementally updated to account for new risks, clarify certain requirements, and close common security gaps.
For years, compliance with PCI DSS typically was the sole responsibility of the IT department and involved an annual audit. Newer versions released during the past few years have focused on making security and compliance part of day-to-day business operations and a shared responsibility across the organization.
In 2016, PCI 3.2 was introduced. PCI 3.2 provisions were considered best practices until February 1, 2018. At that point, those provisions became requirements. PCI 3.2.1 was introduced in May of this year with several updates. Key provisions include but are not limited to:
- Following an industry-accepted methodology for performing penetration tests and vulnerability assessments to ensure cardholder data is isolated from other areas of the network.
- Maintaining a comprehensive inventory of all system components used when handling cardholder data, including an explanation of the purpose of all hardware and software.
- Maintaining and routinely inspecting all point-of-sale equipment.
- Implementing a process for analyzing how changes to any network system that handles cardholder data would impact security controls.
- Requiring multi-factor authentication for certain users who access certain systems that handle cardholder data. For example, multi-factor authentication might combine a password with a biometric factor, such as a fingerprint or retina scan.
- Masking of primary account numbers to minimize the number of payment card digits that are displayed.
- Implementing advanced data encryption protocols to prevent cardholder data from being stolen while in storage or during transmission.
There are also legal requirements to consider. For example, if a third-party service provider processes card payments for you or handles your cardholder data, you need a contract that shows exactly who is responsible for all compliance-related tasks. Assigned responsibility doesn’t necessarily indicate liability, so your contracts may need to address the limitations of liability.
Keep in mind that you’re responsible for data breaches involving cardholder data, even if you outsource payment card processing to a third-party service provider. That means you, before the service provider, are subject to legal action, regulatory penalties and fines. It also means you should vet providers carefully, make sure they are in compliance with PCI standards, and have all contracts reviewed by an attorney.
If any or all of this information seems unfamiliar or overwhelming, it’s a good idea to seek the assistance of an outside consultant. Penalties for noncompliance can be severe, but the consequences of a data breach in terms of lost customers and damage to your reputation can be devastating. In many cases, a data breach is fatal, especially for small to midsize businesses.
Compliant Does Not Equal Hack-Proof
There is no combination of security tools and/or experts that will eliminate the risk of a data breach. Although PCI compliance might help you from a legal standpoint, it doesn’t make you immune to a hack.
The point here is that many businesses and organizations make sure they check all the boxes when they’re audited so they can become certified for PCI compliance. Then they become complacent. The PCI folks have worked to make compliance an ongoing effort rather than an occasional exercise, but they can’t force companies to take security seriously.
The unfortunate reality of today’s cyber threat landscape is that you should operate under the assumption that a data breach is a matter of “when,” not “if.” It’s your responsibility to implement security defenses that minimize the risk of a breach involving payment cards, as well as an incident response plan to minimize the impact of any security incident.