Payment Card Industry Compliance: How to Be Safe (Without Being Sorry)
Overall consumer spending is at an all-time high. This is in spite of worldwide inflation, supply chain shortages, and evolving shopping preferences. Experts now anticipate that consumer demand will only continue to rise, especially in the U.S. In an effort to capitalize on today’s increasing shift to online shopping, many businesses have prioritized e-commerce or omnichannel strategies in new and more expansive ways than ever before. In fact, according to a Verizon Small Business Survey, 40 percent of small businesses report that as a result of COVID-19, they increased their digital and online operations.
While this reality has created an incredible opportunity for stronger sales, a pathway to international trade, and a minimized need for costly brick-and-mortar storefronts, the surge in the use of digital technology and online platforms has brought with it an increased need for vigilance regarding the safety of customer credit card data and security of transactions.
The Challenges of Credit Card Data Protection
One of the most critical facets in keeping merchants afloat is the ability to accept credit card payments via merchant gateways and point-of-sale (POS) systems. After credit card data is accepted, it's then stored in the cardholder data environment (CDE) within the POS.
If the CDE is not adequately protected, however, threat actors can access the card data within it. Any failure to adequately secure card data poses a risk to a company, and can result in lost customer trust and damaged reputations, remediation costs, settlements with customers, as well as hefty monetary fines and penalties that can ultimately sink a company, especially smaller to midsized brands.
Of course, larger companies aren’t exempt from these risks either. In March 2019, hackers accessed the personal data of over 100 million people in the U.S. and Canada by breaching Capital One’s firewall to steal customer data stored on servers. In August 2020, Capital One was fined $80 million for its “failure to establish effective risk assessment processes prior to migrating significant information technology operations” to a cloud storage system and “failure to correct the deficiencies in a timely manner,” notwithstanding Capital One’s efforts to notify customers and remedy the breach.
Target’s 2013 data breach also resulted in the theft of credit and debit card records of 40 million customers and other information relating to 70 million customers. Weeks before, security experts found evidence of a possible breach and notified the company, but it failed to respond. The fallout: over $200 million in legal fees have been paid and the CEO was forced to resign.
The Solution of Compliance
In 2006, the Payment Card Industry Data Security Standard (PCI-DSS) was issued to protect cardholder data. Administered by the PCI Security Standards Council — formed by Amex, Visa, Discover, Mastercard, and JCB International — the goal is to secure credit and debit cards from certain types of fraud and data theft. Adhering to PCI-DSS isn't a surefire guarantee that the POS will always be secured from breaches, but it’s an incredibly important starting point. By implementing it, organizations can be confident that, at the very least, they have a secure baseline when it comes to their POS.
PCI-DSS applies to all entities accepting, processing, storing or transmitting credit card data. Compliance with PCI-DSS is compulsory for the entities it applies to: any merchant of any size that accepts or processes credit cards must comply and ensure that relevant third parties are also compliant. Merchants and POS systems found to be in violation are subject to fines and penalties.
An organization's initial attempt to comply can take up to six months if done via manual effort, and while PCI renewals are somewhat easier, the particular rules can shift depending on altered circumstances for the business. But PCI is checklist-based, which can help make requirements somewhat easier to understand and achieve. Its twelve requirements are:
- Set up and maintain firewalls.
- Ensure you're not using default settings.
- Protect cardholder data stored on systems.
- Encrypt cardholder data transmissions.
- Install and regularly update anti-malware software.
- Build and maintain systems that are secure.
- Make cardholder data accessible on a need-to-know basis only.
- Ensure users with access utilize unique identifiers.
- Limit physical access to cardholder data.
- Log and monitor access to the network.
- Ensure continuous testing of all processes and systems.
- Build and manage robust information security policies.
Implementing PCI-DSS is also just the beginning; consistently proving compliance can bring its own challenges. The assessment and audit process requires the regular participation of internal stakeholders, which can interfere with their day-to-day job performance, or the added expense of hiring a team to help meet auditors’ requests. Companies that treat gathering compliance evidence each year as a one-off, siloed project may have an especially hard time keeping up. Not to mention that an organization may have many different compliance regimes and individual requirements beyond just PCI compliance, which, if not optimized and strategically addressed, can cause significant friction with the company’s overall technology practices.
PCI-DSS Compliance Automation: Compliance and More
The majority of companies are still reliant on old-school methods and the manual effort of screenshots and spreadsheets. These methods are tedious, resource-heavy, and typically don’t offer 360-degree visibility into compliance frameworks across the company. However, there are ways brands can overcome these hurdles and successfully mitigate future risks. Leveraging the right technology to support these efforts is one essential element to make this happen. With automation, businesses can set up guidelines and best practices for how to properly store their customers’ data.
By eliminating the use of manual efforts and implementing automation into these processes, companies can more seamlessly collect evidence, analyze data, and continually replicate this activity to meet, and stick to, standards like PCI with greater ease. In turn, these optimal solutions help reduce the effort invested in compliance and evidence gathering activities overall, they remove cross-organization dependencies, and they ensure a robust and increasingly mature approach. Automation is the key to enabling businesses to scale their compliance requirements as their systems become more nuanced and complex.
In an ever-changing world, anticipating the next “what-if” is critical to survival. With the right solutions in place, businesses can ensure they’ll always be making the right moves towards building a robust PCI and compliance ecosystem, now and in the future.
Yair Kuznitsov is CEO and co-founder of anecdotes, the first Compliance OS.
Yair is CEO and co-founder of anecdotes, the first Compliance OS, and he's on a mission — to remove the frustration that typically accompanies Compliance and, in the process, save InfoSec teams millions of hours per year collectively. After building and managing teams in different units across the IDF Intelligence Corps, Yair became the head of the hardcore R&D section of the IDF’s elite 8200 unit. After leaving the army, he led the Innovation Group at Intsight, where he successfully brought new products into a highly competitive market. In 2020, he started anecdotes with Roi and Eitan to re-build the InfoSec Compliance ecosystem to fit the Cloud era. Yair is an avid skier, piano player, and builder.