PCI Compliance: What, Who, and How?

Posted on May 12, 2016 by lexi

Admit it, you’re a little confused.

Everybody talks about PCI compliance, and you’re happily nodding along… but do you really know exactly what you’re obligated to do about it?

Put another way, are you sure you’re doing everything you’re supposed to be doing?

Well, fear not. Thankfully it isn’t all that complicated.

Over the next few weeks we’ll be covering the ins and outs of PCI and explaining what you’ll need to do in order to become (and stay) compliant.


PCI… What’s the Point?

The point of PCI, or more accurately the PCI DSS, becomes more obvious when you know what it stands for.

It’s the Payment Card Industry Data Security Standard.

Put simply, the PCI DSS is a set of requirements designed to ensure every company that processes, stores or transmits payment card information can do so securely.

That makes sense, right? Nobody wants their credit or debit card information accidentally leaked or stolen by cybercriminals.

The flip side, of course, is that it’s an extra set of hoops for your organization to jump through. If you want to take card payments of any sort (credit cards, debit cards, and so on), you’ll have to be compliant.


The Data Security Standard

Let’s have some historical context.

In the wake of some fairly serious credit card fraud, the big payment card brands (Visa, MasterCard, JCB, American Express, and Discover) jointly set up the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to develop, manage, and administer the PCI DSS.

Significantly, though, it’s the payment card brands themselves that are responsible for enforcing compliance.

If you aren’t compliant with the PCI DSS, your financial institution will be first to know. The big payment card brands can fine financial institutions from $5,000 to $100,000 per month for compliance violations, which will likely be passed on to you in the form of increased transaction fees (at best) or even termination of your relationship with them (at worst).

That may all sound a bit harsh, but it’s not without cause.

Credit card fraud costs the U.S. economy billions every year, with card issuers and vendors themselves taking by far the biggest hit. In reality, if you’re regularly taking payment via credit or debit cards and you aren’t PCI compliant… there’s a good chance you’ll have more to worry about than increased transaction fees.

With that out of the way, let’s take a deeper look at the PCI DSS.

First, it’s important to recognize that the PCI DSS applies to every organization (regardless of size or number of transactions) that processes, transmits, or stores cardholder data.

But what, then, does that actually mean? What do you have to do?


Taking Action

First, and most importantly, you have to develop and maintain a secure system for accepting payment cards. This could be an entirely proprietary system of your own creation, or it could be heavily based on third-party systems and software. Either way, there are a whole range of requirements and specifications that will have to be considered.

You can find the most up-to-date version of the PCI DSS on the PCI SSC website.

The thing to remember here is that having a secure system for accepting digital payments is not just about becoming PCI compliant. Yes, there are a series of hoops you’ll have to jump through, and yes, you do have to be PCI compliant.

But more importantly, you need to keep your own systems, and your customers’ data, safe. Harsh fines are leveled at organizations that fail to keep customer data safe, not to mention the impact of breaches on customer loyalty, so it’s best to think of PCI compliance as a checklist of vital security measures.

Beyond simply having a secure payment system, you’ll also need to demonstrate your compliance with the PCI DSS on an annual basis.

Essentially, this involves either completing a self-assessment questionnaire (SAQ) or working with a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC).

If you electronically store, process or transmit cardholder data, your organization must undergo quarterly internal and external vulnerability scans. You can handle the internal scans in-house (so long as you have the expertise), but your external scans must be completed by a PCI SSC-approved vendor.

If your organization’s network undergoes significant changes, you will need to perform additional scans.

Financial crime has been on the rise for decades, and with dramatic advances in the sophistication of malware and exploit kits, it pays to go above and beyond to make sure your payment systems are airtight.


Proactive PCI

In our opinion, if you take a sensible and long-term approach to information security and risk management, the official requirements for PCI compliance will be in line with many of the practices you already have in place. If you’ve already implemented sensible controls to protect the information and systems used to process card payments, you should fly through your assessment.

Not only that, you’ll be in a far safer position than the vast majority of your competitors, who are most likely doing the bare minimum required to remain compliant.

To help you navigate the requirements of the PCI DSS and ensure your organization stays well ahead of the compliance curve, we’ll be writing more about PCI over the coming weeks. From risk assessments and security policies to training and penetration testing, this series will cover many of the tasks you’ll need to complete in order to stay (or become) fully compliant with the PCI DSS.

More importantly, by taking the actions laid out in this series, you’ll be giving your organization a much better chance of keeping your customers’ data secure.

And in the end, that’s much more important than simple compliance.



Discover how TraceSecurity’s suite of consulting and professional services can help your organization meet PCI DSS compliance requirements and ensure customer data remains secure.


Posted in Information Security