The continuing series of massive credit card data breaches at high-profile organizations prompted the development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how credit card data must be protected. The threat comes both from outside the organization and from within:
65 percent of financial services institutions worldwide experienced repeated external breaches within the past 12 months.
30 percent of these global institutions suffered repeated internal breaches during the same timeframe.
Under the PCI DSS, a business or organization should be able to assure their customers that its credit card, account, and transaction data is safe from hackers or any system intrusion, whether malicious or accidental, and whether from outside or within the organization.
The Cost of Non-Compliance
Non-compliance with PCI DSS can result in financial penalties levied against any vendor or service provider, or even denial of the merchant’s ability to accept or process credit card transactions. Costs also include:
Monthly fines for non-compliance - ranging from $5,000 to $25,000.
Lost business - if an acquirer refuses to process card payments for a merchant after a data breach occurs.
Damaged reputation - consumers prefer to conduct business with companies whose reputation is untarnished by a data breach.
Getting to PCI DSS Compliance
To achieve compliance with the PCI DSS, vendors and service providers must adhere to six major categories of requirements, comprising a total of twelve PCI-required controls, which cover access management, network security, incident response, network monitoring and testing, and information security policies.
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
Requirement 3: Protect stored data.
Requirement 4: Encrypt transmissions of cardholder data and sensitive information across public networks.
Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement strong access control measures
Requirement 7: Restrict access to data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security.