The number of identities exposed in corporate data breaches is on the rise. Credit bureau Equifax recently admitted that hackers made off with sensitive data on 145.5 million Americans in mid-2017. And according to Symantec’s 2017 Internet Security Threat Report, more than 1.1 billion identities were compromised last year — putting not just individuals, but the companies they buy from, at risk.
A data breach is never good for business, but when your revenue depends on the ability to take card payments, a breach can threaten your ability to process those payments and possibly expose you to fines. That’s why it’s critical to follow the card industry’s PCI requirements. PCI compliance doesn’t have to be onerous, however, and the requirements provide a map that not only safeguards customer data, but brings your IT environment into line with solid security practices.
Start by reviewing the key facts about PCI compliance and the standards checklist below.
What is PCI?
PCI is the common shorthand for the Payment Card Industry Data Security Standard (PCI DSS), a set of information security requirements meant to reduce the risk that cardholder data is compromised. It is administered and maintained by an independent body, the PCI Security Standards Council, and enforced by the major card brands and the acquiring banks that work with them.
Businesses that take card payments but don’t comply with the standard can be hit with non-compliance fines that range from $5,000 to $100,000 per month, and in the event of a breach, an additional $50 to $90 for each cardholder whose data was compromised. The consequences may also include losing the ability to process credit card payments — as well as losing customers’ trust and loyalty.
PCI compliance involves:
- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
Review the checklist below to learn more about each of these steps, but don’t let the prospect of compliance overwhelm you — there’s help available to assist your business in working through the process. Read on and learn how.
How to Tackle PCI Compliance
First, check with your bank and payment processor to find out what they offer. Some partner with — or can refer you to — vendors that specialize in this area. Your web hosting company may also be able to contribute to your PCI solution. While all of these experts can help simplify the process, you should understand what PCI compliance involves so that you can be sure the solution you choose will meet your needs.
Once the required safeguards are in place, you’ll have to validate your compliance. How you do this varies based on your so-called merchant level (more on that below) and may mean completing an annual Self-Assessment Questionnaire (SAQ) or engaging a Qualified Security Assessor (QSA) to conduct an on-site audit of your information security practices and produce a Report on Compliance. You may also need to engage an Approved Scanning Vendor (ASV) to run a quarterly external network vulnerability scan, and submit an Attestation of Compliance (AOC) form to your acquiring bank.
Merchant levels are defined by each card brand and determined primarily by the annual volume of card transactions you process and by how you accept payments (e-commerce and other card-not-present transactions versus card-present transactions). Talk to your bank, payment processor or security solution provider to find out how your business is categorized. Other factors can also affect your level; for example, a card brand may assign a higher level to a business that has previously suffered a data breach.
Ensuring your business is PCI-compliant requires an investment in time and resources, but it can protect your business from the financial risks of a data breach. Requirements, compliance guidance and updates are available in the PCI Security Standards Council’s Quick Reference Guide for the current version, PCI DSS 3.2.
For more information on PCI compliance, contact me or your SVB Global Treasury and Payments Advisor.
Checklist: Your 6 Key Tasks to Meet the PCI DSS 3.2 Standard
1. Build and maintain a secure network and systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability management program
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
4. Implement strong access control measures
- Restrict access to cardholder data on a need-to-know basis
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
6. Maintain an information security policy
- Maintain a policy that addresses information security for all personnel
- Make the policy accessible to all employees so they can refer to it as needed
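One practical place where tasks 2 and 5 meet is application logging: a PAN that ends up in a log file is stored cardholder data you did not mean to keep. The script below is an added example written for this page (it is not from SVB or the PCI Security Standards Council) that scans log lines for card-number-shaped digit runs, keeps only those that pass the Luhn check that real PANs satisfy, and masks them to the first six and last four digits, the most that PCI DSS 3.2 requirement 3.3 allows to be displayed. The log lines are constructed sample data; the card numbers are the public Visa and Mastercard test numbers, and the names `SAMPLE_LOG`, `luhn_valid`, `mask_pan`, `redact_line` and `scan_log`, as well as the digit-run regex, are my own choices rather than anything the standard prescribes.

```python
import re

# Constructed sample log lines (not real data). The card numbers are the
# publicly documented Visa and Mastercard test PANs, which pass the Luhn check;
# the 16-digit order id does not, so the scanner must leave it alone.
SAMPLE_LOG = [
    "2017-10-03T12:00:01Z app INFO checkout ok card=4111 1111 1111 1111 order=1234567890123456",
    "2017-10-03T12:00:02Z app DEBUG raw request pan=5555555555554444 exp=12/20",
    "2017-10-03T12:00:03Z app INFO refund order=1234567890123456 amount=19.99",
]

# Heuristic: a run of 13 to 19 digits, optionally separated by single spaces
# or dashes, not glued to other digits. Tune the separators for your own logs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits, the maximum that
    PCI DSS 3.2 requirement 3.3 allows to be displayed; the rest becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns (redacted_line, pans_found). Separators inside a matched PAN are
    dropped so the masked value has a single canonical form.
    """
    found = 0

    def _replace(match):
        nonlocal found
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # e.g. an order id: looks like a PAN but is not one
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def scan_log(lines):
    """Redact a list of log lines and count the PANs found, so the count can
    feed an alert: a PAN in a log file is a finding, not just a formatting bug."""
    redacted = []
    total = 0
    for line in lines:
        clean, n = redact_line(line)
        redacted.append(clean)
        total += n
    return {"lines": redacted, "pans_found": total}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for line in result["lines"]:
        print(line)
    print(f"PANs found and masked: {result['pans_found']}")
```

Two caveats a practitioner should keep in mind. The Luhn check is a filter, not proof: other identifiers can happen to pass it, so treat hits as leads to investigate. And masking after the fact is a detective control for data that should never have been written; the primary fix is to stop the application logging the PAN at all, and sensitive authentication data such as the card verification code or full track data must not be stored in any form, masked or otherwise.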