You hear news about data breaches, fraud, and online
security almost every day. You know you need to take steps to keep your
customers and your business safe, but you’re far too busy to become a security
expert. This article helps demystify data security standards for businesses
that accept credit cards.
The Payment Card Industry Data Security Standard (PCI DSS)
protects consumer credit card data by reducing the risk of data breaches and
payment fraud. Major payment schemes including Visa, Mastercard and American
Express established PCI DSS as a security baseline for merchants using their
credit card networks.
If your business accepts credit cards, you need to be in
compliance with PCI DSS. Failure to comply with PCI mandates leaves businesses
vulnerable to a data breach and the potentially devastating financial impacts
of fraud.
Beyond the requirements, PCI DSS standards represent common
sense best practices that reduce security risk and save your business money.
This primer will demystify the standards, explain how they protect your
business, and offer resources to help you stay in compliance.
Why do we need data security standards?
Credit card fraud that results from data breaches costs
businesses and consumers billions each year. Data security standards help to
mitigate those losses by shoring up the weakest links in the payments
ecosystem.
PCI DSS is a set of requirements for merchants, software
developers and payment device manufacturers that aims to protect cardholder data
and reduce credit card fraud. The standards are developed and maintained by the
PCI Security Standards Council, whose founding members are American Express,
Discover, JCB, Mastercard and Visa. The current PCI DSS standard is v3.2.1,
released in May 2018.
Before the Council existed, each card scheme
had its own security standards for network participants, resulting in a
patchwork of burdensome regulations. The current PCI requirements make
compliance centralized, consistent, and transparent for businesses that accept
credit cards.
What are the PCI DSS standards?
The PCI Security Standards Council has issued 12 PCI DSS
requirements and testing procedures spanning six groups:
Build and maintain a secure network and systems
#1. Deploy firewalls to protect vital systems. Firewalls
segregate traffic between trusted internal systems and untrusted external
computer systems. The cardholder data environment holds sensitive data and must
be protected by a firewall.
#2. Don’t use vendor-supplied defaults. Network systems are
often provided by vendors with default passwords. Default passwords represent
low-hanging fruit for criminal fraudsters. Use password best practices and
always change vendor defaults before installing network systems.
Protect cardholder data
#3. Protect cardholder data at rest. Protection methods
include encryption, truncation, masking, hashing, and tokenization. This
requirement stipulates policies and procedures that minimize retention of
sensitive data and govern its storage as well as deletion.
#4. Encrypt cardholder data in transit. Hackers are
particularly skilled at identifying and exploiting security vulnerabilities of
data in motion between systems. This requirement seeks to reduce those vulnerabilities
through strong encryption policies for sensitive data in transit.
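The protection methods named in requirement 3 (truncation, masking, hashing and tokenization) are easy to confuse, so here is a small added example, not code from the original article, that shows what each one does to a card number at rest. The PAN is a constructed, well-known test number and the hashing key is a placeholder; requirement 4 (encryption in transit) is a separate concern and is not covered here.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a public test number, not a real card).
SAMPLE_PAN = "4111111111111111"
# Placeholder key: in practice this lives in an HSM or managed key store,
# never in source code.
HMAC_KEY = b"placeholder-hashing-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Luhn check, so only plausible PANs are treated as cardholder data."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: store only the last four digits; the rest never hits disk."""
    return pan[-4:]


def mask(pan: str) -> str:
    """Masking for display: show at most first six and last four, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed hash (HMAC-SHA256). An unkeyed SHA-256 of a PAN is brute-forceable
    because the PAN space is small; the secret key makes that attack infeasible."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the PAN with a random surrogate and keep the
    mapping in one tightly controlled store, so other systems never hold PANs."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        if pan not in self._by_pan:          # same PAN always maps to one token
            token = "tok_" + secrets.token_hex(12)
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```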
Maintain a vulnerability management program
#5. Protect systems against malware. Malware (malicious
software) represents a broad class of tools used by hackers to gain access to
systems containing sensitive credit card data. Anti-virus software must be
installed and, critically, maintained to detect and prevent malware threats.
#6. Develop secure systems and applications. Network,
software, and communications vendors are continuously deploying patches and
upgrades to combat criminal activity. This requirement seeks to enforce that
those upgrades are deployed in a timely manner to combat the latest threats.
Implement strong access control measures
#7. Restrict access to cardholder data to need-to-know.
“Need to know” means access rights are granted only to the least amount of
data and privileges needed to perform a job. This requirement stipulates
procedures that limit access to sensitive data to those who require it to perform
their job.
#8. Authenticate access to system components. Anyone with
network access should be individually identified in order to create a
transparent record of actions within systems containing sensitive credit card
data.
#9. Restrict physical access to cardholder data. Even the
most secure networks in the virtual world also require security in the physical
world. Any networks and systems containing sensitive credit card data should be
physically secured with access rights based on authenticated need-to-know.
Regularly monitor and test networks
#10. Track and monitor all access to network resources and
cardholder data. Logging all activity in systems that store or come in contact
with sensitive credit card data is essential to maintain the highest levels of
security.
#11. Regularly test security systems and processes. Security
threats are constantly evolving and ongoing. The efforts to protect businesses
and their customers must be similarly robust. Testing and monitoring of all
security processes and procedures should be a continuous process.
Maintain an information security policy
#12. Create information security policies for all personnel.
Anyone who comes in contact with any systems containing sensitive credit card
data should be trained in your security policies. This requirement helps your
business stay secure through transparent and meaningful communication.
How do I ensure my business is compliant?
Becoming PCI compliant is a three-step process:
Assessment. Identifying cardholder data, taking an inventory
of IT assets and business processes for payment card processing, and analyzing
them for vulnerabilities.
Remediation. Fixing vulnerabilities and eliminating the
storage of unprotected cardholder data.
Reporting. Compiling and submitting required reports to the
appropriate acquiring bank and card brands.
Qualified security assessors and approved scanning vendors
can help evaluate your procedures, scan your systems for vulnerabilities, and
determine if your business is compliant. The PCI SSC offers a list of approved
vendors to get you started.
Another option is to perform a self-evaluation to assess
your compliance. The PCI SSC offers a self-assessment questionnaire to help you
understand areas where you're compliant and where you might need additional
support.
Do I have to validate compliance?
While every merchant that processes, stores or transmits
cardholder data must comply with PCI DSS standards, not every merchant has to
validate compliance. The credit card brands have their own rules about what
“level” of merchants must validate compliance. These four compliance levels are
based on the number of annual transactions the merchant processes.
PCI compliance: Where regulations meet best practices
Security systems are only as strong as their weakest link.
Fraudsters seeking to steal credit card data often find that weakest link in
the computer systems of small merchants. If you own or operate a business that
accepts credit cards, you need to protect yourself, and your customers.
Many businesses use services offered by their credit card
processor or merchant bank to achieve compliance. Vantiv, now Worldpay, offers
OmniShield Assure to help businesses of all sizes achieve and maintain PCI DSS
compliance. In addition to EMV and tokenization technology, OmniShield Assure
also provides financial protection to help cover costs if you do experience a
breach.
PCI DSS helps build trust in the credit card ecosystem by
establishing a common baseline of security policies and procedures for all
participants in the respective networks. As a merchant that accepts credit
cards, it’s your responsibility to stay compliant. Doing so instills security
best practices and helps protect your business and your bottom line.