Do you know everything you need to about the Payment Card Industry Data Security Standard (PCI DSS)? There are a lot of misconceptions about what does or doesn’t ensure compliance and we’re here to help you sort through them so you’re better prepared to meet those requirements.
PCI DSS is but a piece of a much larger, complex puzzle that is the payments space. But, it is a necessary piece — the glue, if you will — that holds it all together. While maintaining continued compliance can seem daunting at times, you’ll be happy the effort was made.
Without further ado, here are five common misconceptions about PCI DSS that need to be cleared up so that you, your customers, and your business can avoid risky practices when it comes to payments security.
A Single Vendor or Product Can Ensure PCI Compliance
You know what they say: never put all your eggs in one basket. That also applies when choosing third-party vendors who make bold claims about security and compliance. Ask plenty of questions about exactly how they would help you achieve compliance, which of the 12 PCI DSS requirements their product or service actually covers, and which requirements remain your responsibility no matter what you buy.
Don’t expect or rely on a single vendor to guarantee PCI compliance for your organization.
Instead, take more of a holistic approach to your security strategy. Focus on the big picture of the overall security concerns that need to be addressed and how you can accomplish that through a mix of technology and personnel resources.
Outsourcing to a Third-Party Vendor Automatically Guarantees Compliance
There are loads of benefits to outsourcing certain aspects of card payment processing. Assuming that outsourcing automatically guarantees compliance, however, offers zero benefit and could land you in hot water for non-compliance. It is your responsibility to protect cardholder data whenever you receive it, including when you process refunds and chargebacks. It is also your responsibility to ensure that the third-party partners and vendors you do business with are complying with PCI DSS requirements, not the other way around: the standard expects you to keep a list of the service providers you share cardholder data with, to have written agreements with them that acknowledge their responsibilities, and to monitor their compliance status at least annually (Requirement 12.8).
PCI DSS Will Make Us As Secure As We Need to Be
Digital technology, including payments, security measures, and threats, is constantly evolving. Each new day brings new technology and new security challenges, because nothing stays the same for very long. The security update your IT team installed three weeks ago closed the holes that were known at the time; it does nothing against the vulnerabilities discovered since. Compliance is assessed at a point in time, while attackers work continuously, so passing an assessment is a baseline, not a guarantee of security.
The battle for security and compliance in the payments space is ever-evolving and constantly tumultuous. You always need to keep one eye on the security measures you currently have in place and the other on new and emerging online threats to the industry.
We Process Too Few Credit Card Transactions to Worry About Compliance
If you process even a single credit card transaction you must comply with PCI DSS. Failure to comply could result in steep financial penalties, to the tune of $5,000 to $100,000 per month until compliance is achieved. These fines are levied at the discretion of the card brands on your acquiring bank, which typically passes them on to you. While big banks and major financial institutions could easily absorb such penalties, smaller mom-and-pop shops could find themselves in dire straits if required to pay them.
And the financial penalties are light compared with the hit an organization takes to its reputation, and the lawsuits that could follow, after a breach.
PCI DSS is Too Hard to Comply With
The requirements themselves are actually pretty straightforward; how you address them is up to you. The PCI Security Standards Council groups the 12 requirements under six core goals, each tied to a concrete set of controls. Here are those goals and the requirements beneath them. (The wording below is from earlier versions of the standard; later versions reworded several requirements but kept the same twelve.)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
As you can see from the core goals and their requirements, there is nothing on this list you would not (or should not) be doing anyway. Whether you handle it all in-house with your own IT and security team, outsource your security needs to third-party vendors, or take a hybrid approach (seemingly the most popular and effective one), the requirements are laid out clearly.
The Bottom Line
The bottom line is that you must protect cardholder data and related payment information for every transaction and interaction. Failing to do so could cause catastrophic damage to your company's reputation, customer retention, and revenue, and above all else it could cause lasting harm to the customers whose private data you are responsible for protecting.
If you have questions or any uncertainty about managing PCI compliance, there are a lot of good resources on the PCI Security Standards Council website itself, or you can speak with a payments industry professional at Forte who can answer your questions.