From local coffee shops to international e-commerce giants, credit card payments made online and through mobile applications continue to grow. The popularity of these transactions raises pressing questions about the overall security of online payments and of bank card transactions in particular.
The early years of online banking and card payments saw a global wave of banking Trojan attacks that made fortunes for cybercriminals exploiting weak online banking systems and the vulnerable endpoint systems of customers paying by card online.
The card brands responded first with the standard itself, whose version 1.0 was published in December 2004, and then in 2006 by founding the non-governmental Payment Card Industry Security Standards Council (PCI SSC) to own and maintain it. The rules for safe and secure card payments it maintains are known as the Payment Card Industry (PCI) Data Security Standard (DSS), or PCI DSS.
The founding members of the Council, which maintains the standard while the card brands enforce it through their contracts with acquiring banks and merchants, are the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
As credit card usage continues to rise and payment methods multiply across online retailers and processors, security remains a top priority for banks, businesses, and consumers.
A 2017 Statista report found that 42% of consumers preferred paying by credit card when shopping online. Other methods such as PayPal and debit cards ranked close behind, and most of them still require card or bank account details to process a payment.
So what is PCI DSS?
The PCI Data Security Standard applies to any entity that stores, processes, or transmits cardholder data, including organizations that keep such data on paper.
Any sole proprietor, corporation, or other organization that accepts or processes debit or credit payment cards must meet the requirements of the PCI standard, as PCI DSS is commonly called.
PCI DSS is accompanied by further standards from the Council. The PIN Entry Device Security Requirements, or PCI PED (since folded into the PCI PIN Transaction Security, or PTS, requirements), set the rules for manufacturers of terminals that require a personal identification number (PIN) to complete a payment card transaction.
Another related standard is the Payment Application Data Security Standard (PA-DSS), which sets requirements for software developers and integrators who build, sell, or integrate applications that store, process, or transmit payment card data. PA-DSS was retired at the end of October 2022 in favour of the PCI Secure Software Standard under the Council's Software Security Framework.
Core PCI DSS Requirements for Merchants and Card Processors
If you process cardholder data or run business operations that involve card payments, you must comply with the standard's 12 requirements.
Meeting those requirements serves six goals set by the PCI SSC. Below is a summary of the goals and their corresponding requirements, in the wording of PCI DSS v3.2.1; v4.0, published in 2022, rewords the requirements but keeps the same structure of six goals and twelve requirements.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
While the measures above look logical and straightforward on paper, achieving full compliance with PCI DSS is a real challenge for organizations, especially small and even medium-sized businesses.
Challenges for Organizations to Comply with PCI DSS
To comply, an organization must complete every required step and meet every requirement. Full compliance takes significant effort and dedicated budget, first to implement the controls and then to keep them in place.
That is why e-commerce platforms such as BigCommerce and Shopify, and payment processors such as PayPal or Stripe, take most of the PCI burden off merchants: by keeping card data out of the merchant's own systems through hosted payment pages or tokenization, they shrink the merchant's scope to a short self-assessment questionnaire (typically SAQ A). The merchant remains responsible for whatever stays in its own scope.
Larger businesses and multinationals, by contrast, usually have to build and validate compliance internally; the highest merchant level requires an annual on-site assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor.
Any organization faces PCI compliance challenges such as:
- Meeting roughly 250 sub-requirements under the 12 headings, with no exceptions: a control that cannot be implemented as written may only be replaced by a documented compensating control that the assessor accepts. Validation is annual, but compliance has to be maintained continuously between assessments; a lapse can mean fines or loss of compliant status.
- Adopting a cyber-security strategy with many technical elements: secure hardware, software and network configuration, and protection of the entire IT and paper-based infrastructure that holds cardholder data.
- A lack of in-house expertise, combined with pressure from third parties such as card processors or contractual partners, can result in a poor implementation, which in turn puts the organization's operations and reputation at risk.
- Working out which merchant level applies (levels 1 to 4, set by annual transaction volume, decide whether you need an on-site assessment or a self-assessment questionnaire) and which systems are in scope. Scope is easy to underestimate: any system that stores, processes or transmits cardholder data, or that can affect the security of one that does, is in scope.
Finally, failing to comply with the PCI DSS standard's requirements can result in many negative consequences, such as:
- The card brands can fine the acquiring bank, which passes the fine on to the merchant, from $5,000 to $100,000 a month depending on factors such as the length of non-compliance and the size of the business.
- Charges of $50 to $90 per cardholder whose data is exposed in a breach.
- Action by the Federal Trade Commission, which does not enforce PCI DSS itself but has pursued companies under Section 5 of the FTC Act when a card data breach revealed inadequate security practices.
There are also indirect financial consequences: damage to the brand if compliant status is lost, and the legal action that can follow the loss of payment card data from systems that did not meet the requirements.
Maintaining PCI Compliance
PCI compliance is a continuous process, not a one-time adoption of a set of cyber-security and document-security measures. Keeping it up over the long term requires a comprehensive and evolving security strategy, built on a few essential steps:
- Make sure the entire transaction life cycle meets the requirements, including the processes you perform internally and transactions that involve third parties such as banks, partners, or payment processors.
- Draft and adopt comprehensive security policies, follow them consistently, and review and test them regularly.
- Identify all sensitive data you collect and store, then encrypt cardholder data in transit over open networks and render stored primary account numbers (PANs) unreadable, whether by strong encryption, truncation, or tokenization. Never store sensitive authentication data such as the card verification code, full magnetic-stripe track data, or PIN blocks after authorization, even encrypted. Grant access to the data on a need-to-know basis, following a zero-trust approach.
- Set a schedule of vulnerability checks that covers every system in scope, including endpoint devices. PCI DSS requires internal and external vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor) and a penetration test at least annually and after any significant change; given how quickly threats evolve, treat those as minimums rather than targets.
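As an added example (not code from the original article), here is a small Python script for the first step above, finding cardholder data where it should not be, such as in application logs. It uses the Luhn check to tell real primary account numbers from other long digit runs, masks each PAN to the first six and last four digits that PCI DSS v3.2.1 allows for display, and blanks card verification code fields, which must never be stored after authorization. The log format, the field names (`card=`, `pan=`, `cvv=`) and the sample lines are constructed for the example; the card numbers are the brands' public test numbers.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification code fields: sensitive authentication data that must never be
# stored after authorization. The field names are assumptions for the sample log.
CVV_RE = re.compile(r"\b(cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to the maximum PCI DSS v3.2.1 allows when displaying a PAN: first six, last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN and blank every CVV field; return (redacted line, findings)."""
    findings = 0

    def pan_repl(m):
        nonlocal findings
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()      # order ids, session ids and the like stay untouched
        findings += 1
        return mask_pan(digits)

    def cvv_repl(m):
        nonlocal findings
        findings += 1
        return f"{m.group(1)}=[REDACTED]"

    line = PAN_RE.sub(pan_repl, line)
    line = CVV_RE.sub(cvv_repl, line)
    return line, findings


def scan_log(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Redact a whole log and count cardholder-data findings."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


# Constructed sample log lines. The order id is a 16-digit number that fails the Luhn
# check, so it must be left alone; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2023-05-01T10:02:13Z checkout ok order=9876543210987654 card=4111 1111 1111 1111 amt=19.99",
    "2023-05-01T10:02:14Z gateway retry pan=378282246310005 cvv=123",
    "2023-05-01T10:02:15Z health check ok",
]

if __name__ == "__main__":
    redacted, n = scan_log(SAMPLE_LOG)
    print(f"{n} cardholder-data findings")
    for line in redacted:
        print(line)
```

Run over the sample, the script reports three findings: two PANs, which come back as `411111******1111` and `378282*****0005`, and one CVV field. A hit in a log store means the system that writes it is in PCI scope, and the first fix is to stop the data being written rather than to scrub it afterwards.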
The PCI DSS was created to protect consumers and organizations against cyber criminals. Datashield's role is to help our clients understand the different compliance requirements and implement tools and protocols to best suit their organization based on their budget, needs, and goals.