Published December 17, 2021
Cybercriminals love cardholder data. It’s relatively easy to steal and even easier to convert into cash. In fact, cardholder data is the single biggest global source (or target) of cyber-attacks.
This puts considerable pressure on high-transaction-volume retailers, even restaurants. Due to sheer exposure, they bear substantial risk from hacking and other forms of payment card fraud, and thus substantial responsibility. They must not only deliver careful and attentive customer service, but continually ensure the protection of their customers’ data and privacy, on both a real and perceived basis. It’s a big deal.
According to Verizon, only seven percent of retail customers would remain faithful to a goods or services provider if it suffered a data breach, while 69 percent would avoid said company altogether after a breach, even if it offered a better deal than its competitors. So, there is a need for security.
PCI DSS stands for Payment Card Industry Data Security Standard. This is actually a regulatory, policy and certification system set up by the PCI Security Standards Council (PCI SSC), a coalition of global credit-card networks, or brands. The council members are: American Express, Discover, JCB International, Mastercard, UnionPay and Visa Inc.
This coalition is chartered to help retail merchants and other commercial organizations prevent payment data breaches and payment card fraud. According to the council’s website, the PCI SSC mission is to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.”
Ok. That’s industry-speak for setting security requirements for companies that make a market in the payment card ecosystem: retailers, restaurants, electronic payment transaction processors, and cloud-based ecommerce platform providers.
There are four levels of compliance, each designed for the number of transactions an organization performs each year. They are as follows:
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process 1 to 6 million transactions annually.
Level 3: Merchants that process 20,000 to 1 million transactions annually.
Level 4: Merchants that process fewer than 20,000 transactions annually.
The specific requirements associated with each level are developed by the Council and vary according to business volume. However, there are 12 fundamental requirements that include the following:
1. Implement firewalls to protect data
2. Appropriate password protection
3. Protect cardholder data
4. Encryption of transmitted cardholder data
5. Utilize antivirus software
6. Update software and maintain security systems
7. Restrict access to cardholder data
8. Unique IDs assigned to those with access to data
9. Restrict physical access to data
10. Create and monitor access logs
11. Test security systems on a regular basis
12. Create a policy that is documented and that can be followed
You start by assuming responsibility for the protection of your customers’ data. In doing so, you will securely transmit and process payments and therefore build trust with your customers.
You will prevent data breaches by properly managing your IT infrastructure. In addition to absolute prevention, your properly firewalled infrastructure is also a deterrent. Consider a criminal’s cost-benefit analysis.
You join a global community, members of which are looking out for all of us who store, process, and transmit cardholder data. PCI compliance means that you stand among others who are committed to data security and consumer data protection.
Finally, PCI Compliance lifts your reputation with payment-card companies, who can become more profitable business partners.
There are some pretty serious consequences that stem from not complying with PCI DSS standards. Non-compliance sends a message to your customers that you haven’t taken the steps to ensure their safety. That’s a perception problem. Now let’s get to the functional problem.
When customer data gets breached, it means that merchants and financial institutions, as well as consumers, are compromised. This can be severely damaging to businesses, reputationally as well as financially. There is loss of sales, loss of trusted relationships, lawsuits, insurance claims, fines, and more.
According to Verizon’s 2019 Payment Security Report, 18 percent of organizations surveyed had no defined data protection and security program. That’s despite the fact that PCI DSS compliance is, for all practical purposes, a fairly binding expectation. Though it is not law, PCI compliance is mandated by major card brands and the banks that handle payment processing. For merchants, these are essential business partners because they literally enable payment for goods and services.
According to Verizon, retail has done well with encrypting data in transit (PCI DSS Requirement 4) and protecting against malicious software (Requirement 5). Retailers also scored well in authenticating access (Requirement 8) to prevent data theft.
Unfortunately, retailers fall short of meeting the full PCI DSS requirements, especially for security management.
Retail scored the lowest of all industries studied in data breach incident preparedness, such as:
Payment security is a global challenge with global consequences. Being compliant is not only good for business but also saves time and money.