
PCI Compliance Regulations: 5 Things to Address When Assessing Your Liability


Recent advancements in technology have, in many ways, made our on-the-go lives easier and more flexible. But at the same time, our private data has become more and more vulnerable to data breaches.

That’s because of consumer preference, the frequency of online transactions, and the fact that regulations governing private data storage have only recently come under the magnifying glass and begun to mature.

If your organization stores or in any way processes consumer card data, it’s critical to examine your Payment Card Industry security processes and posture. Chances are very good that you or a vendor with whom you have a business relationship will be breached.

The PCI Data Security Standard and the audits that evaluate your business’s security practices exist to help you avoid a data breach, but they can only reduce your exposure and vulnerability, not provide ironclad protection.

If your business is breached, you could face financial liability from a number of different organizations, including card issuers, acquiring banks, customers, and government agencies. Knowing PCI compliance regulations and ways to identify your liability is a positive, proactive approach to preventing data breaches and the liability that accompanies them. Here’s how.

Know What Level of Compliance You Fit Into

Luckily, the PCI DSS council has made it fairly easy for merchants to figure out what category of compliance they fit into. It’s all generally based on the number of transactions a merchant processes.

There are currently four levels of PCI compliance:

  • Level 1: Merchants processing over 6 million card transactions per year.

  • Level 2: Merchants processing 1-6 million transactions per year.

  • Level 3: Merchants handling 20,000-1 million transactions per year.

  • Level 4: Merchants handling fewer than 20,000 transactions per year.

Knowing what level of compliance your business fits into should be near the top of your list of concerns if you process card data.

All four levels require merchants to undergo a self-assessment questionnaire (SAQ), a quarterly network scan by an approved scanning vendor, and an attestation of compliance form. Level 1 requires all of the above plus a report on compliance by a qualified security assessor (QSA).

Do You Store Card Data?

Not all merchants store customer card data, either because of the inherent breach risk or because it is not necessary to meet the needs of the business. However, if you do store card data—even for short periods of time—it’s essential that you know exactly where that card data flows during the entire transaction process. Make sure your payment card terminals comply with the PCI requirements governing PIN entry devices (PEDs).

Likewise, terminals should never print the full card number on a receipt; it should always be truncated. Most payment terminals in use today do truncate customer card data, but some legacy machines still in use may not.

More importantly, ensure that third-party vendors also comply with the highest PCI compliance standards that pertain to them. Even if your business is extremely diligent in protecting customer card data, third-party vendors can be costly Achilles’ heels when it comes to compliance failures and the associated penalties.

Small Business Concerns

Although most of the highly publicized data breaches that make it into mainstream media front pages are on large organizations, experts say that 60 percent of SMBs will fail within six months as a result of a cyberattack.

SMBs are actually favored targets of cybercriminals because they typically lack the resources enjoyed by larger enterprises to lock down their servers and other network entry points. Breaches on smaller businesses can be unrecoverable if they are financially suffocating.

Many of these merchants are likely to fall into level 3 or 4 classification, but that doesn’t mean they should not adopt the security standards used by bigger industry players.

Enterprise Business Concerns

Enterprise organizations clearly have the most to lose after a cyberattack based on their sheer size alone. In 2017, the Equifax breach resulted in at least 143 million consumer records exposed and most likely headed for sale on the dark web.

The breach cost stockholders an estimated $4 billion in stock market value. In addition, the credit reporting giant had to pony up for credit monitoring services for consumers who were affected. Read this breach as an event whose cost is likely to be passed on to consumers eventually as an added cost of doing business.

Service Provider Concerns

As a service provider, you should be concerned that your business partners that handle your customer card data have robust security practices in place and have had a recent PCI compliance audit reporting favorable results.

You have every right to ask your third-party vendors for PCI compliance audit reports. If they are hesitant, you may want to consider shopping around for other organizations with higher security standards to process your customer card data.

If you are a business of any size and are concerned about whether you meet PCI DSS compliance regulations, seek out a qualified vendor to perform a PCI DSS assessment of your card payment security systems. You’ll be able to identify potential security vulnerabilities and be better prepared to prevent a costly data breach.

Our team also recently released The PCI DSS Compliance Guide: What You Need to Comply. In this comprehensive guide, we cover important topics such as:

  • Who needs to be PCI DSS compliant

  • The main goals and checklist requirements of PCI DSS

  • Where sensitive data loss occurs

  • What you can do to prepare