Any business that stores, transmits, or processes payment card data has a responsibility to ensure that those transactions are secure. The Payment Card Industry Data Security Standard (PCI DSS) has a path for that.
The PCI DSS issued a set of 12 high-level requirements known as the PCI compliance checklist. These requirements apply to merchants of all sizes that accept consumer credit and debit cards. At its core, the PCI compliance checklist is designed to protect consumer card data from fraud and data breaches. Although the requirements mandated by PCI DSS are not law, there are hefty fees and fines for non-compliance.
Here is an overview of the checklist requirements that payment card companies require merchants to to comply with in order to protect customer financial information:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a security policy and ensure that all personnel are aware of it.
What Is PCI DSS Compliance?
An organization that is PCI compliant has committed to keeping cardholder data secure and safe from data breaches and fraud.
Although there is no official certification, merchants that accept cardholder data must prove to payment card companies that they have systems in place to identify cyberthreats, remediate vulnerabilities, and report breaches before they cause significant financial damage.
There is also another element called PIN Transaction Security (PTS), requiring financial institutions and merchants to use payment processing devices that have been tested and approved to process card transactions.
The Payment Application Data Security Standard (PA-DSS) mandates that payment processing software be tested and approved as secure.
PCI DSS Compliance Process
PCI DSS compliance is a continuous process that takes place on three different levels.
- Assessment: the financial organization or merchant takes inventory of their IT assets and processes for processing payments and attempts to identify vulnerabilities.
- Remediation: this step involves fixing vulnerabilities and establishing processes and policies whereby customer card data is stored for as little time as possible because of the risk of a breach.
- Report: the merchant is required to keep remediation records and submit compliance reports to banks, card processors, and other relevant financial organizations.
All of these processes mirror cybersecurity best practices and have overlapping features inherent to other compliance regulations, such as GDPR, for example.
The Cost of Non-Compliance
In addition to the consumer, there are typically three major players involved in the card payment process: the payment brands (Visa, MasterCard, American Express, etc.), the acquiring bank, and the merchant.
If non-compliance is discovered, the payment brands may fine the acquiring banks anywhere from $5,000-$100,000 per month—most of which is passed down the line, ultimately impacting the merchant in the form of increased fees and transaction costs. In some instances, the bank may decide to terminate the relationship with the merchant.
Why It All Matters
Financial damages attributed directly to cybercrime are expected to reach $6 trillion annually by 2021.
To shed some light on that number, it is larger than the annual GDP of Japan, which has the third largest economy in the world after the U.S. and China.
Businesses that handle payment card transactions—financial organizations and retail—are the most targeted groups by cybercriminals, according to a 2017 Verizon report.
The virulence of this type of crime, which is persistent and getting worse in both the number of incidents and the financial costs to enterprises, highlights the urgency of compliance with the 12-point checklist.
If trends in the cybercrime landscape continue to escalate at the current pace—and consumers begin to lose confidence in the safety of their card data—it’s foreseeable in the near future that best practices associated with the PCI DSS compliance checklist will be inherently woven into payment processor business models to stem financial losses, if nothing else.