In my last blog, I noted that I would be posting installments in a series about information security compliance protocols. The first protocol is a written technical standard and compliance program that applies to any company, regardless of size, that stores, processes and transmits credit card holder data. Cardholder data includes the primary account number (PAN), cardholder name, expiration date or service code (3-4 digit security code). I’m referring to the PCI-DSS, the Payment Card Industry Data Security Standard.
The Standard was devised and founded by five credit card companies – AMEX, Discover, JCB, MC and Visa. These five companies make up the PCI Security Standards Council (PCI SSC). They created the Standard to inform merchants, acquiring banks (the banks that process the credit card information) and other service providers how to protect cardholder data. This is why the PCI-DSS is considered a security compliance protocol: businesses must maintain an information security program that complies with the Standard in order to protect cardholder data from cyber criminals.
What I mean by information security is how your business, electronically or through its information technology (IT) system, protects data from breaches. Your information security can be as elaborate as servers maintained at data centers around the world, or as basic as a router and its included firewall. The point is that if you are processing, storing or transmitting credit card holder data, your security has to be, at a minimum, PCI-compliant.
The Standard came out in 2006 and has been revised a few times since then. The last revision was in 2018. Companies affected by the Standard typically have 18 months in which to comply with the revisions. The Standard contains 12 security requirements with 280 sub-requirements. The Standard also includes test procedures, which give businesses direction on how to test their security infrastructure.
Briefly, the following are the 12 security requirements:
- Maintain firewalls to protect your network and other networks.
- Remove all default configurations and passwords.
- Protect any stored cardholder data you have.
- Encrypt transmissions of cardholder data over public networks.
- Ensure you have, maintain, use and implement anti-malware and antivirus solutions.
- Use and maintain secure applications and operating systems and write secure
- Restrict access to cardholder data to people who really need to see it and implement a user privilege policy.
- Identify and authenticate all users individually.
- Protect physical locations where cardholder data resides.
- Log and monitor access to systems.
- Test security on a regular basis to prove all the requirements or controls are actually
- Create, maintain and implement policies and procedures that your users know and
Now, before you start thinking, “12 security requirements with 280 sub-requirements? I’m a small business; how can I meet all those requirements and comply with this Standard?”, take a look at the 12 security requirements: they are minimal components of any information security program. But more importantly, the volume of credit card transactions your business conducts in a year dictates exactly how you have to comply. For example, businesses that conduct 20,000 cardholder transactions a year or less only have to supply responses to the Self-Assessment Questionnaire annually. However, as will be discussed, your business would benefit from doing more.
Is the Standard Legal?
Before I explain how compliance with the Standard works, it’s important to know that the Standard is not a regulation and is not legally required. It’s a contractual requirement. What I mean is that the credit card companies contract with processing banks to manage their card holders’ information and to process and protect that information. The acquiring banks in turn have contracts with the merchants as to how to manage the credit card holder data. Then, the merchants have contracts with the service providers to protect the cardholder data. At a minimum, merchants should communicate to their service providers their responsibility for the credit card holder data. If a merchant has closely read the contract, they know they are agreeing to comply with the PCI standard and that failure to comply results in legal action.
How to Comply
One of the ways cybercriminals cause a data breach is through Point-of-Sale (POS) terminals. A POS terminal is the credit card machine at a merchant’s store used to buy goods. Another kind of POS terminal is the pump at a gas station. You know, swiping/inserting your card at the pump. POS terminals are common ways that cybercriminals breach data. You’ve heard it in the news. Remember Target in 2018? They experienced a POS breach when 110 million customers’ credit card data were stolen.
An Example of a Breach
In this regard, the Standard’s security requirements strive to prevent these types of breaches. The Standard’s compliance obligations require merchants to annually validate that their information security complies with the 12 security requirements and the 280 sub-requirements. In most circumstances, if a business suffers a breach of cardholder data and can show that it did all it could to comply with the Standard but was the victim of an unfortunate circumstance, the credit card companies will be more lenient. However, if a merchant’s card holder data was breached because the merchant failed to comply with a specific security requirement in the Standard, that merchant will most likely suffer serious fines, intrusions into their business operations and possibly legal action.
For example, another avenue through which cyber criminals can reach cardholder data is a merchant’s information security infrastructure. What I mean by that is your network. Remember, your network can consist of several servers or a small business router and firewall. As you know, your router/firewall comes with a default password to activate the router. In turn, a password is necessary to access your network. If you fail to change the default password to something more intricate, this is a violation of the Standard and you would be non-compliant. Specifically, one of the 12 security requirements is to “Remove all default configurations and passwords.” If you failed to change the default password, and this failure opened the door to a hacker, this would be a direct violation of the Standard and you and your business would suffer repercussions. However, let’s say that you followed the Standard, used a strong and intricate password and had a formidable firewall, but the breach still occurred. In that case the credit card companies may be more lenient with you. You, of course, would have to report the breach immediately and allow the investigators access to your business security infrastructure.
Fines for non-compliance with the PCI-DSS are $5,000-$10,000 a month until the business becomes compliant. This doesn’t include any breach of contract claim. But worse, you could lose the relationship with the credit card companies, the processing bank and your service providers. This could be catastrophic for any small business.
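As an added example (not from this post or from the PCI SSC), here is a small Python audit of a router/firewall configuration against the two points just discussed: removing vendor defaults (requirement 2) and the password rule in PCI DSS v3.2.1 requirement 8.2.3 (at least seven characters, containing both letters and digits). The device fields and the factory-default values are constructed for a hypothetical router model, not taken from any real vendor.

```python
"""Audit a small-merchant router/firewall config against PCI DSS
requirement 2 (no vendor defaults, no unnecessary services) and the
password-strength rule of requirement 8.2.3 (v3.2.1).  Added example,
not code from the post."""
import re
from dataclasses import dataclass

# Constructed factory settings for a HYPOTHETICAL router model.  A real
# audit would load the vendor's documented defaults for the exact model.
HYPOTHETICAL_FACTORY_DEFAULTS = {
    "admin_user": "admin",
    "admin_password": "admin",
    "wifi_passphrase": "changeme",
    "snmp_community": "public",
}


@dataclass
class DeviceConfig:
    """The handful of settings this audit looks at (constructed schema)."""
    admin_user: str
    admin_password: str
    wifi_passphrase: str
    snmp_community: str
    remote_admin_enabled: bool   # WAN-side management interface switched on


def meets_pci_password_rule(pw: str) -> bool:
    """PCI DSS v3.2.1 req 8.2.3: minimum 7 characters, both letters and digits."""
    has_alpha = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    return len(pw) >= 7 and has_alpha and has_digit


def audit(cfg: DeviceConfig) -> list[str]:
    """Return one finding per failed check; an empty list means the
    settings checked here are compliant."""
    findings = []
    for key, default in HYPOTHETICAL_FACTORY_DEFAULTS.items():
        if getattr(cfg, key) == default:
            findings.append(f"req 2: '{key}' is still the factory default")
    if not meets_pci_password_rule(cfg.admin_password):
        findings.append("req 8.2.3: admin_password is shorter than 7 characters "
                        "or lacks letters or digits")
    if cfg.remote_admin_enabled:
        findings.append("req 2: WAN-side remote administration is enabled; "
                        "disable it unless a documented business need exists")
    return findings
```

A real audit would pull the live configuration from the device rather than a hand-built object, but the checks themselves stay the same.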
Complying with the Standard is no joke! As noted above, your non-compliance can have drastic consequences. There are some workable and mitigating items that you can do to minimize the possibility of a breach:
- Don’t be relaxed about your security!
- Take the time to know your security environment!
- Try to create layers of protection.
- Test your security regularly, and more than once a year!
Finally, for those of you who use PayPal or other financial services like PayPal, or use mobile card readers, you would still have some responsibility to comply with the Standard.
Remember, compliance is attainable and necessary to protect your business operations and profits.
We wish you “Infinite Success!”