Written by Channin Gladden (December 12, 2019)
Running a business in the digital age is no easy feat. This is especially true nowadays, when consumer data security is at the forefront of the conversation.
Data breaches have hit even some of the biggest multinationals, exposing sensitive user data and compromising the privacy and trust of their customers. When it’s payment card data that leaks on a large scale, the damage goes far beyond consumer confidence: individual customers’ finances can be severely hurt when their card data gets into the wrong hands.
That’s why securing cardholder data is so crucial, and that is exactly what PCI DSS aims to do.
Like many compliance programs, the Payment Card Industry Data Security Standard (PCI DSS) is designed to make every merchant and service provider that handles card data more secure, which in turn makes the payment card industry as a whole more reliable. PCI DSS holds you, your fellow merchants and all the other stakeholders in the payment card industry to one rigorous security standard.
But what about your business: do you need to be PCI DSS compliant? If you store, process, or transmit cardholder data, the short answer is yes, but let’s go over a few things so you understand exactly why this data security standard is so vital and why it matters for your business.
What is PCI DSS?
All merchants and service providers that process payment card information must comply with PCI DSS, which is a set of controls and obligations that reduce the likelihood of cardholder data being compromised.
To put it simply: PCI DSS is a set of requirements that businesses who touch payment card data must follow as part of an industry-wide program against credit card fraud and loss.
The most recent version of the standard comes from the PCI Security Standards Council (PCI SSC), a body founded by the major card brands (American Express, Discover, JCB, MasterCard and Visa). It contains 12 high-level requirements that merchants and service providers must implement.
A dozen boxes to tick doesn’t sound too difficult, right?
Not so fast: those 12 requirements break down into hundreds of sub-requirements. Installing and maintaining firewalls, protecting stored cardholder data and encrypting card data sent over public networks, patch management, and keeping audit trails that can be traced back to individual users are just a few of them, and many are complex enough to require an entire cross-functional team to tackle.
Some of these requirements may be especially difficult for smaller organizations to meet, particularly without any expert help.
Who needs to comply with PCI DSS requirements?
So, how do you know if your business needs to worry about attaining and maintaining compliance?
PCI DSS applies to any organization, regardless of size, revenue or number of transactions, that collects, transmits, stores or transfers cardholder data. Anyone who accepts a major-brand card such as American Express, Discover, JCB, MasterCard or Visa must comply with the PCI DSS requirements.
In other words, if payment card data touches your network at any point, you must comply.
For smaller organizations, the journey to full PCI DSS compliance without any help may seem incredibly daunting, but failing to fulfill the requirements can and does lead to hefty consequences.
What happens when you don’t comply with PCI DSS?
Like GDPR and CCPA, PCI DSS is not optional. Unlike GDPR and CCPA, though, it is not a law: it is a contractual obligation that a business takes on through its merchant agreement with its acquiring bank and, through the bank, with the card brands, whenever it engages in any activity involving payment card data.
Failure to comply with PCI DSS can cost you dearly, particularly if you ever suffer a breach of payment card data. The penalties for non-compliance range from sizable fines, levied by the card brands on your acquiring bank and passed on to you, to having your ability to accept payment cards revoked. Either can be fatal for an early-stage company.
These are just the tip of the iceberg compared to the total financial harm caused by non-compliance.
From there, businesses may have to pay to notify every individual affected by the breach, cover the cost of reissuing cards, pay legal fees, and so on. The fines for non-compliance are just the start, and they don’t account for the brand damage a data leak causes or the loss of consumer trust that follows. Brand image is, in fact, one of the biggest exposures when it comes to data security.
According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest cost of a security incident is the erosion of brand value.
Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, but you should also want to avoid the liability of not implementing these compliance requirements.
The question, therefore, should not be “is PCI compliance mandatory” (it is), but rather “why would you take the risk of not implementing it?”
Understanding that PCI DSS compliance is absolutely vital is the first step, but how would a business go about becoming compliant?
The DIY approach to PCI compliance
To build a PCI compliant network you will, at a minimum, need to follow the following steps.
Step one: Download the PCI DSS documents from the PCI Security Standards Council and study them. The Council also publishes guidance on how to comply; read through it and understand the challenges ahead.
Step two: Conduct a risk assessment to determine how robust your controls need to be and how you will mitigate the risks. Not every control applies to every environment, so use your risks to find the gaps you need to fill. It can help to work with an expert here: budget-busting solutions often exceed what most smaller businesses need, but untrained personnel often struggle to identify which controls do not apply, or how to compensate for the ones they cannot implement as written.
Step three: Determine which of your current resources can be leveraged for one or more of the controls indicated by your risk assessment. Identify any gaps that will require new resources, including servers, routers, communication equipment, physical security, and full-time employees.
Step four: Create a project plan with a budget and timeline/milestones. Be careful about how long you take, because your risk doesn’t drop until you are compliant. For many smaller businesses this process takes 3-6 months and usually requires significant expert consultation as well as costly technology: firewall(s), access control systems, vulnerability scanning services or tools, and more.
Step five: Gather your resources and build or rebuild your network. It is likely you will need at least one full-time employee to manage your network for PCI DSS compliance.
Step six: Test and verify that your controls actually reduce the risks you identified. Controls do not always work as intended, and technology changes rapidly, so a method you chose a few months ago may already have been circumvented.
Step seven: Go live with your solution and hope it works as designed. It might not, but you will tweak it until it does.
Step eight: Have your environment assessed. Merchants with the largest transaction volumes (Level 1) need an on-site assessment by a Qualified Security Assessor (QSA) listed on the PCI Security Standards Council website; most smaller merchants instead complete a Self-Assessment Questionnaire (SAQ), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where their SAQ calls for them. Either way, you won’t really know how well you have done until you are assessed (unless you have a breach first, in which case you did poorly).
Step nine: Revise your controls or infrastructure based on the assessment findings.
Once all nine steps are completed, constant vigilance, testing and reworking are required on a regular basis.
The human resources and funding required to complete all of the above are, unfortunately, out of reach for many younger companies.
For this reason, many small and medium-sized organizations opt to work with a trusted third-party data security partner to manage all their PCI compliance needs.
The easiest and fastest path to PCI compliance
Rather than have a cross-functional team undertake the arduous DIY process of gaining PCI DSS compliance, the fastest and simplest way to become compliant is to make sure payment card data never touches your business’ servers.
But how can you possibly accept payment cards and run an online business without ever touching cardholder data?
The solution is an approach called data aliasing: sensitive user data, such as cardholder information, is intercepted in real time before it reaches your systems and replaced with a synthetic alias, so that none of the original data ever passes through your application. The alias is swapped back for the real value only on the outbound path to the payment processor, inside the aliasing provider’s environment.
Data aliasing is the foundation of Very Good Security’s Zero Data solutions, which enable businesses to collect, store and transmit any sensitive data they want without ever coming into possession of it.
This removes most of your business systems from PCI DSS scope: the proxy and vault operated by the provider become the systems that store, process and transmit cardholder data. Your burden shrinks accordingly, and the chance that a compromise of your own systems exposes cardholder data drops sharply. The systems that deliver the payment page and integrate with the provider remain in scope, and you still complete and attest to an annual self-assessment questionnaire.
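To make the aliasing flow concrete, here is an added, self-contained example written for this article; it is not Very Good Security’s code or API. It models the inbound proxy (PAN in, alias out), the vault that keeps the only copy of the real card number, the merchant application that only ever sees the alias, and the outbound proxy that restores the PAN on the way to the processor. The alias is format-preserving (same length, same last four digits, Luhn-valid) so that downstream card-number validators keep working. The vault is an in-memory class and the checkout payload is a constructed sample; the names `Vault`, `inbound_proxy`, `outbound_proxy` and `run_checkout` are this example’s own.

```python
"""Toy data-aliasing (tokenization) vault and proxy pair.

Constructed example for this article; NOT Very Good Security's code or API.
In practice the vault and proxies run in a separate, PCI-scoped environment
that the merchant's systems cannot look inside; here everything is in one
process so the flow runs offline.
"""
import json
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_alias(pan: str) -> str:
    """Format-preserving alias: same length, same last four digits, Luhn-valid.

    The alias carries no information about the real PAN except the last four,
    which merchants usually need for receipts and customer support. The digit
    just before the last four is chosen so the whole alias passes Luhn; exactly
    one of the ten candidates does, because each Luhn position maps 0-9 onto
    0-9 one-to-one.
    """
    last4 = pan[-4:]
    body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
    for fixer in "0123456789":
        candidate = body + fixer + last4
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one fixer digit always satisfies Luhn")


class Vault:
    """Holds the only copy of the real PANs, keyed by alias (hypothetical service)."""

    def __init__(self) -> None:
        self._by_alias: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def redact(self, pan: str) -> str:
        """Inbound direction: swap a PAN for an alias (same alias for a repeat PAN)."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        alias = make_alias(pan)
        while alias in self._by_alias:      # collision is vanishingly rare, but cheap to guard
            alias = make_alias(pan)
        self._by_alias[alias] = pan
        self._by_pan[pan] = alias
        return alias

    def reveal(self, alias: str) -> str:
        """Outbound direction: swap the alias back; only the processor-bound path may call this."""
        return self._by_alias[alias]


def inbound_proxy(vault: Vault, checkout_json: str) -> str:
    """Sits between the browser and the merchant: rewrites only the card_number field."""
    payload = json.loads(checkout_json)
    payload["card_number"] = vault.redact(payload["card_number"])
    return json.dumps(payload)


def merchant_app(checkout_json: str) -> dict:
    """The merchant's own code: persists the order and never handles a real PAN."""
    order = json.loads(checkout_json)
    return {"order_id": order["order_id"], "amount": order["amount"],
            "stored_card": order["card_number"]}


def outbound_proxy(vault: Vault, processor_request: dict) -> dict:
    """Sits between the merchant and the processor: restores the PAN on the way out."""
    req = dict(processor_request)
    req["card_number"] = vault.reveal(req["card_number"])
    return req


SAMPLE_PAN = "4111111111111111"   # widely used test PAN, not a real card


def run_checkout(pan: str = SAMPLE_PAN) -> dict:
    """End to end: what the merchant stored, what the processor received, and the alias."""
    vault = Vault()
    request = json.dumps({"order_id": "A1001", "amount": "19.99",
                          "card_number": pan})            # constructed sample request
    order = merchant_app(inbound_proxy(vault, request))
    processor_sees = outbound_proxy(vault, {"amount": order["amount"],
                                            "card_number": order["stored_card"]})
    return {"merchant_store": order, "processor": processor_sees,
            "alias": order["stored_card"]}


if __name__ == "__main__":
    print(json.dumps(run_checkout(), indent=2))
```

Two practical points follow from the design. First, because the alias is Luhn-valid and card-shaped, a naive regex-based DLP scan of the merchant’s database will flag it exactly as it would a real PAN; scope-reduction evidence therefore rests on the vault lookup (the alias resolves to nothing outside the provider), not on pattern matching. Second, `reveal` is the one operation that must stay locked down: whatever can call it is, by definition, inside the cardholder data environment.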
Very Good Security offers nearly instant compliance for smaller merchants and service providers upon integration. For organizations that are PCI Level 1, either because of transaction volume or because their bank or partners require it, compliance can be achieved in as few as 21 days.
By taking the DIY path, the same result can take several months, after you’ve already poured a substantial amount of human and financial capital into securing your databases and processes.
Very Good Security is a fully scalable solution that grows with your business and can take your PCI burden off your plate almost entirely.
Interested in descoping your company’s networks from PCI requirements and achieving compliance the simple way? Try a demo of VGS.
This article was originally posted on Very Good Security.