What is PCI-DSS & How Does It Work?

Any business that stores, processes, or transmits payment card data is required to be PCI-DSS compliant. Essentially, this is a system put in place to protect both businesses and their customers. PCI-DSS stands for the Payment Card Industry Security Standards, and it provides a checklist of requirements to enhance security for companies that process credit and debit card transactions.

In 2014, 16.31 billion dollars were reported lost to payment card fraud, and this figure is expected to rise to 35.54 billion by 2020. These losses come from companies and businesses with little to no control over their sensitive data.

Do I Require PCI-DSS For my Business?

All businesses that handle sensitive card information must abide by these rules to keep everyone involved safe. The intention is to protect sensitive card information. Should a business pass card data to a third party, it remains the responsibility of that business to ensure the data is protected according to the PCI-DSS requirements.

PCI-DSS ensures that all parties have adequate control over the information that is exchanged between them. Sensitive data is defined as follows:

  • Any cardholder data that includes a Primary Account Number (PAN), a Cardholder Name, an Expiration Date, or a Service Code.
  • Sensitive authentication data read from a magnetic stripe, or the equivalent data transmitted via a chip. This includes CVC2, CAV2, CVV2, CID, and PIN information.

PCI-DSS Requirement Checklist

There are 12 requirements, grouped under six goals, that a company must adhere to in order to ensure a secure network and protect cardholder privacy:

Create and Hold a Secure System and Network

  1. A business must install and maintain a firewall to keep cardholder data behind.

    Firewalls filter all traffic on the network and prevent bad actors from reaching sensitive information.

  2. Refuse to use vendor-supplied default settings for passwords and other security layers.

    Default settings are the first things that a criminal will target. It is the company's responsibility to change these.

Protect Cardholder Data

  3. Keep stored cardholder data secure.

    Keeping data secure is essential. One can encrypt, mask, hash, and use other methods to protect the data of users.

  4. Encrypt all cardholder information that is transmitted over a public network.

    All sensitive information must be encrypted regardless of the network. Hackers and bad actors will do their best to target an open network, so this information should be kept as secure as possible.

Manage a Vulnerability Program

  5. Protect any and all systems against malware and other attacks, and keep all security software updated.

    Malware is a constant threat across the internet. Any and all security systems and protections should be used to guard against it.

  6. Develop and maintain secure applications and systems.

    Bad actors will do their best to gain access to sensitive data. Testing and keeping up with the latest issues will keep that data as secure as possible.

Implement Strong and Secure Access Controls

  7. Keep sensitive information on a "need-to-know" basis.

    The fewer eyes and hands on sensitive data, the better.

  8. Require authentication for access to all parts of the system.

    Only specific administrative users should have access to data and information.

  9. Do not allow physical access to cardholder information.

    Data should never be accessed physically except in exceptional cases.

Monitor and Test Networks on a Regular Basis

  10. Track and log all access to networks and cardholder information.

    It is imperative to keep a log of all changes and access on the network so that the origin of a breach can be identified.

  11. Test these systems and their security on a regular basis.

    Systems should be tested constantly for bugs and vulnerabilities.

Keep a Secure Information Policy Available at All Times

  12. Provide and maintain a data security policy for all personnel.

    All employees should be aware of these rules and what to do to keep the risk of a data breach to a minimum.
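Two of the controls in the checklist above, masking stored or displayed PANs under "Protect Cardholder Data" and keeping logs that do not themselves leak card data under the monitoring goal, can be shown together in a small log scrubber. The Python below is an added example, not code from the original article or from the PCI Security Standards Council; the log line is constructed, uses the well-known 4111 1111 1111 1111 test card number rather than a real account, and all function names are my own.

```python
import re

# Constructed sample log line: a checkout log that wrongly contains a full PAN and a CVV.
SAMPLE_LOG = (
    "2024-01-01T12:00:00Z INFO checkout order=1234 pan=4111111111111111 "
    "exp=12/29 cvv=123 amount=19.99"
)

# Runs of 13-19 digits are PAN candidates; the lookarounds stop partial matches inside longer numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Sensitive authentication data fields (CVV2/CVC2/CAV2/CID/PIN) may never be retained after authorisation.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin)=\S+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits, the most PCI-DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str):
    """Mask Luhn-valid PANs and drop sensitive authentication data; return (clean_line, pans_found)."""
    count = 0

    def mask_match(m: "re.Match[str]") -> str:
        nonlocal count
        digits = m.group(0)
        if not luhn_valid(digits):
            return digits       # a long number that is not a card number is left untouched
        count += 1
        return mask_pan(digits)

    line = PAN_CANDIDATE.sub(mask_match, line)
    line = SAD_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line, count


if __name__ == "__main__":
    clean, found = scrub_log_line(SAMPLE_LOG)
    print(f"{found} PAN(s) masked: {clean}")
```

A scrubber like this belongs at the point where logs are written, so a full PAN never reaches storage; finding a hit in existing logs is itself a signal that cardholder data has leaked outside the controlled environment.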

How to Reach This Level of Compliance

In order to be recognised as PCI-DSS compliant, a business must consistently build and implement systems that work towards these six high-level goals. Each goal is broken down into individual requirements to make implementation straightforward. Once the systems are in place, the business must test, report on, upgrade, and continuously monitor them for maximised efficiency.

Where Sensitive Data Loss May Occur

There are multiple areas where sensitive data loss could occur:

  • Card reader has been compromised
  • Point of Sale system has been tampered with
  • Storage networks have been compromised
  • Main database has been compromised
  • Online portals are taken advantage of
  • Wireless routers have been intercepted
  • Filing cabinet broken into
  • Eavesdropping via a security camera or a wiretap

On top of this, a business that does not meet PCI-DSS requirements faces a number of further consequences that can cost it clients:

  • Client simply loses confidence after learning this information
  • Payment card costs go up
  • Compliance costs go up
  • Costs of legal fees, settlements, or judgements are high
  • Penalties and fines are raised
  • Client can no longer accept credit cards
  • Business is forced to close