The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that’s designed to protect credit card information. With the proliferation of online payments and eCommerce, ensuring strong PCI-DSS compliance has become a significant source of concern for small and midsized businesses in New York.
The primary reason the standard causes so much anxiety is that it’s long and complex, totaling about 130 pages. The requirements document opens with 12 high-level objectives, which seem easy enough to understand. However, those objectives are composed of over 300 separate controls for the monitoring and reporting of IT systems, all highly technical in nature, making them almost impossible for a layperson to understand. Want to give it a try? You can browse the complete document here at the official site.
So, what’s the best way to achieve full PCI-DSS compliance?
Which Level of Compliance Do You Need?
The PCI Compliance standard is broken down into four levels, depending on how many credit card transactions a business processes per year and the size of those transactions.
- Level 1 – Businesses that do $6 million or more in transactions, accept global transactions, or a business that’s experienced a serious data breach in the past.
- Level 2 – $1 to $6 million in transactions
- Level 3 – $20,000 to $1 million in e-commerce transactions
- Level 4 – Less than $20,000 in e-commerce transactions and up to $1 million in transactions for other businesses
Naturally, Level 1 certification is the most rigorous, requiring a yearly compliance check with a security professional who possesses PCI DSS training, known as a Qualified Security Assessor (QSA). Most SMBs fall into Level 3 and Level 4. Businesses in those categories can perform their own internal PCI-DSS audits and self-report their compliance.
Some businesses think self-assessment leaves wiggle room for “good enough” compliance. That’s far from the case. Any business that’s caught out of compliance faces thousands of dollars in fines per day and might lose the right to process credit card transactions entirely.
The Consequences of Not Being Compliant
Failing to remain PCI compliant can result in severe damages and penalties for businesses. Fines levied can be thousands of dollars, depending on the size of the business. Separately, card brands might impose their own fines on businesses if there is a data breach. In the case of a data breach where credit card numbers and other personally identifiable information (PII) might be compromised, businesses are required to issue breach notifications in most states in the US. All of these issues pile additional financial penalties and costs onto the business.
The 3 Steps to Reliable PCI Compliance
Building robust PCI compliance systems and processes requires three phases: assessment, remediation, and reporting. Each step of that process revolves around a few central concerns. Are you running a secure network and adequately protecting cardholder data? Do you have a strong vulnerability program and access controls in place? Do you have a coherent information security policy, and are you regularly testing that policy?
1 – Assess
This involves identifying what credit card data you’re responsible for protecting, creating a detailed inventory of IT assets and business processes related to receiving credit card payments, then carefully analyzing each system for security weakness. While the assessment should prioritize risks in the systems that are within the scope of your PCI-DSS compliance, you should evaluate the security throughout your entire company to get a comprehensive view of your organization’s vulnerabilities.
The goal of the assessment is to identify compliance gaps. To ensure the assessment’s success, it’s crucial to get support from company executives who can allocate it the proper resources, as well as buy-in from department heads who understand and value the PCI compliance process. Because assessment is highly technical, you’ll likely want to enlist the assistance of an outside security expert to help you understand the guidelines and avoid making mistakes.
2 – Remediate
Now it’s time to address the vulnerabilities you discovered during the assessment. This process begins by building a list of items that need remediation, interpreting the compliance requirements to make sure you’re using the correct remediation methods, and gathering the evidence you’ll need for PCI reporting.
Businesses may choose to outsource some of their data or credit card processing to a qualified payment processor. This is a perfectly acceptable way to offload part of the compliance burden, but don’t make the mistake of believing it provides automatic compliance. You’ll still need to address policies for cardholder transactions and data processing in-house, because you must protect cardholder data whenever you receive it or process refunds. You should also verify that each vendor you outsource payment processing to is itself compliant, and repeat that verification at least annually.
3 – Report
Compile and submit remediation validation records, along with the compliance reports, to your acquiring banks and card brands. This process often involves submitting a completed Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC), along with supporting documentation such as an Approved Scanning Vendor (ASV) scan report.
Common PCI DSS Compliance Stumbling Blocks
It shouldn’t be a surprise that businesses most commonly stumble on the technical aspects of PCI DSS compliance, failing to maintain security software, data encryption, anti-malware software, and controls to ensure data security.
One area where SMBs often have difficulty is network segmentation. Segmentation should enable a company to isolate the Cardholder Data Environment (CDE), the portion of your network that stores, processes, or transmits credit card information. In theory, this reduces the scope of your PCI implementation and makes compliance easier, but the process is much more difficult than most businesses realize. A firewall or router alone does not sufficiently separate sensitive information from the rest of your network: the hardware and software used to segment sensitive data must be hardened and configured to provide the proper level of security, and the segmentation must be verified to actually block every path it is supposed to block.
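To make the segmentation point concrete, here is an added example (not code from the original article or from Manhattan Tech Support) showing why a firewall in front of the CDE is not the same as effective segmentation. It evaluates a firewall rule list with first-match semantics and a default deny, then checks a set of test flows from out-of-scope segments into the CDE against a list of approved flows, which is the kind of check a segmentation test performs. The subnets, host addresses, port numbers, rule sets, and the `Rule`, `evaluate`, and `segmentation_gaps` names are all constructed for illustration; the "weak" rule set models the common mistake of a convenience allow rule placed ahead of the deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule: constructed representation, not any vendor's syntax."""
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == port))


def evaluate(rules, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, the way most
    packet filters behave: the first rule that matches decides the flow."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def segmentation_gaps(rules, test_flows, approved):
    """Return every test flow that the rule set allows into the CDE but that
    is not on the documented approved-flow list. An empty list means the
    rule set blocks everything the segmentation design says it should."""
    gaps = []
    for src_ip, dst_ip, port in test_flows:
        allowed = evaluate(rules, src_ip, dst_ip, port) == "allow"
        if allowed and (src_ip, dst_ip, port) not in approved:
            gaps.append((src_ip, dst_ip, port))
    return gaps


# Constructed network plan: the CDE is 10.10.0.0/24, the office LAN is
# 10.20.0.0/16, and 10.30.0.5 is a payment-application server that
# legitimately reaches the CDE database host on port 5432.
APPROVED = {("10.30.0.5", "10.10.0.10", 5432)}

# Constructed test flows a segmentation review would try from out-of-scope
# segments, plus the one approved flow as a control.
TEST_FLOWS = [
    ("10.20.4.17", "10.10.0.10", 5432),  # office workstation -> CDE database
    ("10.20.4.17", "10.10.0.10", 22),    # office workstation -> CDE SSH
    ("10.20.9.2", "10.10.0.25", 445),    # guest subnet -> CDE file share
    ("10.30.0.5", "10.10.0.10", 5432),   # approved application-server flow
]

# Weak rule set: a broad "any internal host may reach the CDE" rule was added
# for convenience and sits ahead of the deny, so the deny never fires.
WEAK_RULES = [
    Rule("allow", "10.0.0.0/8", "10.10.0.0/24"),
    Rule("deny", "0.0.0.0/0", "10.10.0.0/24"),
]

# Hardened rule set: permit only the documented flow, then deny everything
# else into the CDE.
HARDENED_RULES = [
    Rule("allow", "10.30.0.5/32", "10.10.0.10/32", 5432),
    Rule("deny", "0.0.0.0/0", "10.10.0.0/24"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        gaps = segmentation_gaps(rules, TEST_FLOWS, APPROVED)
        print(f"{name}: {len(gaps)} unapproved path(s) into the CDE")
        for gap in gaps:
            print("   ", gap)
```

Running the script reports three unapproved paths for the weak rule set and none for the hardened one. The design choice to simulate first-match evaluation rather than just grep for "deny" lines is the point: rule order and rule breadth, not the mere presence of a firewall, decide whether the CDE is isolated, and the same evaluator can be pointed at an exported rule list and the flows your network diagram says should be blocked.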
Compounding the technical challenges of PCI-DSS compliance is that it’s an all-or-nothing endeavor. Businesses that fail to make themselves 100% compliant are out of compliance. With no room for error, it’s easy to understand why many companies choose to outsource PCI DSS compliance work to a trusted technology partner.
The Human Element of PCI Compliance
Another challenge that many businesses face when pursuing PCI-DSS compliance is the competency gap. Because of the specific skill set that regulatory compliance demands, almost all companies lack the staff they need to fully address PCI compliance in-house.
Ensuring compliance takes more than a single expert; it requires a multi-disciplinary team of legal experts, technologists, executives, and operations specialists who can holistically address changes in the standard and in your technology without adversely affecting your business. PCI DSS compliance is not a one-time project that can be handled and then forgotten; it’s an ongoing program that takes sustained effort to realize total success. To alleviate that strain and make better use of their resources, many SMBs engage compliance specialists and technology partners as an outsourced compliance team that commits significant time and energy to the initiative over the long term.
NYC’s Team of PCI Compliance Professionals
With over two decades of experience serving the security and compliance needs of NYC businesses, the experts at Manhattan Tech Support have a documented path to providing reliable PCI DSS compliance for any business big or small. Call us any time at 212-299-7673 to discuss your compliance needs, or ask us any questions. We’re always happy to help!
Kaytuso – cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.
Exceed Digital – custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC.