Navigate The PCI-DSS Compliance Process with Confidence
By Manhattan Tech Support
These guidelines will help you achieve strong PCI-DSS compliance and stay compliant over the long term.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data wherever it is stored, processed or transmitted. Unlike most compliance regimes, it is not a government regulation: it is published by the PCI Security Standards Council, which the major card brands founded, and it is enforced contractually through the card brands and your acquiring bank rather than by a government agency.
So, Who Should Maintain PCI-DSS Compliance?
Many small businesses believe the PCI-DSS standard only applies to big companies, but this is false. Any company that accepts card payments, or that stores, processes or transmits cardholder data on someone else's behalf, must be PCI-DSS compliant, even if it only handles a few payments a month.
According to Verizon’s 2018 Payment Security Report, none of the firms that were affected by a payment card data breach were in full compliance with PCI-DSS.[i]
The Importance of an Accurate Self-Assessment
Unlike regulated industries such as healthcare (HIPAA) or securities (FINRA), the card brands won't send an inspector to check on your systems unprompted. You must be proactive: validate your own compliance and report it, usually through your acquiring bank. How you validate depends on your merchant level, which is set by how many card transactions you process per year. Most merchants complete a Self-Assessment Questionnaire (SAQ); Level 1 merchants must have an annual on-site assessment performed by a Qualified Security Assessor (QSA).
The Four Levels of PCI-DSS
- Level 1 – Businesses that process 6 million or more transactions per year, or that the card brand has designated Level 1 at its discretion, for example after a serious data breach
- Level 2 – Process 1 to 6 million transactions per year
- Level 3 – Process 20,000 to 1 million e-commerce transactions per year
- Level 4 – Process fewer than 20,000 e-commerce transactions per year, and any other merchant processing fewer than 1 million total transactions per year
The exact thresholds are set by each card brand (the figures above are Visa's); the levels determine how you must validate compliance, not whether you must comply.
Self-reporting doesn't mean you have room for error. A business found to be out of compliance faces fines from the card brands, passed on through its acquiring bank and accruing for as long as the gap persists, and can lose the right to accept card payments entirely.
Fines aren’t the only problem associated with PCI-DSS non-compliance
- Damaged reputation
- Revenue loss
- Legal action
81% of consumers would stop doing business with a company they know had experienced a data breach.[ii]
What Makes a Company PCI-DSS Compliant?
PCI-DSS is long and technical in nature, which can make it difficult for a layperson to understand. The roughly 130-page body of the PCI-DSS features:
- 12 high-level requirements, grouped into six control objectives
- Over 300 sub-requirements and testing procedures covering the configuration, monitoring and reporting of IT systems
The process of achieving PCI-DSS compliance is a continuing cycle of assessing, remediating and reporting your status:
- Assess – Identify what cardholder data you're responsible for protecting, which IT assets store, process or transmit it (your cardholder data environment), and any existing compliance gaps.
- Remediate – Fix the vulnerabilities and gaps you discovered, which includes properly managing every external vendor that helps with card processing.
- Report – Compile and submit remediation and validation records together with your self-assessment questionnaire (SAQ), an Attestation of Compliance (AOC) and, where your SAQ type requires them, passing quarterly external vulnerability scans from an Approved Scanning Vendor (ASV).
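The Assess step starts with knowing where PAN actually lives, and in practice it turns up in places nobody planned for: application logs, support tickets, spreadsheet exports. Below is an added example, not code from the original page, of the kind of scanner used for that discovery and for the redaction the Safe Data Removal section later calls for. It matches candidate PANs, confirms them with the Luhn check so that every 16-digit order number is not flagged, and reports them already masked to the first six and last four digits, the most PCI DSS v3.2.1 (Requirement 3.3) lets you display, so the scan output itself does not become a new store of cardholder data. The sample log lines are constructed and use publicly documented test card numbers.

```python
"""Find candidate primary account numbers (PANs) in text such as logs, exports or
database dumps, confirm each with the Luhn check to weed out look-alikes, and
report or redact them masked to the first six and last four digits, the most
PCI DSS v3.2.1 (Requirement 3.3) lets you display.
Added example, not code from the original page; the sample log below is constructed."""
import re

# Candidate PANs: 13-19 contiguous digits, or 16 digits in four groups of four
# separated by a single space or dash. Look-arounds stop us matching inside longer runs.
PAN_CANDIDATE = re.compile(
    r"(?<![\d-])(?:\d{4}[ -]){3}\d{4}(?![\d-])"   # 4-4-4-4 grouping (Visa, Mastercard, Discover)
    r"|(?<!\d)\d{13,19}(?!\d)"                    # ungrouped 13-19 digits (covers 15-digit Amex)
)

# Constructed sample: publicly documented test card numbers plus a Luhn-invalid order id.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z INFO checkout ok order_id=1234567890123456 amount=42.10
2024-03-02T10:15:02Z DEBUG gateway request pan=4111111111111111 exp=12/26
2024-03-02T10:15:03Z DEBUG gateway request pan=5555 5555 5555 4444 exp=01/27
2024-03-02T10:15:04Z INFO support note: customer amex 378282246310005 declined
2024-03-02T10:15:05Z INFO session id=9f3c1a ok
"""


def luhn_ok(digits):
    """Luhn (mod 10) check that every real PAN passes; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits; everything between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(match):
    """Strip the group separators so the Luhn check and mask see digits only."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Return [(line_number, masked_pan)] for every Luhn-valid candidate; never the raw PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _normalise(m)
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact(text):
    """Replace Luhn-valid PANs in place with their masked form; leave other digit runs alone."""
    def repl(m):
        digits = _normalise(m)
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
    print(redact(SAMPLE_LOG))
```

The Luhn check is a false-positive filter, not proof of a card number: one in ten random digit strings passes it, so anything it flags still needs a human look, and grouping styles other than 4-4-4-4 (Amex's 4-6-5, for instance) need their own pattern before you rely on this for a real sweep.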
According to Juniper Research, online payment fraud will reach $48 billion per year by 2023.[iii]
The Good News: PCI-DSS is Built on Strong Cybersecurity
PCI-DSS is complex, but it’s based on established cybersecurity best practices. Those best practices can help you achieve PCI-DSS compliance, while also protecting your network and business from cyberattack.
Proper Firewall Configuration
Firewalls help prevent unwanted access, but only if they're configured correctly; a misconfigured firewall is an audit finding, not a control.
- Establish and implement documented standards for firewall and router configuration
- Block direct access between the Internet and your cardholder data environment (CDE): permit only the traffic the CDE needs and deny everything else by default
- Review firewall and router rule sets at least every six months, as Requirement 1 demands
Monitor and Track Network Access
You should create a documented process for tracking everyone in your organization who has access to your CDE, while ensuring that unauthorized personnel are kept out.
- Isolate your cardholder data environment (CDE) from other systems
- Ensure that proper logging and monitoring are performed for PCI-DSS audits
Effective Password Management
Passwords are a major security liability. An important part of PCI-DSS is making sure that a weak, shared or stolen password can't by itself turn into a breach.
- Maintain a complete inventory of all systems that are in scope for PCI-DSS
- Change vendor default passwords and remove default accounts on all software and hardware before putting it into service
- Disable all unnecessary accounts with access to the CDE, and remove access promptly when staff leave
- Require multi-factor authentication for all non-console administrative access and all remote access to the CDE (a requirement since PCI DSS 3.2)
Proper Implementation of Data Encryption
Encrypting data at rest and in transit is a significant focus of PCI-DSS.
- Make sure cardholder data only ever crosses open or public networks inside strong TLS sessions (TLS 1.2 or later). SSL and early TLS (TLS 1.0 and 1.1) have been prohibited by PCI DSS Appendix A2 since 30 June 2018, so "it's SSL-encrypted" is no longer a passing answer
- Render stored PAN unreadable (truncation, tokenization, one-way hashing or strong encryption), and never store sensitive authentication data such as the full magnetic stripe, card verification code or PIN after authorization
- Document processes for the management of encryption keys, including generation, distribution, storage, rotation and retirement
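The TLS point above deserves a check rather than a checkbox: the question is which protocol versions a server will actually negotiate, not what its documentation says. The following added example, not code from the original page, probes a host one protocol version at a time with Python's standard ssl module, turns the answers into pass/fail findings against the Appendix A2 rule, and builds the hardened client-side context your own code should use when it talks to a payment endpoint. The host name in the __main__ block is a placeholder; scan() needs network access, while evaluate(), is_compliant() and hardened_client_context() run offline.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate and judge the
result against PCI DSS Appendix A2, which prohibits SSL and "early TLS"
(TLS 1.0 and 1.1) for protecting cardholder data.
Added example, not code from the original page; the host in __main__ is a placeholder."""
import socket
import ssl
import sys

# Protocol versions PCI DSS classes as SSL/early TLS: unacceptable for cardholder data.
PROHIBITED = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
# Versions that satisfy the "strong cryptography" requirement for data in transit.
ACCEPTABLE = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly one protocol version.

    Returns True if the server completed the handshake at that version,
    False if it refused, and None if the local OpenSSL build cannot offer the
    version at all (common for SSLv3), in which case another tool must test it.
    Connection-level failures (DNS, refused port) propagate as OSError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we are testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # OpenSSL refusing to offer the version is "cannot test", not "server refused".
        if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False
    except ConnectionResetError:
        return False             # some servers drop the connection instead of sending an alert


def scan(host, port=443):
    """Probe every version of interest; returns {TLSVersion: True / False / None}."""
    return {v: probe_version(host, port, v) for v in PROHIBITED + ACCEPTABLE}


def evaluate(results):
    """Turn scan results into findings. Keys may be TLSVersion members or their names."""
    norm = {(k if isinstance(k, ssl.TLSVersion) else ssl.TLSVersion[k]): v
            for k, v in results.items()}
    findings = []
    for version in PROHIBITED:
        accepted = norm.get(version, False)
        if accepted:
            findings.append(f"FAIL: server negotiates {version.name} "
                            "(SSL/early TLS, prohibited by PCI DSS Appendix A2)")
        elif accepted is None:
            findings.append(f"UNTESTED: local OpenSSL cannot offer {version.name}; "
                            "verify with another scanner")
    if not any(norm.get(v) for v in ACCEPTABLE):
        findings.append("FAIL: server offers neither TLS 1.2 nor TLS 1.3")
    return findings


def is_compliant(results):
    """True only when no probe produced a FAIL; UNTESTED findings are left for follow-up."""
    return not any(f.startswith("FAIL") for f in evaluate(results))


def hardened_client_context():
    """Client-side counterpart: refuse anything below TLS 1.2, keep CA and hostname verification."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "payments.example.com"   # placeholder host
    for line in evaluate(scan(target)) or ["PASS: only TLS 1.2/1.3 negotiated"]:
        print(line)
```

An UNTESTED result is not a pass: modern OpenSSL builds usually cannot speak SSLv3 at all, so that version has to be checked with a scanner that still can. Run the probe from outside your own network as well, since the Internet-facing device is the one the ASV scan will see.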
Common PCI-DSS Stumbling Blocks
In our 20 years helping businesses achieve complete PCI-DSS compliance, we’ve identified a few common problem areas where businesses are prone to non-compliance.
Safe Data Removal
PCI-DSS dictates how long cardholder data may be kept and how it must be destroyed. Keep the primary account number (PAN) only as long as you have a documented business need, and never store sensitive authentication data (full magnetic stripe data, card verification codes, PINs) after authorization. When data, or the media holding it, is retired it must be destroyed so it cannot be reconstructed: paper shredded, incinerated or pulped, and electronic media securely wiped or physically destroyed, as Requirement 9 specifies.
Does Your Organization Have the Right Physical Security Protections?
Although the majority of PCI-DSS is about securing technology, the standard contains requirements for physical security too. Protecting devices such as laptops, desktop PCs, servers, routers and payment terminals, as well as your physical facility, is necessary to avoid fines from the card brands.
According to Verizon, 55.4% of organizations that passed a PCI-DSS audit in 2016 failed an interim audit within just twelve months.[iv]
PCI-DSS Training – The Human Element
Your staff are the first line of defense in strong PCI-DSS compliance. Without their awareness and vigilance, your PCI-DSS compliance efforts are almost sure to fail.
Manhattan Tech Support has made high-quality PCI-DSS awareness training a major feature of its service offering. Training helps companies:
- Learn about PCI-DSS requirements ahead of a self-assessment
- Better understand the credit card infrastructure and process
- Gain the latest insights into PCI-DSS best practices
- Drive strong PCI-DSS compliance across your organization
Manhattan Tech Support – NYC’s Trusted PCI-DSS Compliance Partner
We’ve been serving the security and compliance needs of NYC businesses for over two decades and can provide any business big or small with a documented path to reliable PCI DSS compliance. If you have a question for our compliance experts about how to achieve compliance with PCI-DSS or any other standard, we’re always available to answer your questions.
Contact us any time at 212-299-7673 or [email protected]!
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.
Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC