Many business owners are unaware of these obligations which can not only expose them to hacking attempts, but a big shock when their bank discovers they're non-compliant, as this usually results in the suspension of payment facilities. Non-compliance can also cause reputational damage for a brand, and fines ranging from $10,000 to $100,000 (or more) per month until compliance is achieved.
Getting started: The road to PCI DSS compliance
PCI DSS standards comprise several areas of compliance from network security and physical security to hiring and training practices. The specific level of compliance required for your business is based on your transaction volumes, or your company’s level of risk which is determined by your bank.
These high-level requirements are supported by a number of sub-requirements which may make seem overwhelming or even impossible for an organisation looking at it for the first time. But in reality, it’s not too daunting and well worth the effort which will make the organisation better off in terms of preventing data breaches, large fines and the inability to accept card payments.
Here’s six steps to help you get started.
- Scope your cardholder data environment
The most critical first step is to separate your cardholder data (CHD) environment from the rest of your network. This is known as segmentation and helps you clearly differentiate between the environments which are in-scope and out-of-scope for PCI DSS compliance. This will help deliver a more focused PCI DSS audit specifically targeting the key in-scope areas that involve the flow of cardholder data.
- Cardholder data flow awareness
This involves raising awareness among key security personnel about the flow of cardholder data within the organisation in relation to the PCI DSS scope you established in step one. Implementing necessary controls to protect this data is also a vital part of the process and can include installing a Web Application Firewall in your network to prevent unauthorised access to the data flow.
- Identify who needs access to resources and the devices they use
You also need to ensure user access to this data is solely based on your team members' job functions, and perform periodic user access reviews for all employees – this includes an overall assessment of user roles, access rights and privileged rights. You should also pay special attention to past employees and check if there have been any role changes which could potentially impact access rights. This helps with issues such as unauthorised access and lack of accountability.
And when it comes to monitoring the devices used to access your network (such as servers and firewalls among other network devices), it's easy for a lot of organisations to overlook maintaining asset registers. But, as the number of devices used throughout your business increases, it becomes more challenging to keep track of assets, and the chances of these being misplaced or stolen increases. So it's important to establish and maintain a centralised asset register.
- Establish if the cardholder data you store is necessary ... and legal
PCI DSS requires the account number on customers' payment cards – also known as the Primary Account Number (PAN) - to be unreadable when stored. The PAN, cardholder's name and expiration date can only be stored if there is a valid and regulatory needed. All the data you store must be encrypted, and other sensitive data such as PIN or CVV numbers must never be stored – even if they're encrypted.
Merchants who do not save any cardholder data are significantly less prone to suffering from data breaches that can be expensive, time-consuming, and detrimental to their reputation. Put simply, if you don't need to store the data, then don't.
- Develop policies, standards and procedures
To achieve successful ongoing PCI DSS compliance, you need to have the three key documents in place:
Policies to help your organisation navigate cybersecurity decision making and to ensure consistency and alignment with PCI DSS compliance requirements.
Standards which outline the necessary measures to maintain effective policies. Good management practices are supported by clear guidelines that serve as a reference for evaluating your company's compliance with the standards.
A set of management and personnel procedures to effectively enforce PCI DSS requirements. Each procedure should outline the necessary steps to carry out a specific task; for example, a documented procedure will help guide your team members through a security breach.
- Security awareness
Establishing a robust security awareness programme for your team members is also a must for organisations to meet PCI DSS regulations and protect against security threats. This could include implementing annual security training, fake phishing campaigns to ensure employees are vigilant and can spot scams, and setting up lunch and learn sessions to get your employees involved and understand the repercussions of disregarding security best practices. And it is equally important to ensure that employees are aware of the consequences of not adhering to security best practices.
Controls for compliance must be part of your BAU processes
PCI DSS is simply another security standard designed to protect businesses and their customers. If your organisation wants to improve its security, then compliance to the standard will come almost naturally if you incorporate best practice into your BAU processes. One of the common mistakes businesses make is treating PCI DSS standards – or any IT security compliance measures - as a project with a completion date that is no longer given any attention once the initial work has been completed. We often see this as the main cause of failed results during organisations’ second year audits.
The best approach to successful compliance is treating it as a programme, where the processes and controls that have been developed are embedded into your BAU processes. This ensures that security is consistently maintained to keep your organisation safe.