In November 2018, the Marriott hotel group announced that it had fallen victim to a massive hack. While the full scale of the data breach is still being calculated, what we do know is that as many as 500 million customers had their names, personal information, contact information, passport numbers, and other account information stolen, including some credit card numbers.
Situations such as these are why compliance standards like the Payment Card Industry (PCI) Data Security Standard (DSS) exist: to develop a set of information security controls, requirements, and policies that must be in place for your organization to use any of the five major payment brands that handle customer transactions. While they do not make your organization immune, enacting these standards can help mitigate damage to you and your customers and reduce instances of fraud.
Although the PCI DSS is in its 3.2.1 release as of May 2018, since 2004, these six practices have remained the same and have been implemented and followed around the world. In sum, the PCI DSS offers common-sense requirements and steps merchants can implement to help reduce the risk they and their customers face when using one of five different payment card companies—Visa, Mastercard, American Express, Discover, and JCB. The PCI Security Standards Council summarizes its standards as follows:
Goals |
Requirements |
Build and Maintain a Secure Network |
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
Protect Cardholder Data |
3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
Maintain a Vulnerability Management Program |
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
Implement Strong Access Control Measures |
7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
Regularly Monitor and Test Networks |
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
Maintain an Information Security Policy |
12. Maintain a policy that addresses information security for all personnel |
Obtaining PCI DSS compliance is not an end state, but an ongoing process that can be integrated into existing operating practices. The PCI Security Standards Council recommends that merchants continuously assess, remediate, and report, which encourages taking regular inventories of cardholder data and processes, fixing vulnerabilities, and reporting required validation records to the card brands you utilize.
When required by the individual credit card companies, merchants will also have to follow the PCI DSS steps to independently validate their compliance. These steps, as governed by the PCI Security Standards Council, include:
Scoping: determining which payment systems and processes are governed by the PCI DSS
Assessing: utilizing a PCI DSS certified auditor to examine compliance of the items in scope
Validating: assessing, through the independent auditor, the fidelity of the mitigations implemented
Reporting: submitting required assessor and entity documentation
Clarifying: updating report statements, as needed, upon request of the payment card brand
Penalties for not being PCI compliant can range in severity depending on the size of the organization, the track record of the merchant, and the type of deficiency. In addition to losing their ability to process payment cards from the five credit card firms permanently or temporarily, noncompliant companies can be hit with fines ranging from $5,000 to $100,000 per month per violation. However, fines are usually reserved for merchants who repeatedly have deficiencies identified.
The effects of the PCI DSS are going to be different for each organization, but obtaining and maintaining compliance doesn’t have to be an independent activity. One of the best ways to navigate PCI compliance is to select an experienced and trusted adviser who can help recommend the technology, policy, and process changes your organization needs to put in place.
Additionally, many organizations choose to have a managed services vendor store and process their cardholder data in PCI-compliant data centers, greatly reducing staff effort and mitigating some of the traditional hardware and network challenges that come with the PCI standards.
If you are looking for the right partner, Burroughs offers not only a PCI-compliant data center but also a team of skilled and experienced staff that is able to guide your organization through its compliance journey. Learn more about Burroughs’ PCI services here.