Why merchants and vendors should abide by the Payment Card Industry Data Security Standard—and how to do so easily
Since the onset of the COVID-19 pandemic, cybercrime has been on the rise. Compared to 2019, phishing and ransomware attacks increased by 11% and 6% respectively in 2020, according to a recent report from Verizon. It’s no coincidence that these virtual methods of fraud are gaining popularity. With more people working and shopping from home, and businesses increasingly relying on cloud computing, fraudsters have shifted their focus to stealing data online.
Merchants and vendors have reason for concern—but there’s no need to panic. The Payment Card Industry Data Security Standard (PCI DSS) offers a template for businesses to protect themselves against threats both on- and offline. Created in 2006 after a data breach at TJ Maxx that affected millions of consumers, the PCI DSS is a 12-step process that merchants and vendors can follow to maintain a secure card-processing environment. Businesses that follow the guidelines laid out in the PCI DSS are far less likely to face the devastating effects of a data breach.
The cost of a data breach
Cybercriminals use a number of methods to steal card information from merchants and vendors. Phishing attacks use fraudulent emails that pose as legitimate messages from a trusted entity, such as a corporation or government, to trick employees into giving up sensitive information. “Man in the middle” attacks occur when cybercriminals break into a private network and eavesdrop on communications that the parties believe to be private. Sometimes, criminals simply guess passwords correctly (highlighting the importance of avoiding obvious passwords).
Whatever methods they use, the consequences can be disastrous. The average cost per business of a data compromise in the U.S. is $200,000. Typically, the merchant is responsible for the cost of forensic investigations into the breach, as well as covering any fraudulent purchases and the cost of reissuing new cards. The merchant may also be subject to fines and be denied card acceptance by card associations—a substantial hindrance to their ability to do business going forward.
And that’s not all. Businesses that have been breached may face higher subsequent costs of compliance to industry standards. Plus, a data breach can hurt their reputation and lead to a significant loss of customers. Many organizations, particularly smaller ones, lack the resources to fully recover from a data breach.
The PCI DSS guidelines
The PCI DSS provides a pathway for merchants and vendors to protect themselves against these damaging effects. The guidelines apply to any systems that store, process or transmit cardholder data, as well as to systems that provide security services or that may impact the security of the cardholder data environment. Individual banks or payment brands enforce compliance, not the PCI Security Standards Council itself.
The PCI DSS lists 12 requirements, falling into six categories:
1. Build and maintain a secure network
• Use and maintain firewalls. Firewalls are systems designed to prevent unknown entities from accessing private data. This is your first line of defense against data breaches.
• Implement proper password protections. Avoid obvious passwords, and change passwords often.
2. Protect cardholder data
• Encrypt card data. Regularly scan primary account numbers to make sure no unencrypted card data exists.
• Encrypt transmitted cardholder data. Whenever cardholder data is transmitted across channels, it must be encrypted to protect cardholder privacy.
3. Maintain a vulnerability management program
• Install anti-virus software. Anti-virus software is required for all devices that interact with or store card data.
• Regularly update anti-virus software. Software updates address vulnerabilities in existing products, often responding directly to specific attacks.
4. Implement strong access control measures
• Restrict data access. Cardholder data should be strictly limited to those employees and third parties who need to access it to process card information.
• Require unique IDs for access. Unique logins and passwords should be supplied to individuals who need access to cardholder data.
5. Regularly monitor and test networks
• Track and monitor all access to networks and cardholder data. An inventory of equipment, software and employees with access to card data is necessary to comply with the PCI DSS. Also, keep a log of when that data is accessed, and by whom.
• Deploy regular vulnerability scans and penetration tests. A vulnerability scan is an automated test that searches for potential vulnerabilities. A penetration test is a more focused and hands-on examination.
6. Maintain an information security policy
• Create a written information security policy. A written policy keeps all employees on the same page and stresses the importance of data protection.
• Update the policy as needed. Your policy will evolve as your business evolves and new threats emerge.
An ongoing process of data protection
Following the PCI DSS is not a one-time action. Instead, it’s a continuous process of:
• analyzing card processing systems for vulnerabilities
• addressing any vulnerabilities you find and eliminating any cardholder data that isn’t absolutely necessary
• compiling and submitting required reports to the appropriate banks and card brands.
This process may seem intimidating or overly time-consuming, but the potential consequences of a data breach make it worth it for companies of all sizes. Clarien makes it easier for clients by providing a complimentary, user-friendly risk assessment tool. Our portal provides clients with guidance to protect sensitive customer information and card details. Value-added services include an annual risk assessment questionnaire and monthly vulnerability scans for integrated software, hardware and eCommerce payment environments.
Following the PCI DSS should be a routine part of operations for all merchants and vendors dealing with sensitive cardholder data. It’s good for consumers, and it’s good for your business.