Protecting Your Business and Customers: The Importance of PCI DSS Compliance and Risks

Introduction

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards introduced to ensure that all companies that process, store or transmit credit card information maintain a secure environment. The standard was created by the Payment Card Industry Security Standards Council (PCI SSC), a global organization that comprises the major credit card brands Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS provides guidelines and standards for organizations to protect their customers' payment card data, thereby reducing the risk of credit card fraud and data breaches.

What is PCI DSS Compliance?

PCI DSS Compliance is the process of meeting the PCI DSS requirements. Compliance is mandatory for all businesses that accept credit card payments, regardless of their size or volume of transactions.

The PCI DSS consists of twelve requirements that are divided into six control objectives:

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  7. Restrict access to cardholder data on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel.

What are the Risks Associated with PCI DSS Compliance?

Non-compliance with PCI DSS standards can lead to severe financial and legal consequences. Companies that fail to comply with PCI DSS may be subject to hefty fines, legal actions, and damage to their reputation.

Data Breaches

Data breaches can occur when companies fail to comply with the PCI DSS standards. Cybercriminals can exploit security vulnerabilities to gain access to sensitive payment card data, resulting in fraudulent transactions and identity theft.

Financial Penalties

Non-compliance with PCI DSS can lead to substantial financial penalties. Fines can range from $5,000 to $100,000 per month for non-compliance, depending on the volume of transactions and the severity of the breach.

Legal Actions

Legal actions can be taken against companies that fail to comply with PCI DSS standards. Customers whose data has been compromised may sue companies for damages resulting from fraud or identity theft. Additionally, government agencies may take legal action against companies for failing to comply with regulations.

Damage to Reputation

Non-compliance with PCI DSS standards can damage a company's reputation. The loss of customer trust and loyalty can have long-lasting effects on a company's brand image and financial performance.


Has there been any big breaches?

Yes, there have been several high-profile cases where a PCI DSS (Payment Card Industry Data Security Standard) breach has resulted in significant fines and credit card data loss. Here are a few examples:

  • Target: In 2013, Target suffered a data breach that resulted in the theft of over 40 million credit and debit card numbers. The company was found to be non-compliant with several PCI DSS requirements, and as a result, was fined $18.5 million by several state attorneys general.
  • Heartland Payment Systems: In 2009, Heartland Payment Systems suffered a data breach that compromised over 130 million credit and debit card numbers. The company was found to be non-compliant with several PCI DSS requirements, and as a result, was fined $5 million by Visa and Mastercard.
  • Home Depot: In 2014, Home Depot suffered a data breach that compromised over 56 million credit and debit card numbers. The company was found to be non-compliant with several PCI DSS requirements, and as a result, was fined $20 million by Visa and Mastercard.
  • Equifax: In 2017, Equifax suffered a data breach that compromised the personal information of over 147 million people, including credit card information for approximately 209,000 consumers. The company was found to be non-compliant with several PCI DSS requirements, and as a result, was fined $575 million by the Federal Trade Commission.

In each of these cases, the fines were substantial due to the scale of the breach and the fact that the companies were found to be non-compliant with several PCI DSS requirements.

It's important for organizations that handle payment card data to prioritize compliance with PCI DSS to avoid such breaches and potential fines.

How to Achieve PCI DSS Compliance

Businesses and service providers demonstrate that they meet PCI DSS requirements by auditing their cardholder data environment against the requirements of the PCI DSS standard.

Depending on the organisation's transaction volume (its merchant or service provider level), this is done through one or more of the following audit types:

  • A RoC (Report on Compliance) completed by a PCI QSA organisation or by an ISA (Internal Security Assessor). Template can be found here.
  • An SAQ (self-assessment questionnaire) signed by an officer of the organisation. There are nine types of SAQ designed to meet different types of merchant and service provider's requirements. These are listed below.
  • An external vulnerability scan conducted by an ASV (Approved Scanning Vendor).

The type of audit you must undergo and your exact PCI compliance requirements vary depending on your merchant or service provider level. This level is based on the number of card transactions processed yearly (see the merchant validation criteria below).

As a small business, do I require PCI DSS?

PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. Compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.

Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or the payment brand they do business with, as applicable.

What type of PCI DSS merchant validation is required?

The validation levels below are those set by Visa and Mastercard, the predominant payment card brands.

Level 1 Criteria

Merchants that process more than 6 million transactions per year, or those whose data has previously been compromised.

  1. RoC conducted by a QSA or ISA.
  2. Quarterly scan by an ASV.

Level 2 Criteria

Merchants that process 1 million to 6 million transactions per year.

  1. RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  2. Quarterly scan by an ASV.

Level 3 Criteria

Merchants that process 20,000 to 1 million transactions per year.

  1. SAQ signed by a company officer.
  2. Quarterly scan by an ASV (dependent on SAQ completed).

Level 4 Criteria

Merchants that process fewer than 20,000 transactions per year.

  1. SAQ signed by a company officer.
  2. Quarterly scan by an ASV (dependent on SAQ completed).

How much does PCI DSS compliance cost?

The overall cost of PCI compliance depends on your organisation's setup; the main factors are:

  • Your business type: Are you a Level 1 merchant, large franchise, service provider, or retail shop? Each will have varying amounts of cardholder data, environment structure, and risk levels, which means different requirements.
  • Your organisation size: Typically, the larger the organisation, the more potential compliance gaps it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments mean more cost.
  • Your organisation's security culture: If data security is one of upper management's top priorities, increasing security spending probably isn't a major internal struggle. In other cases, management is very hesitant to invest in data security because they don't understand their organisation's security liabilities.
  • Your organisation’s environment: The design of your network (LAN/WAN), networking technologies used, number and types of systems used, type of mobile devices, etc., can all affect PCI cost.
  • Your organisation’s dedicated PCI staff: Even with a dedicated team, organisations usually require outside assistance or consulting to help them better understand and meet PCI requirements.
  • Your acquirer pre-pays: Some acquiring banks consult with a PCI DSS vendor and pay for their small merchants' PCI compliance. However, this is quite rare.

For a small business, PCI DSS compliance should cost from $300 per year (depending on your environment).

  • Self-Assessment Questionnaire: $50 - $200
  • Vulnerability scanning: around $100 - $200 per IP address
  • Training and policy development: around $70 per employee
  • Remediation (software and hardware updates, etc.) varies widely based on how much work is needed to achieve compliance and security: anywhere from $100 to $10,000

If you're a medium/large enterprise and need a PCI DSS assessment, expect to pay $70,000+ in total costs (depending on your environment).

  • Onsite audit: around $40,000
  • Vulnerability scans: around $1,000
  • Penetration testing: around $15,000
  • Training and policy development: around $5,000
  • Remediation (software and hardware updates, etc.) varies considerably based on how much work is needed to achieve compliance and security: anywhere from $10,000 to $500,000

Conclusion

PCI DSS compliance is essential for any company that processes, stores, or transmits credit card data. Non-compliance can lead to significant financial and legal consequences and damage to a company's reputation.

Achieving and maintaining PCI DSS compliance requires a comprehensive approach that includes policies, procedures, technical controls, and ongoing monitoring and testing. By complying with the PCI DSS standards, companies can protect their customers' payment card data and reduce the risk of fraud.
