The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect cardholder data from exposure and misuse. It mandates that merchants secure credit card numbers and cardholder information and that transactions carrying PCI data be encrypted. This international standard applies to ANY organization, regardless of size or transaction volume, that accepts, transmits, or stores cardholder data.
If your business deals with credit cards or mobile and online payments, you have to take steps to protect that information. Organizations that suffer a breach and have not taken steps to ensure compliance can be subject to stiff monetary penalties, and in some cases may even be prohibited from working with specific payment brands.
Penalties for non-compliance, levied by banks and credit card institutions, can range from $5,000 to $500,000 per month.
PCI DSS 3.1 went into effect on June 30, 2016. It lays out very detailed rules and guidelines about network configuration, segmentation, firewall protection, vulnerability testing and more, but there is still some confusion about how to fully implement it.
Does Your Security Policy Comply with PCI DSS Guidelines?
Here are the questions you should be asking:
Do you scan for vulnerabilities?
Do you review all code changes before production?
Have you implemented change control procedures?
Do you identify, prioritize, and address newly discovered and common security vulnerabilities?
Have you incorporated information security in your SDLC?
“On top of their direct losses, retailers get the public blame after a breach, paying a price with both their customers and the financial markets.”
Auditor – Friend or Foe?
The biggest difference between PCI 3.0 and 3.1 is that the latter introduces stricter rules for auditing.
Here are some things you can do to prepare for your next PCI audit:
Never assume that you’re compliant; PCI DSS guidelines are an evolving standard
Understand your risks
Talk to your assessor during the year so there are few, if any, surprises
Get stakeholders engaged
Maintain an accurate network diagram
Keep all relevant documentation up to date
Maintain meaningful security metrics
And a few tips that will help keep you in compliance:
Conduct a pre-audit assessment to determine which of your systems must comply with the standard
Once the scope has been identified, assess the integrity of your systems with internal and external testing
Create a paper trail of your policies and procedures, hardware and software configurations and adjustments, backup strategies, and security scans and reports
Be proactive about security rather than just checking off all the boxes or waiting for the results of official audits
Always remember that PCI 3.1 is built around policies and procedures. To achieve compliance with PCI DSS guidelines, your company needs a detailed Information Security Policy and a complete set of policies that document secure practices across your environment.