Complying with PCI DSS 3.1 Guidelines

The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect cardholder data from exposure and misuse. It mandates that merchants strongly secure credit card numbers and cardholder information, and that transactions carrying PCI data be encrypted. This international standard applies to ANY organization, regardless of size or number of transactions, that accepts, transmits, or stores cardholder data.

Payment Card Security

If your business deals with credit cards or mobile and online payments, you have to take steps to protect that information. Organizations that suffer a breach and have not taken steps to ensure compliance can be subject to stiff monetary penalties, and in some cases may even be prohibited from working with specific payment brands.

The penalties for not being PCI compliant can range from $5,000 to $500,000 per month, levied by banks and credit card institutions.

PCI DSS 3.1 went into effect on June 30, 2016. It lays out very detailed rules and guidelines about network configuration, segmentation, firewall protection, vulnerability testing and more, but there is still some confusion about how to fully implement it.

Does Your Security Policy Comply with PCI DSS Guidelines?

Here are the questions you should be asking:

  • Do you scan for vulnerabilities?
  • Do you review all code changes before production?
  • Have you implemented change control procedures?
  • Do you identify, prioritize, and address newly discovered and common security vulnerabilities?
  • Have you incorporated information security in your SDLC?
  • Do you maintain secure environments?
  • Do you train developers to code more secure apps?

What’s at Stake?

The widely publicized Target information breach left the debit and credit card information of 40 million customers exposed. The FBI recently reported the discovery of approximately twenty similar cases within the last year, which tells us something about the scope of the problem and the potential costs.

“On top of their direct losses, retailers get the public blame after a breach, paying a price with both their customers and the financial markets.” 

Auditor – Friend or Foe?

The biggest difference between PCI 3.0 and 3.1 is that the latter introduces stricter rules for auditing.

Here are some things you can do to prepare for your next PCI audit:

  • Never assume that you’re compliant; PCI DSS guidelines are an evolving standard
  • Understand your risks
  • Talk to your assessor during the year so there are few if any surprises
  • Get stakeholders engaged
  • Maintain an accurate network diagram
  • Keep all relevant documentation up-to-date
  • Maintain meaningful security metrics

And a few tips that will help keep you in compliance:

  • Conduct a pre-audit assessment to determine which of your systems must comply with the standard
  • Once the scope has been identified, assess the integrity of your systems with internal and external testing
  • Create a paper trail of your policies and procedures, hardware and software configurations and adjustments, backup strategies, and security scans and reports
  • Be proactive about security rather than just checking off all the boxes or waiting for the results of official audits

Always remember that PCI 3.1 is built around policies and procedures. To achieve compliance around PCI DSS guidelines, your company needs to have a detailed Information Security Policy and a complete set of policies to document secure practices across your environment.

10 PCI DSS mistakes you should avoid:

  1. Failing to vet your auditor
  2. Skipping the pre-audit assessment
  3. Starting without a pre-audit checklist
  4. Poor documentation
  5. Bad assumptions
  6. Data everywhere
  7. Ineffective data scoping and network segmentation
  8. Looking for product panaceas
  9. Trusting just any service provider
  10. Expecting to finish

To Sum Up

Be an active participant in the united, global response to payment card data compromise.

  • Keep your systems secure so that customers can trust you with their sensitive payment card information.
  • Remember that compliance doesn’t equal security. Just because you’ve checked all the PCI boxes doesn’t mean that a breach is impossible, so stay ever vigilant.
  • Security is a continuous process, and it should infuse everything that you do.

Still have questions? Want to learn more about complying with PCI DSS guidelines? Go to the PCI Security Standards Council website for more information.