The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect cardholder data from exposure and misuse. It requires merchants to keep card numbers and cardholder information tightly secured and to encrypt transactions that carry cardholder data. The standard is international and applies to any organization, regardless of size or transaction volume, that accepts, transmits, or stores cardholder data.
If your business deals with credit cards or mobile and online payments, you have to take steps to protect that information. Organizations that suffer a breach and have not taken steps to ensure compliance can be subject to stiff monetary penalties, and in some cases may even be prohibited from working with specific payment brands.
Penalties for non-compliance, levied by banks and card institutions, can range from $5,000 to $500,000 per month.
PCI DSS 3.1 went into effect on June 30, 2016. It lays out detailed rules and guidelines on network configuration, segmentation, firewall protection, vulnerability testing and more, yet there is still confusion about how to implement it fully.
Does Your Security Policy Comply with PCI DSS Guidelines?
Here are the questions you should be asking:
- Do you scan for vulnerabilities?
- Do you review all code changes before they reach production?
- Have you implemented change control procedures?
- Do you identify, prioritize, and address newly discovered and common security vulnerabilities?
- Have you incorporated information security into your SDLC?
Once you have answered them, take the following steps:
1. Conduct a pre-audit assessment to determine which of your systems must comply with the standard.
2. Once the scope has been identified, assess the integrity of those systems with internal and external testing.
3. Create a paper trail of your policies and procedures, hardware and software configurations and adjustments, backup strategies, and security scans and reports.
4. Be proactive about security rather than just checking off boxes or waiting for the results of official audits.
Always remember that PCI DSS 3.1 is built around policies and procedures. To achieve compliance with the PCI DSS guidelines, your company needs a detailed Information Security Policy and a complete set of supporting policies that document secure practices across your environment.