The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect cardholder data from exposure and misuse. It requires merchants to secure credit card numbers and cardholder information and to encrypt transactions that contain PCI data. This international standard applies to ANY organization, regardless of size or number of transactions, that accepts, transmits, or stores cardholder data.
If your business deals with credit cards or mobile and online payments, you have to take steps to protect that information. Organizations that suffer a breach and have not taken steps to ensure compliance can be subject to stiff monetary penalties, and in some cases may even be prohibited from working with specific payment brands.
Penalties for failing to be PCI compliant, levied by banks and credit card institutions, can range from $5,000 to $500,000 per month.
PCI DSS 3.1 went into effect on June 30, 2016. It lays out very detailed rules and guidelines about network configuration, segmentation, firewall protection, vulnerability testing and more, but there is still some confusion about how to fully implement it.
Here are the questions you should be asking:
The widely publicized Target information breach left the debit and credit card information of 40 million customers exposed. The FBI recently reported the discovery of approximately twenty similar cases within the last year, which tells us something about the scope of the problem and the potential costs.
“On top of their direct losses, retailers get the public blame after a breach, paying a price with both their customers and the financial markets.”
The biggest difference between PCI 3.0 and 3.1 is that the latter introduces stricter rules for auditing.
Here are some things you can do to prepare for your next PCI audit:
And a few tips that will help keep you in compliance:
Always remember that PCI 3.1 is built around policies and procedures. To achieve compliance with PCI DSS guidelines, your company needs to have a detailed Information Security Policy and a complete set of policies that document secure practices across your environment.
10 PCI DSS mistakes you should avoid:
Be an active participant in the united, global response to fighting payment card data compromise.
Still have questions? Want to learn more about complying with PCI DSS guidelines? Go to the PCI Security Standards Council website for more information.