In Part 3 of our CYA* blog series we’re focusing on Payment Card Industry (PCI) compliance. PCI Data Security Standards (PCI DSS) were last updated in May 2018 (version 3.2.1) with version 4.0 planned to be released in late 2020. This article will be based on the requirements of version 3.2.1.
Unlike the regulations covered in the previous CYA posts (GDPR/CCPA, HIPAA/HITECH), PCI compliance isn’t the law, but it is an industry standard. The credit card companies (American Express, MasterCard, Visa, Discover, and JCB) had each been setting their own standards until they came together to create the PCI Security Standards Council in 2004. These standards apply “to all entities that store, process or transmit cardholder data and/or sensitive authentication data” [Quick Reference Guide] – and not just in the US. Brick and mortar stores, online retailers, or sole proprietors that take major credit cards (or debit cards with a credit option) from the brands on the PCI Security Standards Council must adhere to them.
For many small businesses, using a basic point of sale system that meets PCI compliance may be all they are doing – quick payments for a cup of coffee or a haircut. In simpler, smaller businesses there shouldn’t be a need to store credit card data. Merchant account providers may offer hosted payment pages or other options that encrypt the customer’s data while taking payments online or recurring billing systems.
Even the best laid security plans end up failing, though. Customer support representatives receive emails containing a customer’s credit card number that nobody asked for; event booking contracts require credit card details to be written in and sent unsecured via email, which then gets backed up to an internal drive; an employee types a credit card number into a blank Word document while taking a wholesale order over the phone; or a third-party vendor or piece of software stores cardholder data or primary account numbers (PAN) as plaintext.
Some of these fall on the shoulders of customers who are unaware of how to handle their own information securely, but others fall on employees who should be trained in PCI-compliant policies. Throwing away hastily scrawled order information without shredding it, or keeping PANs on index cards for recurring charges, can leave a business non-compliant and at risk of a breach. These sorts of issues happen to companies at every level (table below), from the smallest sole-proprietor yoga studio to the largest international corporation.
PCI Compliance Levels

| Level | Discover, MasterCard or Visa | American Express |
|---|---|---|
| 1 | 6 million or more annual transactions | 2.5 million or more annual transactions |
| 2 | 1 to 6 million annual transactions | 50,000 to 2.5 million annual transactions |
| 3 | 20,000 to 1 million annual transactions | Fewer than 50,000 annual transactions |
| 4 | All other merchants processing fewer than the above stated number of annual transactions | All other merchants processing fewer than the above stated number of annual transactions |
To meet the PCI DSS, 12 requirements must be met (table below). Most of them are basic security best practices – install a firewall (#1), don’t use default passwords (#2), test your security systems and processes regularly (#11), and keep an information security policy (#12). Some of those are built into the business’ network, point of sale system, online shopping cart, or credit card processing equipment but not all.
PCI Data Security Standards

| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Requirements 3, 4, 7, 8, 9, and 10, on the other hand, are about the storage and movement of credit card data, especially the offhand emails, Word documents, spreadsheets, print-outs, files, and databases that are unencrypted or not handled by another system. Not everyone in the business needs access to all of that information (#7). Brute-force attacks, phishing schemes, and unsecured online storage are further contributing factors to being non-compliant and more likely to be breached.
But for many less technical business owners, understanding what they must do to be compliant can be overwhelming. There are Qualified Security Assessors around the world [QSA List] who can help get your business compliant, and there are Self-Assessment Questionnaires (SAQs) for the various business types. As the PCI DSS Quick Reference Guide states:
“There are three ongoing steps for adhering to the PCI DSS:
Assess — identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
Repair — fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
Report — documenting assessment and remediation details and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).” – [Source]
Just like meeting CCPA, GDPR, or HIPAA/HITECH regulations, PCI compliance is an ongoing battle as technology changes and breaches become more complex.
Unlike CCPA, GDPR, or HIPAA/HITECH penalties, PCI non-compliance and breach penalties aren’t standardized. From small monthly fees charged by the merchant account provider to tens of thousands of dollars from the credit card companies themselves, the penalties can hit a business of any size. On top of that, local breach laws then come into play, such as the CCPA’s and GDPR’s penalties.
We here at Active Cypher aren’t PCI DSS specialists, but we do know encryption (#3, #4, #6, #7, #8). Active Cypher’s proprietary encryption algorithm works with over 200 file types to encrypt each one individually. We use Active Directory’s built-in Security Groups to manage what gets encrypted and who can see it. Within the business itself you can keep files on a need-to-know basis (#7). It doesn’t matter if it’s a busy employee who saves a customer’s card information in a .txt file on their laptop or an old database spreadsheet from 2013 on an archived server – Active Cypher’s products can encrypt it all, keeping your customers and their credit card data safe and CYA.
*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.