It's a great morning, the sun is shining, you have an awesome career in information technology/security and life is good. You arrive at work to find a new project on your desk. Your business-minded company executive has decided that your company needs to become PCI compliant! Ominous background music plays as the clouds roll in and you ponder whether you need to make a career change.
You can spell PCI, and perhaps you even know what PCI stands for, but your knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) is very limited. Your spare time is even more limited and you’ve got to make this a successful project so that you can maintain your good standing as the subject matter expert in the company. So, what do you do?
Like any technology expert worth their salt, you head over to your extensive research library, also known as the Internet, and begin to research what PCI DSS is all about.
You find out that the PCI Security Standards Council (PCI SSC) maintains the PCI DSS. The PCI SSC is a governing body that was formed in 2006 by the major card brands (MasterCard, Visa, American Express, JCB and Discover) to help reduce payment card fraud. The standard has been updated several times since, and the current revision is PCI DSS version 3.1. You also find news that PCI DSS version 3.2 is about to be released at the end of April 2016.
In doing your research, you find out that any entity that stores, processes or transmits cardholder data must comply with the PCI DSS. Whether you are a mom-and-pop grocery store that handles a few thousand card transactions annually or a large corporation that conducts millions of card transactions annually, both must adhere to the PCI DSS!
You wonder what will happen if your company decides this is too much work and chooses not to adhere to the PCI DSS. You find out that your company could be fined by its acquiring bank or payment processor. If your company is then breached, it might be taken to court and hit with additional fines and penalties.
You dig deeper and find the PCI SSC website (http://pcisecuritystandards.org) where you find more information on the current version of the standard. You read through the standard and find that it is a series of security controls grouped into different areas. You see there are twelve requirements that must be assessed:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Your eyes begin to gloss over and you check the clock on your computer and realize that the day has gone by so quickly. You see there is much more research that needs to be done, but it will have to wait until tomorrow. You turn off your light, close your office door and head home for the day.
If the scenario described above is giving you a sense of deja vu, you’re not alone! Through our years of experience with payment service providers and merchants, this appears to be a common experience shared by many information technology and data security professionals prior to working with us. If you have any questions regarding PCI compliance or any other compliance or data security issues, please feel free to reach out to us at firstname.lastname@example.org for more information.
David Grow is the Manager of Compliance Services at CompliancePoint and has over 25 years of expertise in information security and technology. David advises U.S. and international clients on data protection, compliance, security frameworks, risk assessments, PCI DSS, ISO 27000 and process management. He has earned his Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium ((ISC)²), a PCI Qualified Security Assessor (PCI QSA) certification from the PCI Security Standards Council, is a certified PCI Professional (PCIP), and received a B.S. in Marketing from Excelsior College.