PCI Compliance Explained – 2019

PCI Compliance

What Does PCI Compliance Mean?

PCI stands for Payment Card Industry. The standard people usually mean when they talk about PCI compliance is the Payment Card Industry Data Security Standard (PCI DSS), an information security standard maintained by the PCI Security Standards Council, a body founded by the major card brands.

The Payment Card Industry Data Security Standard is a set of technical and operational requirements intended to protect cardholder data wherever it is stored, processed or transmitted, and so to reduce fraud in transactions made with a credit, debit or prepaid card.

Full List of PCI DSS Objectives

PCI compliance is driven by six control objectives, which between them group the 12 PCI DSS requirements. If you want to know how to become PCI compliant, read these before doing anything else.

TO BUILD AND MAINTAIN A SECURE NETWORK

The first PCI DSS objective means that to achieve PCI compliance a company needs a secure network that is continuously maintained. It covers the network perimeter and the configuration of every system in the cardholder data environment (CDE), the part of the estate that stores, processes or transmits cardholder data.

Firewalls – Firewalls must be effective without unduly disrupting staff, vendors or cardholders. The requirement covers a documented configuration standard, a business justification for every open port and service, denying all traffic that is not explicitly needed, and regular review of the rule set. Wireless networks are treated as untrusted: a firewall must sit between any wireless network and the cardholder data environment, because wireless LANs are a common route in for attackers.

Vendor Defaults – Configuration standards for each system type, changing every vendor-supplied default (passwords, SNMP community strings, default accounts), disabling unnecessary services and protocols, and encrypting all non-console administrative access.

Authentication – Passwords, PINs and other credentials must never be the defaults shipped by a vendor. Defaults must be changed before a system is connected to the network, and default accounts that are not needed must be removed or disabled.

PROTECT CARDHOLDER DATA

The second objective of PCI DSS compliance dictates that cardholder data must be protected wherever it is stored. Cardholder data here means the primary account number (PAN) and, when stored alongside it, the cardholder name, expiry date and service code. The PAN must be rendered unreadable wherever it is stored (by truncation, one-way hashing, tokenization or strong encryption with properly managed keys) and masked when it is displayed. Sensitive authentication data (full magnetic-stripe or chip data, the card verification code and the PIN) must never be stored after authorization, even in encrypted form. If cardholder data is sent across open, public networks it must be protected with strong cryptography. Storage of cardholder data is to be kept to the minimum the business actually needs, with a documented retention policy and secure deletion of anything that is no longer required. Other personal data a merchant holds, such as telephone numbers, dates of birth or postal addresses, is covered by privacy law rather than by PCI DSS.

Maintain a Vulnerability Management Program

The third PCI compliance objective covers anti-malware software and secure development. When people ask for PCI compliant software, this is where most of the security requirements come from: anti-virus software must be deployed on all systems commonly affected by malware and kept current, and applications must be developed securely and protected against known vulnerabilities that could lead to exploitation of the system or its data.

Security patches from operating-system and software vendors must be installed, with critical patches applied within a month of release, for systems to remain PCI DSS compliant at all times. Public-facing web applications must additionally be protected by regular application security assessment or by a web application firewall.

Implementation of Robust Access-Control Measures

This PCI compliance objective covers what is often termed 'need to know' access to cardholder data. Access to systems and cardholder data must be restricted to the individuals whose job requires it, and that access must be controllable and traceable: each user gets a unique ID, multi-factor authentication is required for all non-console administrative access and for all remote access into the cardholder data environment, passwords are stored unreadable using strong cryptography, access requests are documented and approved, and physical access to systems and media holding cardholder data is restricted. Essentially, all cardholder information needs to be both electronically and physically protected at all times.

Regular Monitoring and Testing of Networks

This objective of PCI compliance entails logging and monitoring all access to cardholder data and network resources, and regularly testing the security controls that protect the cardholder data environment. It includes audit-log requirements (who did what, when, from where, and with what outcome), centralized logging with logs protected from tampering and retained for at least a year, daily log review, quarterly internal and external vulnerability scans (the external scans performed by an Approved Scanning Vendor), rescans after any significant change, annual internal and external penetration testing, quarterly detection of rogue wireless access points, and file-integrity monitoring or change detection on critical system files. Anti-virus and anti-malware installations must also keep current signatures and definitions and perform both periodic and real-time (on-access) scans; strictly this belongs under the vulnerability management objective, but it is checked as part of ongoing monitoring.
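A concrete check that ties the "protect cardholder data" objective above to the log review this objective requires: a scan of application logs for primary account numbers that should have been masked before they were written, and for field names that carry sensitive authentication data. This is an added example written for this page, not code from the original article or from any PCI SSC tool. The log lines are constructed for illustration (they use the well-known Visa, Mastercard and American Express test card numbers), the PAN candidate pattern and the field-name list are the author's assumptions about what typically leaks, and the mask format (first six and last four digits visible) follows PCI DSS Requirement 3.3.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not adjacent to other digits (so timestamps and longer IDs
# are not split into false matches). Assumption: this is how PANs leak
# into free-text logs; tune the separators for your own log format.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Field names that hold sensitive authentication data, which must never be
# stored after authorization (Requirement 3.2). Assumed list, extend as needed.
SAD_FIELD = re.compile(r'\b(?:cvv2?|cvc2?|cav2|cid)\b', re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (separators stripped) found in a line of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits only (Req. 3.3)."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan log lines; return (line number, line, issues) for each offending line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        issues = [f'unmasked PAN {mask_pan(p)}' for p in find_pans(line)]
        if SAD_FIELD.search(line):
            issues.append('sensitive authentication data field name present')
        if issues:
            findings.append((n, line, issues))
    return findings


# Constructed sample log (not real traffic); the card numbers are public test numbers.
SAMPLE_LOG = [
    '2019-06-12T10:15:23Z INFO order=8831 amount=42.00 pan=411111******1111 status=approved',
    '2019-06-12T10:15:24Z DEBUG raw request: {"pan": "4111111111111111", "cvv": "123"}',
    '2019-06-12T10:15:25Z DEBUG card 5555 5555 5555 4444 tokenised as tok_7f3a',
    '2019-06-12T10:15:26Z INFO shipment tracking 1234567890123456 dispatched',
    '2019-06-12T10:15:27Z DEBUG amex 378282246310005 exp 12/23',
]

if __name__ == '__main__':
    for n, line, issues in scan_log(SAMPLE_LOG):
        print(f'line {n}: {"; ".join(issues)}')
        print(f'    {line}')
```

Run against the constructed sample, the first line passes (the PAN was masked before logging), line 4 passes because the 16-digit tracking number fails the Luhn check, and lines 2, 3 and 5 are flagged; line 2 is flagged twice because it also logs a CVV. In production the same scan belongs in the daily log review, and a hit should be treated as a data-retention incident, not just a logging bug, because the log store is now in scope.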

Effectively Maintain an Information Security Policy

This final objective of PCI compliance means that a formal information security policy should be defined, published, maintained and adhered to at all times by everyone who handles cardholder data. Such a policy should cover acceptable use of technologies, assignment of security roles and responsibilities, security awareness training, screening of personnel, management of service providers, and an incident response plan that is tested at least annually. There also need to be enforcement measures, such as consequences for non-compliance and regular independent assessment.

For each of these six objectives there are no exceptions: every applicable requirement must be addressed in full in order to achieve and keep PCI DSS compliant status. Where a requirement cannot be met exactly as written, a documented compensating control that meets its intent is the only alternative.

WHO NEEDS TO BE PCI COMPLIANT?

PCI DSS applies to any merchant or service provider that stores, processes or transmits cardholder data, or that can affect the security of that data. Simply put, if you accept card payments, you need to comply with PCI DSS, although the validation effort (a self-assessment questionnaire or a full on-site assessment) depends on your transaction volume and on how you take payments.


Why Do You Need to Be PCI Compliant?

PCI DSS relates solely to the security of cardholder data from credit and debit card payments. You need to be PCI compliant to ensure your organization handles and stores that data in line with the PCI DSS requirements, and because your merchant agreement with your acquiring bank requires it.

PCI compliance is generally a contractual obligation under your merchant agreement rather than a statutory one. Fines for non-compliance and for breaches are levied by the card brands, such as Visa and Mastercard, on the acquiring bank. If you do not comply and data is compromised, your acquiring bank will usually pass those fines on to your business, may charge you for the forensic investigation and card reissuance that follow, and can terminate your merchant account.


The Benefits of Being PCI DSS Compliant

When asking if your business needs to be PCI compliant, the first thing you should consider is the financial risk of not doing so.

Aside from the above-mentioned monetary implications, there are other reasons for a business to become PCI compliant.

Primarily, it can give assurances about your business to financial institutions and indicate that you take the protection of cardholder information seriously.

Additionally, any loss in trust following a violation could severely impact your business reputation, and cause damage on a multitude of layers with potentially devastating effects on your company.

By implementing PCI compliance standards within your business, you show your customers and potential customers that you offer a secure and responsible service that puts their needs first.

The Benefits of Outsourcing PCI DSS Compliance

There are many reasons a merchant or service provider would consider outsourcing their hosting to a third-party provider. By selecting a hosting provider that has been assessed against PCI DSS, can show a current Attestation of Compliance and has a wealth of PCI DSS security know-how, an organization benefits from that expertise. Outsourcing hosting reduces the scope of your own assessment but never removes it: PCI DSS requires you to keep a list of your service providers, hold a written agreement in which each acknowledges its responsibility for the cardholder data it handles, and document which requirements each party covers. Aside from this, other benefits of outsourced PCI hosting include:

SECURITY

A hosting provider that is PCI compliant will deliver a security offering built on established security vendors and tools. These help you safeguard cardholder data, and experienced, trusted professionals maintain and monitor the servers. Bear in mind that the provider's compliance covers only the controls it operates; what you deploy on top of that platform, and how you handle cardholder data within it, remains your responsibility.

COST SAVINGS

Most organizations have cost-saving targets to achieve. If you outsource the hosting of your PCI DSS environment, this reduces the need to invest in new equipment or software to meet the strict PCI compliance standards. What's more, you need fewer in-house IT staff to run the infrastructure controls, providing further savings, although someone in your business must still own the requirements the provider does not cover.

FLEXIBILITY

When you outsource to a hosting provider, you typically benefit from mature virtualization platforms. The tangible benefit is scalability for your business and the ability to deploy a PCI DSS-scoped environment quickly. Confirm how the provider segments your environment from other tenants, because shared infrastructure is in scope for the provider's own assessment.

AVAILABILITY

High-availability solutions improve your organization's uptime and protect the availability of key cardholder data. A single point of failure becomes far less likely, and you benefit from a larger pool of IT equipment and support for your PCI DSS compliance needs.

The Risks of Outsourced PCI DSS

The foremost risk with outsourcing any IT infrastructure is that the hosting provider is not in fact fully PCI DSS compliant, or that its compliance does not cover the services you are buying. The most reliable way to verify its suitability is an independent assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC) and summarised in an Attestation of Compliance (AOC).

A ROC records the provider's level of PCI DSS compliance against each of the six objectives and their underlying requirements. The full report is usually confidential, but the AOC, which states what was assessed, by whom and when, should be readily available for you to review, and you should confirm that the services you are contracting for are listed in its scope. Unless you obtain actual evidence that your hosting provider has proven PCI DSS compliance, your business remains responsible for the requirements you assumed the provider was meeting, and liable for any compromise of cardholder data.

Essentially, it is a significant decision, and if a breach occurs it is your reputation and potentially your merchant banking relationship that will be at risk. As a final point, it is always worth the expense of visiting a PCI data centre before any agreement is formed and signed. If you are concerned about the cost of such a visit, consider the cost of a breach instead: in almost all cases the cost of a breach will far outweigh the initial expense of a visit in person.

Additional Reading:

What Are the Differences Between PCI Certified, PCI Ready, and PCI Compliant?

While each of the above terms sounds very similar, they mean quite different things. You need to understand what each term means so that you choose the right PCI DSS hosting provider should you decide to outsource your hosting.

PCI Compliant and PCI Ready

In many cases, data centres that describe themselves as 'PCI ready' or offer 'PCI compliant hosting' have not themselves been assessed against PCI DSS. Note also that the PCI Security Standards Council does not 'certify' organisations; what a provider can legitimately show is that a QSA assessed it and that it completed an Attestation of Compliance. A provider that has been assessed will say so clearly and show you the AOC and its date.

An independent PCI report follows a QSA assessment and documents the data centre's suitability for safeguarding cardholder data, including which services and locations were in scope.

Make sure you ask key questions about the ongoing annual assessments and quarterly vulnerability scans, the procedures behind them, and the parties that carry them out. At this point you want to feel confident that it is not just a 'tick-in-the-box' exercise and that the provider takes the assessment and its PCI obligations seriously.