PCI Compliance – What You Need To Know

PCI DSS 1.0, the first common set of data security standards for organizations that handle payment card data, was released in December 2004 by the major card brands. In 2006 Discover Financial Services, Mastercard, Visa, American Express, and JCB International formed the PCI Security Standards Council to own and maintain the standard as card fraud and data breaches became more and more of a concern.

PCI DSS has continued to evolve. The version current when this article was written is PCI DSS 3.2.1 (the Council published version 4.0 in March 2022, and 3.2.1 was retired in March 2024). The 3.x revisions were built around 3 pillars. The 1st is increased education and awareness, the 2nd is greater flexibility, recognizing that there are multiple ways to manage security, and the 3rd is security as a shared responsibility.

Let’s take a look at each of these areas more closely.  

Increased Education and Awareness 

According to a December 2020 Security Magazine article, roughly 36 billion records were exposed by data breaches in the first 3 quarters of 2020, across more than 2,900 breach events. These breaches included companies we all know well such as Microsoft, Facebook, Instagram, TikTok and YouTube, as well as some you may not be so familiar with but which affect your personal data security every day, such as BlueKai, a large web traffic tracking firm, and other behind-the-scenes service providers engaged in data harvesting. To put it plainly, your data and your customers' data are at risk every day. So, what can be done about this?

By focusing on employee education, we can help to mitigate some of the most common causes of data security incidents. Employees should be trained on the risks and best practices around password management, phishing scams, and the sharing of company and personal data online. 

Strong passwords should be required. PCI DSS 3.2.1 sets the floor in requirement 8.2.3: at least seven characters containing both letters and numbers, or an alternative policy of at least equivalent strength. In practice, require longer passwords that mix letters, numbers, and special characters. Passwords should not contain common words, the names of pets or family members, or birthdays, and vendor or service default passwords must always be replaced before a system goes live (requirement 2.1). Passwords must be changed at least every 90 days (8.2.4), and a new password may not match any of the user's last four (8.2.5). That last rule still allows "Summer2020" to become "Summer2021", so training should also discourage building a new password out of the old one.
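The checks above can be enforced mechanically whenever a password is set or changed. The following is an added example, not code from ProClass or from the PCI Security Standards Council, of a password policy checker that applies the PCI DSS 3.2.1 parameters from requirements 8.2.3 to 8.2.5, keeps password history as salted PBKDF2 hashes so old passwords are never stored in the clear, and screens candidates against a small constructed denylist of vendor defaults and against personal details the user supplied at enrolment. The denylist contents, the PBKDF2 iteration count, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Parameters taken from PCI DSS 3.2.1 requirements 8.2.3 - 8.2.5.
MIN_LENGTH = 7        # 8.2.3: at least seven characters, alphabetic and numeric
HISTORY_DEPTH = 4     # 8.2.5: a new password may not match any of the last four
MAX_AGE_DAYS = 90     # 8.2.4: change at least every 90 days

# Constructed denylist of vendor defaults and overused words for this example;
# a real deployment would load a much larger breached-password list.
DENYLIST = {"password", "passw0rd", "admin", "welcome", "changeme",
            "123456", "qwerty", "letmein", "default"}

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune upward in production


def hash_password(password: str) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iter$salt$hash' (hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password(candidate: str, personal_tokens=(), history=()) -> list:
    """Return the list of policy violations for a proposed password (empty list = accepted).

    personal_tokens: names, pet names, birth years etc. the user supplied at enrolment
    history: stored hash records of the user's previous passwords, newest first
    """
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        violations.append("needs_letters_and_digits")
    if any(word in lowered for word in DENYLIST):
        violations.append("common_or_default")
    if any(len(tok) >= 3 and tok.lower() in lowered for tok in personal_tokens):
        violations.append("contains_personal_info")
    # Only the last four records count (8.2.5); each record carries its own salt,
    # so the candidate is re-derived against every one of them.
    if any(verify_password(candidate, rec) for rec in history[:HISTORY_DEPTH]):
        violations.append("reused")
    return violations


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """8.2.4: true once the password is older than MAX_AGE_DAYS (dates as ISO strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    history = [hash_password("Summer2020x")]
    enrolment = ("Fluffy", "1984")
    print(check_password("Summer2020x", enrolment, history))   # ['reused']
    print(check_password("Fluffy1984", enrolment, history))    # ['contains_personal_info']
    print(check_password("xK9#mq2Lp7", enrolment, history))    # []
    print(password_expired("2021-01-01", "2021-04-02"))        # True
```

The history check is the expensive part: each stored record has its own salt, so the candidate is hashed once per record. Keeping only four records (the 8.2.5 minimum) bounds that cost and also limits what an attacker learns if the history table is stolen.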

Email security training should be conducted so that employees understand what phishing is, the risk of clicking links in unsolicited email, and how to recognize counterfeit messages. Often these phishing emails claim that an attached invoice or other important document needs to be downloaded, appear to come from your bank requesting verification or additional information about recent activity, or warn that a security breach has already occurred and that you must click their link to protect yourself. The Federal Trade Commission provides additional information on identifying and handling phishing scams on its website: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Employees should understand how to protect customer card data and personal information when it is provided over the phone or in person, and written policies should be in place so that everyone knows what is expected and the safest way to conduct daily tasks involving sensitive data (for example, never writing a full card number on paper or typing it into email or chat).

Greater Flexibility

The 3.x versions of the standard provide more flexibility, recognizing that there is more than one way to manage security.

Several requirements now state an objective and a baseline rather than a single mandated technique. Requirement 8.2.3, for example, specifies a minimum password length and composition but allows an alternative policy of equivalent or greater strength, so organizations can implement the password standards that fit their specific security strategy, and more generally can choose the security approach that best fits their particular business or non-profit.

It is important to recognize that, although this greater flexibility does exist, there are several common myths about PCI compliance that should be dispelled.

One vendor and product will make you compliant.

While there are many services and products available, none of them will singularly make you fully PCI compliant. PCI compliance is more than software and technology. It is the way in which you handle sensitive information, physical security at your business location, network design and I.T. practices, and the employee policies developed to monitor and enforce those practices.

Outsourcing Card processing makes us compliant 

This may simplify your processes and remove a great deal of risk. Fully outsourcing does shrink the scope of your assessment (a merchant whose payment functions are entirely outsourced to validated providers may qualify for the short SAQ A questionnaire), but you are still responsible for security around refunds, chargebacks and other back-office tasks in which you may access or handle cardholder data, and you must still complete and attest to the applicable questionnaire each year.

PCI Compliance is an I.T. Project

PCI compliance is about much more than technology. It spans your human resources policies, physical building security, document management (both paper and digital), and your technology infrastructure. Your PCI management team should include individuals from I.T., but also from your finance group, operations, and even marketing and sales.

PCI will make us secure 

PCI compliance is a picture of your policies and practices at a specific point in time. Even a single change to your internal practices, network security, firewalls, or passwords could leave you vulnerable. PCI compliance and data security are an ongoing, living program that needs to be addressed continually in your daily operations.

PCI requires you to hire a Qualified Security Assessor

While a QSA can bring additional knowledge and expertise to your PCI compliance efforts, most schools and organizations using ProClass qualify to self-assess, completing a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance signed by an officer, provided your merchant (acquiring) bank agrees. There are several levels of PCI compliance, based on annual transaction volume:

  • Level 1: Merchants that process over 6 million card transactions annually, through any channel. 
  • Level 2: Merchants that process 1 to 6 million transactions annually. 
  • Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually. 
  • Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions in total. 

Level 1 merchants must undergo an annual on-site assessment and produce a Report on Compliance. Organizations in levels 2 through 4 usually qualify to self-assess, although the thresholds above are Visa's and the other card brands define their levels slightly differently, so check with your acquirer and your own PCI compliance team to determine the specific requirements for your organization.

There are several organizations that can help to streamline your PCI DSS self-assessment process. Here are links to a few: 

https://www.controlscan.com/

https://www.securetrust.com/

https://www.securitymetrics.com/

We don’t take enough cards to need to worry about compliance.  

If you process even a single card transaction a year, you need to be PCI compliant. PCI compliance starts before the first charge takes place.

Security as a Shared Responsibility 

Data security is a shared responsibility between you and your service providers. It has been reported that up to 63% of breach investigations identifying a security deficiency involved a third party responsible for systems support, development, or maintenance. At ProClass we take our role in your security seriously and work to always maintain the highest security standards. But this is only as good as the internal policies you employ when using applications such as QuickBooks, ProClass, or other applications involved in processing payments or receiving donations for your organization.

Using an outsourced or third-party model is almost an inevitability these days, so it is critical that your third-party service providers understand the gravity of your data security needs and are there to support you, both with their solutions and with the myriad processes that surround them. PCI DSS 3.2.1 makes this explicit in requirement 12.8: keep a list of the service providers that can access cardholder data, hold a written agreement in which each acknowledges its responsibility for the security of that data, monitor their compliance status at least annually, and document which requirements each provider manages and which remain yours.

For additional guidance on outsourcing PCI DSS responsibilities and the responsibilities of your service providers visit www.PCISSC.org  

The 12 PCI DSS Requirements

PCI DSS 3.2.1 groups its 12 requirements under six control objectives. To be compliant, the policies, infrastructure and procedures below should be implemented and kept in place:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data 
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data 

  3. Protect stored cardholder data 
  4. Encrypt transmission of cardholder data across open, public networks 

Maintain a Vulnerability Management Program 

  5. Protect all systems against malware and regularly update anti-virus software or programs 
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know 
  8. Identify and authenticate access to system components (a unique ID for each person with computer access) 
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks 

  10. Track and monitor all access to network resources and cardholder data 
  11. Regularly test security systems and processes

Maintain an Information Security Policy  

  12. Maintain a policy that addresses information security for all personnel
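Requirements 3 and 10 meet in one very common place: application logs, where full card numbers leak through debug output and then sit unencrypted for months. The following added example, not code from ProClass or from the Council, finds card numbers in log lines, confirms each with the Luhn check digit so that order numbers and timestamps are left alone, and replaces it with the first-six/last-four form that requirement 3.3 permits for display. It also shows a keyed HMAC reference that lets a refund be matched to its original transaction without storing the PAN. The sample log lines are constructed, the card numbers are the public Visa and Mastercard test numbers, and the regular expression and function names are assumptions made for the example.

```python
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a
# longer digit run (so a 20-digit transaction ID is never mistaken for a card number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: every card brand's PANs pass it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Requirement 3.3: display at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    def _replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_replace, line)


def scrub_log(lines):
    return [scrub_log_line(line) for line in lines]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised PAN.

    Requirement 3.4 permits a one-way hash of the full PAN; keying it stops an attacker who
    steals the hashes from simply enumerating the ~10^15 possible PANs. The key is handled
    under requirements 3.5 and 3.6 and must never be stored beside the references.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# Constructed sample lines; the card numbers are the public Visa/Mastercard test numbers.
SAMPLE_LOG = [
    "2021-03-04T10:15:02Z INFO payment ok card=4111111111111111 amount=45.00",
    "2021-03-04T10:15:03Z WARN gateway timeout order=1234567890123456",
    "2021-03-04T10:15:04Z INFO refund card=5555 5555 5555 4444 amount=-12.00",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Two design choices are worth stating. Requiring a Luhn match keeps the scrubber from rewriting unrelated numbers, but a deployment that prefers a false positive over a leaked PAN can drop that condition. And requirement 3.4 notes that if both a truncated and a hashed form of the same PAN exist in your environment, you need controls preventing the two from being correlated, so the masked value that lands in logs and the HMAC reference kept for refunds should not be stored side by side without that control in place.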

For full PCI standards and access to additional resources visit https://www.pcisecuritystandards.org/document_library  