What is PCI Compliance: Requirements and Penalties
PCI compliance means meeting a set of requirements that any company wishing to process card payments has to comply with. The standard was developed by the major card brands (MasterCard, Visa, Discover and American Express) and the Payment Card Industry Security Standards Council. Each company that processes credit or debit cards has to be PCI compliant under the rules of one of the card brands in order to avoid heavy fines.
PCI DSS is the set of 12 compliance requirements set out by the PCI Security Standards Council that a company must meet in order to be compliant with the standard. Here are some highlights:
Build and Maintain a Secure Network
Requirement 1: Build and maintain a secure network. Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Encrypt transmission of cardholder data across open, public networks. Maintain a vulnerability management program.
Requirement 2: Protect stored cardholder data.
Requirement 3: Encrypt transmissions of sensitive information across public networks.
Requirement 4: Maintain a policy that addresses information security.

Protect Cardholder Data
Requirement 5: Protect stored cardholder data.
Requirement 6: Encrypt transmission of cardholder data across open, public networks.
Requirement 7: Mask PAN when displayed (the full Primary Account Number must not be displayed in clear text).
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security.

Maintain a Vulnerability Management Program
Requirement 13: Use and regularly update anti-virus software.
Requirement 14: Develop and maintain secure systems and applications.
Requirement 15: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access.
Requirement 16: Maintain a policy that addresses information security.

Regularly Monitor and Test Networks
Requirement 17: Track and monitor all access to network resources for threats such as malware and unauthorized access.
Requirement 18: Regularly test security systems and processes.
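Two of the requirements above are concrete enough to show in code: masking the PAN wherever it is displayed, and keeping full PANs out of the access logs that the monitoring requirement makes you retain. The following is an added example written for this page, not code from the blog, the Council or any card brand. It assumes a display rule of "at most the first six and last four digits visible", a Luhn check to decide whether a digit run is plausibly a PAN, and constructed sample values (a well-known test card number, not a real account).

```python
"""Added example: PAN masking for display and PAN scrubbing for log lines.

Assumption: the display rule is "keep at most first six and last four
digits"; confirm the exact rule with your assessor before relying on it.
"""
import re

# Constructed sample values: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_LOG = "2024-01-01 10:00:00 checkout ok card=4111111111111111 amt=19.99"

# Digit runs of PAN length that appear as whole tokens in free text.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is a 12+ digit string that passes the Luhn mod-10 check.

    Luhn is a plausibility filter, not proof of a real card, but it keeps
    timestamps, order numbers and other digit runs from being masked by mistake.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display, keeping only a leading and trailing slice of digits.

    Separators (spaces, dashes) are stripped first so the same rule applies
    however the PAN was typed. Asking to keep more than six leading or four
    trailing digits is refused rather than silently honoured.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("display rule would expose too many digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * hidden + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in `text` with its masked form.

    Intended as a filter in front of the log sink, so the records kept for
    the monitoring requirement never contain a full PAN in clear text.
    """
    def _sub(match: re.Match) -> str:
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(redact_pans(SAMPLE_LOG))
```

The Luhn check matters in the redaction path: without it, any long digit run in a log line (an order id, a Unix timestamp in milliseconds) would be masked too, which hides useful data and trains people to ignore the masking.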
Businesses that process and store card data and do not become PCI compliant can face very heavy fines from the card brands, fines that will make most businesses go bankrupt. There was a case in Florida where a company had to pay $9.5 million because it wasn't PCI compliant.
As you can see, compliance with PCI DSS is not something to fool around with. However, implementing the standard is not an easy task, and many companies that process card data are still failing in different areas of compliance.
They get audited by their acquirer or by a third-party auditor, get fined, and lose time trying to fix things while continuing to process cards without being compliant. Unfortunately, the big card brands don't care about your business; their goal is to make sure that you become PCI compliant. It's really in your best interest to follow the standard, take it seriously and not fool around when addressing compliance.
In our last post we talked about the audit process from a merchant's point of view; in this post we will focus on the perspective of a QSA, a Qualified Security Assessor who is responsible for auditing companies that process and store card data against PCI DSS. I will be quoting from an interview with a real-life QSA with whom we have been working to help merchants pass their audits.
I interviewed our partner QSA, with whom we have been working since the early days of our company to help merchants become PCI compliant. He has performed hundreds of audits for companies that process and store card data. His name will not be revealed, to ensure privacy, but I assure you that he is very experienced, trustworthy and knowledgeable in PCI compliance.
When asked about the most common mistakes he has seen merchants make during their compliance process, he had the following to say:
I've found the biggest problem with merchants who are not compliant is that they don't have a proper IT department. A lot of times I'll go visit them and it's obvious they think an "IT guy" means someone who knows how to use the data cable that came with their computer to connect it to the internet.