Complying with the payment card industry’s data security standard (PCI DSS) might make great business sense, but it can present challenges for companies that might not have the technical skills in-house – or the capacity to manage compliance with a detailed security standard.
Let’s look at a few common challenges of PCI DSS compliance, as well as potential solutions.
First, it’s worth outlining the 12 requirements of PCI DSS compliance:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Defining the scope
PCI DSS compliance is divided into four merchant levels. The requirements for your organisation depend on your annual transaction volume.
- Level 1: processing more than 6 million card transactions per year
- Level 2: processing 1 – 6 million transactions per year
- Level 3: processing 20,000 – 1 million transactions per year
- Level 4: processing fewer than 20,000 transactions per year
Before you can create a plan for achieving and maintaining compliance, you need to determine your required level of compliance. This step may help you reduce the effort involved in complying with PCI DSS, or at least help clarify your destination.
The differences between the levels are significant, and might mean the difference between confirming compliance with a self-assessment questionnaire (SAQ) or an annual audit with a qualified security assessor. Level 1, 2 and 3 organisations will also need to conduct a quarterly network scan.
Not all organisations have the in-house resources to manage a broad project like PCI DSS compliance. And even if you have teams that are willing and able, it’s easy to waste time heading in the wrong direction, or to stress about details that aren’t relevant, while missing key components of the standard.
Getting external support from qualified security experts can accelerate the process of compliance and reduce the burden on your colleagues.
To some people, PCI DSS can seem like just another regulation with a load of extra paperwork and stress. But this is a mistake, because PCI DSS is a huge opportunity to reduce risk and prevent the kind of company-crippling data breaches that happen every day.
Data breaches don’t just affect major corporations. Attackers look for exposed data wherever they can get it, and knowing that small companies are often less protected than their larger corporate counterparts, SMEs become a very attractive target.
Again, if your teams are struggling to manage PCI DSS compliance, then look for external support, and also work on perceptions of PCI DSS within your organisation. Everyone needs to understand the importance of compliance, as well as their own role in sticking to the standard (requirement 12).
Shielding payment card data
Requirement 7 of the PCI DSS standard stipulates that access to cardholder data should be restricted on a need-to-know basis. The ideal payment solution keeps card information encrypted in transit and obscured (masked) in storage, so that a full card number is never exposed where it is not needed.
Some organisations struggle with this requirement because they rely on legacy systems to either collect primary payments from customers, or to collect ad-hoc payments through contact centres. For some systems, there is no workaround or upgrade available, and the only solution is to replace the non-compliant system with one that is designed for compliance from the ground up.
Failing to regularly test systems
Requirement 11 is to regularly test systems and processes. For many organisations, this requires an organisational shift, as it demands that a team is made responsible for this testing, and a schedule of testing and reporting is implemented. You may also need to update job descriptions to include this function.
What have you found most challenging about PCI DSS compliance? Are you still on your compliance journey – or have you fully established your PCI DSS systems and processes?