Does Your Business Need To Be PCI DSS Compliant? Here’s What You Should Know.

March 16, 2018

David Mundhenk is a multi-certified Security Consultant at Herjavec Group with 20+ years of Information Security industry experience. While he has worked in virtually every security discipline, he specializes in testing and certifying payment processing systems and environments.

As more consumers rely on using credit and debit cards for retail transactions, payment card data theft has become a hotbed for cyber-criminal activity. In fact, a 2016 study from the Aite Group said that costs associated with card-not-present fraud will exceed over $7 billion by the end of 2020.

It is critical for enterprises to do everything possible to protect credit card data. After all, the costs of a data breach can be significant. The Ponemon Institute stated that data breach costs have risen 29% since 2013 to an average of $4 million.

So how can enterprises protect themselves from cardholder data theft?

First, enterprises must understand that there are two types of payment card data that must be protected:

• Cardholder Data (CHD): which includes the card’s Primary Account Number (PAN), cardholder name, expiration date, and service codes. The PAN is what determines the PCI DSS compliance scope, and can be only stored electronically or via hard copy if PCI DSS mandated protections are in place (encryption, redaction, etc.).
• Sensitive Authentication Data (SAD): which includes the card verification value (the 3-digit CVV code), the magnetic strip and electronic chip information, and Personal Identification Numbers (PINs), can never be stored following transaction authorization or declination.

While businesses are allowed to store cardholder data if properly protected, they are not permitted to store the Sensitive Authentication Data following transaction authorization or declination.

Second, all businesses and entities that store, process, or transmit payment card information must validate their compliance annually with respect to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). According to the 2017 Verizon Payment Security Report, of all the payment data breaches investigated by Verizon in the last 10 years, not one company was found to be fully PCI compliant at the time of the breach.

It is the responsibility of enterprises, large or small, to ensure they meet and validate their PCI DSS compliance responsibilities. Some may be required to engage with a Qualified Security Assessor (QSA) company and Approved Scanning Vendor (ASV) firm to validate adherence to applicable PCI DSS requirements.

It is also worth noting that compliance with the PCI DSS standards is not a one-time, annual event. Enterprises should be reinforcing the importance of information security methods and PCI compliance DSS requirements on an ongoing basis. Doing so requires a continued investment in people, processes, and technologies to ensure effective cyber threat and risk management on a 24x7x365 basis. This means there must be an overwhelming commitment from senior business leadership to understand and address a corporation’s responsibility to protect all sensitive information assets.

In the end, the less cardholder data a business ‘touches’, the fewer PCI DSS requirements and associated security controls will be applicable. In addition, it is important to realize that no matter what protections might be in place, a security incident is inevitable. It is not a case of if, but when, such an event will occur. With this in mind, ensure that the business has a comprehensive cyber incident response plan. Having visibility to an attack or incident, containing it and then remediating promptly, will save time and financial damages.

Payment card transaction processing has become almost ubiquitous. Ensuring that all aspects of cardholder data security is everyone’s responsibility, including the card brands, merchants, and service providers who process, store or transmit cardholder data all the way to the payment card user.

There is an old saying, “…a rising tide floats all boats”. We all have a responsibility to work together to help protect and preserve cardholder data and payment card transaction viability. In doing so, we can all help to raise the level of payment transaction security and confidence.

To learn more about how Herjavec Group can help your business achieve and maintain PCI compliance, please click here.