Understanding PCI Compliance

The two most common mistakes – and the best solution.

Mnet 194972 Credit Card Online Shopping Ecommerce
Stevie HayStevie Hay

It’s a nightmare scenario for customers and manufacturers alike: a data breach exposing sensitive information to tech-savvy thieves. As Sears and Delta recently learned, the impact can be much worse if credit card data leaks. And despite IT teams’ best efforts, the question of another massive data breach is “when” rather than “if.”

Back in 2004, transaction processers saw this threat on the horizon. In response, a panel of representatives from major credit card companies designed the Payment Card Industry Data Security Standard (PCI DSS). Many PCI compliance regulations are common sense — for example, ensuring all sensitive data is protected by a firewall and watching for illegal devices such as card skimmers. The PCI DSS continues to regularly update PCI compliance standards.

As data breach threats grow, more companies are taking PCI DSS seriously; compliance grew 44 percent between 2012 and 2017. However, Verizon found more than 40 percent of merchants still fail to meet PCI compliance — and new regulations mean even when they do achieve compliance, they may quickly lose it. I continue to hear from customers who struggle with the scope of their PCI compliance projects.

What’s keeping companies from maintaining these crucial security standards? Consider the two most common mistakes companies make when seeking PCI compliance — and the best way to ease your PCI DSS concerns.

Mistake #1: Underestimating PCI compliance reach

Traditionally, PCI compliance conjures the image of a major retailer dealing with thousands of credit card transactions per day. While it is true that the strictest regulations are reserved for companies completing more than six million credit card transactions a year, there are four levels of compliance regulation — and even manufacturers and distributors, not just retailers, are subject to the PCI DSS if they process credit card payments.

Perhaps the most common misconception about PCI compliance revolves around third-party credit card processing. For smaller organizations, outsourcing credit card processing is attractive — it’s one less expensive and complicated process to worry about. However, you are still responsible for your customers’ transactions. To remain PCI compliant, you’ll need to 1) ensure your processor is PCI compliant at the time of hire and 2) reconfirm your processor’s compliance each year. Otherwise, you could be on the hook for a data breach beyond your control.

The bottom line: any processing, storing or transmitting of credit card data — online or offline — requires you to be PCI compliant.

Mistake #2: Relying on your IT team to manage the entire process

Some of the most critical PCI compliance-focused tasks, such as setting up a firewall and encrypting data as it passes through open networks, require an IT expert’s assistance. However, the onus is on your entire team to maintain PCI-compliant processes. In fact, maintaining a security policy and requiring your employees adhere to it is a PCI compliance standard.

Because credit card numbers can pass through your network in a number of ways, start by addressing another PCI standard — keeping your operating system and end point protection up-to-date. This will help prevent hackers from using malicious software, such as a keylogger, to obtain customer data.

To remain PCI compliant, you’ll need to re-evaluate your manual transaction processes. Even accepting credit card information over the phone comes with risks. If you record customer service calls, make sure that you edit out any credit card info the customer provides. Any printed document with credit card info needs sensitive data blacked out. Email attachments with credit card data should be deleted as soon as card numbers are collected. Better still, discourage sharing credit card data that way as email is not a secure method of delivery. To put it simply: Any time you receive or process credit card data, even if it’s not through your website, any identifying information needs to be redacted, shredded or erased.

PCI compliance within your manual processes may seem like a chore, but the alternative — managing a breach of sensitive data within your call logs — is expensive and time-consuming.

Solution: Keep access limited

If you’re struggling with the scope of your PCI compliance project, it’s time to reconsider how your company accesses and manages data.

For those willing to invest more in PCI compliance, working with a Qualified Security Assessor to dive into your transaction processes and provide solutions is the best option — an assessor can address the nuances your IT team might overlook. Still, for smaller companies, such a comprehensive review might not be financially feasible.

As an alternative, your team can create a process map to determine how credit card data flows through your network. Consider 1) which departments have access to sensitive customer data and 2) how much access do they have? Take time to meet with each department to determine how critical this data is to their day-to-day responsibilities — and if they can manage without it, cut them off.

By reducing the number of users with access to sensitive data, you’ll have fewer processes that require resource-consuming PCI compliance measures. You’ll also reduce the chance of a data breach caused by employee error — if, for instance, a non-essential user opens a suspect email attachment and the computer becomes infected. You’ll ultimately find compliance to be more affordable and more achievable.

Awareness is your best defense

Many companies have adopted PCI compliance into their business decision-making processes, and for good reason — falling victim to a data breach can have serious consequences. By understanding how PCI compliance affects your operations, reducing the number of departments affected and training those with access to be vigilant, your team can become true data defenders.

Stevie Hay is Senior Director at Aptean.

More in Security