“PCI-DSS” stands for Payment Card Industry Data Security Standards.
If you’ve heard the term lately, you’re not alone. It’s a buzzword that’s flying around the business world, hitting headlines and company leadership hard.
Any company that takes credit cards online or stores credit card information — from a retail store to a doctor’s office — must be aware of and comply with PCI standards.
Staying in compliance with ever-changing PCI data security standards is a challenge.
The regulations are constantly evolving, organizations often lack visibility into their technical environments, and the security environment is more complex than ever before.
In some cases, companies are so focused on other areas of their business that they haven’t even looked closely at PCI. With payment information breaches making headlines, however, more companies are taking note.
There’s some important news that should catch your attention now. If you haven’t looked at this issue since 2017, you may have inadvertently fallen out of compliance. A number of PCI-DSS changes went into effect at the beginning of the year that call for major upgrades to every organization’s PCI-DSS plans. And other important changes will hit in the middle of 2018, on July 1 to be exact.
For anyone who uses credit cards or fax in their business, a failure to keep up could be expensive and dangerous. Here’s what you need to know about becoming PCI compliant in 2018 and beyond.
What is PCI Compliance?
Before we dive into the top five reasons you should be PCI-DSS compliant and how to achieve that, let’s do a quick review for anyone who might not be fully up to speed on the regulations. The PCI standards apply to companies of any size that accept credit cards as payments. If you’re going to accept, store or transmit payment information, your organization needs to host data with a PCI-compliant hosting firm.
We’ll take a deeper dive in a minute on the specifics of PCI-DSS compliance, but first, let’s establish why it’s critical to be compliant. Many people ask the question, “What is PCI compliance?”
There’s sometimes confusion, because the PCI Security Standards Council establishes the rules, but isn’t in charge of enforcement. Card issuers and banks are the enforcers.
What happens when there’s a break in your PCI compliance?
Banks and credit card issuers can take steps that quickly add up to expensive fines and even limit your ability to do business. Repercussions of faulty PCI-DSS compliance include:
- Suspending your ability to accept bank payments or credit cards.
- Issuing monthly fines for non-compliance that accrue — and increase — every month you’re out of compliance. Fines can range from $5,000 to $100,000 per month and increase from there. Some issuers will even use past data — forensic accounting — to establish your guilt.
- Higher-volume processors pay larger fines. A Level 1 merchant will pay double the fine of a Level 2 merchant, for example.
- In addition, specific fines are applied based on the number of cardholders who were affected by the breach. These are in the range of $50 to $90 per customer, which is sobering when you realize that millions of people can be affected by a single breach.
- Estimated data breach penalties from just 1000 cardholders range from $155,000 to $305,000.
- Depending on the location, you may be required to report the data breach to the State Attorney General’s office, Consumer Protection Board, and Office of Cyber Security, for example.
In addition, there are accounting costs, legal costs, PR costs, customer service issues and possible civil litigation, not to mention loss of business from the negative publicity. To put that in perspective: if a mid-size business experiences a breach that affects 100,000 customers, and it’s found that the breach was the result of being out of compliance for a year, the fines could easily add up to millions of dollars.
Few businesses have the financial ability to absorb these stringent penalties, or the man-hours needed to respond to the customer service and other complaints that will arise. Your best defense is being prepared.
5 Ways to Get Current with PCI-DSS Compliance This Year
1. Create a PCI-DSS 101 Checklist
The first step to avoiding a devastating breach or out-of-compliance fines is to understand the basics of PCI-DSS compliance.
The PCI Security Standards site offers a great summary of how to get started. At a high level, here’s their strategy:
- “The standard works for some of the world’s largest corporations. And it can work for you.”
- Buy and use only Council-approved PIN entry devices at your points-of-sale (POS).
- Buy and use only Council-validated payment software at your POS or for your website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software — most, like “ADMIN”, are unsafe.
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about physical and logical security and protecting cardholder data.
- Follow the PCI Data Security Standard.
Implementing these steps — and staying up to date with the latest changes — is essential.
2. Document and Test Significant System Updates
A new clause went into effect for 2018, which puts pressure on organizations with upcoming systems changes. Are you making a major change to your system, whether that’s moving to a new POS system or buying bandwidth from a new communications company? New rules going into effect in 2018 state that merchants need to:
- Identify when a major change occurs, including having a document or policy in place that defines what that means.
- Keep track of and document all changes that occur.
- Work with your auditor (called a QSA) or with your internal team during a self-assessment to ensure that ongoing security steps were taken. These include penetration testing, vulnerability scanning and risk assessment updates to ensure the changes don’t leave you open to new issues.
- Meet the latest encryption standards defined by PCI-DSS v3.2 and disable older and less secure technology. For web-based on-line credit card processing, this may require an upgrade to your Java or .Net environments.
3. Implement Multi-Factor Authentication
Your Gmail account may have nothing more important in it than chain letters from your grandmother, but most people have still implemented multi-factor authentication. Taking this step means that it requires more than a simple password to log in. You might use a token, a biometric scan or another form of second-level verification to ensure you’re the person logging in to the account. As a result, your information is better protected and your account is harder to hack.
The new regulations essentially require administrators to use multi-factor authentication to access the cardholder information environment. Incorporating this level of control throughout the system makes it more secure and puts another layer of protection between you and cybercriminals.
4. Work with a QSA who Observes the Latest Changes
The PCI-DSS rules involve different regulations for different companies. At a high level, organizations are assigned to different levels. Level determination depends on the volume of business you do, whether you’ve had previous breaches and other factors. Merchants at the higher levels must be periodically audited and work with an approved Qualified Security Assessor.
However, the regulations that govern this industry change frequently, and a number of new requirements went into effect for 2018.
Even if your QSA has done a great job in the past, ask them for an update on the regulations that impact their service and how they’re taking steps to meet them. This helps ensure a higher level of security for your business and avoids expensive and time-consuming PCI-DSS violations.
5. Upgrade to the Latest Security Standards Mandated by the PCI Security Council by July 1.
An important deadline is looming—after June 30, 2018, the PCI DSS standard will no longer recognize Secure Sockets Layer (SSL) or early versions of Transport Layer Security (TLS) as being secure enough to protect cardholder data. The council went even further, proclaiming that:
“It is critically important that organizations upgrade to TLS v1.2 or higher as soon as possible, and disable any fallback to SSL or early TLS.”
What does this mean? Well, when you log onto a secure website with the HTTPS prefix and you see the lock symbol, that is Secure Sockets Layer (SSL) working to keep your data private and protected. SSL-type security can also be used to secure and encrypt email passing between mail servers, and these days HTTPS websites have mostly been upgraded to support TLS, which is the successor to SSL.
The problem is, legacy SSL and early TLS (v1.0/1.1) protocols remain in widespread use, despite well-known security vulnerabilities for which there are no fixes other than upgrading to TLS 1.2. This upgrade is especially important for businesses taking on-line orders via web sites, third-party e-commerce apps and even by fax, as they are most at risk. See this info guide from the PCI Security Council for more information and links to the PCI-DSS documentation.
Don’t Forget Your Fax Solution
Organizations need to focus on several areas for PCI-DSS compliance: the network, point-of-sale devices and how you store payment information. Many, however, forget about faxes. It’s essential that you don’t overlook your fax provider, because plenty of industries still fax in orders, purchase order verifications and payment details, which can include credit card numbers and CVV codes along with cardholder names and addresses.
Are faxes coming in to a physical fax machine or multifunction printer and sitting unattended in plain view until someone picks them up? That’s basically a PCI-DSS compliance nightmare!
Instead, consider switching to a secure cloud fax solution that delivers faxes directly to individual employee inboxes for greater privacy. You must take care to select a provider that implements the latest PCI-compliant security, encryption and authentication protocols.
The best providers also maintain their own redundant and survivable infrastructure to comply with tough government regulations and ensure business continuity when disaster strikes. As noted above, protecting your customers’ payment information from end to end is essential for compliance with PCI-DSS v3.2.
Are you interested in learning more about how a secure on-line fax solution can help you stay compliant with PCI-DSS, GDPR, HIPAA, and other regulations?
Get started with eFax Corporate, the world’s leading provider of secure cloud fax solutions used by nearly half of Fortune 500 corporations, as well as thousands of small and medium-sized businesses. Consensus, the parent company of eFax Corporate, is a PCI Merchant level- performing over 6 million credit card transactions annually.