
PCI DSS Compliance - what's it all about?

Key findings
Understand what PCI DSS is and why this global standard is important for any company processing credit card transactions. Learn what measures are required to comply with PCI DSS requirements and why non-compliance can lead to heavy penalties and reputational damage. The article offers valuable insights into how you can protect your data from cyber-attacks and why small businesses are particularly vulnerable. Finally, you'll get practical compliance tips and checklists to help you navigate the regulatory jungle. A must-read for anyone involved in credit card payments on the internet.
Anyone accepting credit card payments on the internet needs to understand PCI DSS compliance. PCI DSS stands for Payment Card Industry Data Security Standard. The standard was developed by the PCI Security Standards Council, founded by the major card brands, to reduce fraud and the misuse of cardholder data. It applies to every organisation that stores, processes, or transmits cardholder data. Compliance can be validated by an internal security assessor (ISA), a qualified security assessor (QSA), or, for merchants with lower transaction volumes, a self-assessment questionnaire (SAQ); larger merchants must have a formal assessment by a QSA or ISA.
PCI DSS is a global standard, but it is not a law: it is enforced contractually, through the agreements merchants sign with their acquiring banks and the card brands. Data protection laws in many jurisdictions cover the same card data, so a breach can trigger regulatory action as well. A company that disregards the standard risks heavy fines, higher transaction fees or loss of the right to accept cards, and lasting reputational damage.
Why should companies concern themselves with PCI DSS?
Companies that accept credit card payments on the internet must protect the data they receive from cybercriminals and from the fraud that follows a breach. As media coverage of such incidents shows, a company whose cardholder data is compromised faces lost sales, a damaged reputation, lost trust, and lost customers.
Small companies are disproportionately affected. They tend to have fewer security controls in place and are therefore easier targets. For a small business, a breach involving card data can be an existential threat, so the responsibility for safeguarding that data must be recognised and acted on.
What measures need to be taken to achieve PCI DSS compliance?
The path to PCI DSS compliance starts with one basic requirement: a company must understand how the cardholder data it receives is captured, processed, stored, and transmitted, and which systems touch it. Many companies use a fully hosted payment solution; the provider then carries much of the compliance burden and must itself be validated against the standard, but the merchant remains responsible for its own scope. PCI DSS groups what a merchant or managed service provider (MSP) handling cardholder data must do into six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks, including penetration tests
- Maintain an information security policy
These six goals are broken down into 12 requirements in the standard. A merchant or managed service provider is only considered compliant once every requirement is met:
- Cardholder data is secured by installing and maintaining a firewall configuration.
- The company does not use vendor-supplied defaults for system passwords or other security parameters.
- Stored cardholder data must be protected. This covers policies, processes, and organisational methods, including data retention and secure disposal: keep cardholder data only as long as there is a business need, and delete it securely afterwards. Not all data may be stored at all: sensitive authentication data, i.e. the full magnetic stripe (track) data, the card verification code (CVV/CVC), and the PIN, must never be retained after authorisation, even in encrypted form. The primary account number (PAN) must be rendered unreadable wherever it is stored, by strong encryption, truncation, tokenisation, or one-way hashing, and when displayed it should be masked to at most the first six and last four digits.
- Cardholder data transmitted over open, public networks must be encrypted with strong cryptography (for example current TLS). Such networks include the Internet, wireless networks, Bluetooth, GPRS and other mobile networks, and satellite communication.
- Anti-virus or anti-malware software must be deployed on all systems commonly affected by malware and kept up to date. It must be running, generating audit logs, and actively protecting against worms, Trojans, and viruses.
- Systems and applications must be developed and maintained securely. Vendor security patches must be installed promptly, critical patches within one month of release. Software developed in-house must follow secure coding practices and be tested for common vulnerabilities such as injection flaws before release.
- Access to cardholder data must be restricted to those with a business need to know. Systems and processes must make it clear at all times who has access to which data and why, and access that is not needed is denied by default.
- To control access, every person with computer access must have a unique ID, so that actions can be traced to an individual and permissions granted per person. Passwords must meet minimum strength rules, and multi-factor authentication is required for administrative access to the cardholder data environment and for all remote access; tokens, smart cards, or biometrics are typical second factors.
- Physical access to cardholder data must be restricted and monitored. In particular, server rooms and data centres must be secured, visitors controlled, media containing cardholder data stored securely and destroyed properly when no longer needed, and media and card-reading devices protected against tampering or substitution.
- All access to network resources and cardholder data must be logged so that incidents can be traced. Logs should record user actions, including access to cardholder data, successful and failed login attempts, changes to authentication mechanisms, creation and deletion of system-level objects, and changes to permissions. Logs must be protected from tampering, retained for at least a year, and reviewed regularly (daily for security events). Logs themselves must never contain full PANs or sensitive authentication data.
- Security systems and processes must be tested regularly. Internal and external vulnerability scans must run at least quarterly and after significant changes (external scans by an Approved Scanning Vendor, ASV), and penetration tests of the network and applications must be carried out at least annually and after significant changes. Firewall rule sets and the network diagram of the cardholder data environment must be reviewed periodically, and intrusion detection and file integrity monitoring must be in place.
- A policy covering information security for employees and contractors must be set up and maintained. A formal risk assessment, identifying assets, threats, and vulnerabilities, must be carried out at least annually and whenever the environment changes significantly. Its results feed an incident response plan, which must be tested at least annually. Staff must receive security awareness training on hire and at least annually, and changes to security procedures must be communicated.
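The requirement on stored data limits which card data may be kept and how the PAN must be masked, and the logging requirement demands detailed audit trails; the two collide when a full card number lands in an application log. The following Python script is an added example written for this article, not code from the original page or from the PCI Security Standards Council. It finds Luhn-valid card numbers in constructed sample log lines, truncates them to the first six and last four digits (the maximum PCI DSS permits to be displayed), and removes labelled CVV/PIN fields entirely, because sensitive authentication data must not be retained at all. The log format and the field names `card=`, `pan=` and `cvv=` are assumptions for the example, and the card numbers used are the well-known public test numbers, not real cards.

```python
"""Added example: scrub card data out of application log lines.

PCI DSS lets at most the first six and last four digits of a PAN be
displayed and requires the PAN to be unreadable wherever it is stored;
sensitive authentication data such as the CVV or PIN must never be retained
after authorisation. Logs are a common place for such data to leak, so a
scrubber like this belongs in the logging pipeline. Illustration written for
this article, not PCI SSC material.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Labelled sensitive authentication data fields. The field names are an
# assumption for this example; adapt them to your own log format.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)=\d{3,6}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Digit strings in text that look like a PAN and pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scrub_line(line: str) -> str:
    """Redact SAD fields entirely, then truncate every Luhn-valid PAN."""
    line = SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_CANDIDATE.sub(mask, line)


# Constructed sample log lines. The card numbers are the public test numbers
# 4111 1111 1111 1111 and 5555 5555 5555 4444, not real cards; the 16-digit
# tracking number is not Luhn-valid and must be left untouched.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO checkout user=alice order=1001 card=4111 1111 1111 1111 amount=42.00",
    "2024-03-01T10:15:03Z DEBUG gateway request pan=5555555555554444 exp=12/26 cvv=123",
    "2024-03-01T10:15:04Z INFO shipment tracking=1234567890123456 carrier=DHL",
    "2024-03-01T10:15:05Z WARN login failed user=bob attempts=3",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

The Luhn check filters out roughly nine in ten random digit strings of card length, so ordinary order or tracking numbers survive, while any number that does pass is masked; for a log scrubber that is the right direction to fail in. Scrubbing at write time does not replace keeping the PAN out of the application's log calls in the first place, but a sweep of existing logs with find_pans is a cheap way to discover where cardholder data has spread and therefore what is in scope for the assessment.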
Since PCI DSS is a global standard, even though it is not a law, you should engage with the topic at the latest when you integrate credit card payments on the internet into your business. We hope you found our summary helpful!


