Understanding PCI DSS and the Importance of Compliance


The Payment Card Industry Data Security Standard (PCI DSS) was originally established in 2004 as a standardization of security practices for any organization that handles or collects payments via credit cards. This standardization is required by all major credit card carriers and is regulated by the Payment Card Industry Security Standards Council (PCI SSC). This proprietary standardization program requires businesses to install anti-virus software, control physical access to information, and regularly test the network’s security software. Additionally, the company is required to create a privacy policy and allow an independent organization to evaluate its security software.

Although not all payment processing organizations meet PCI DSS standards, and not all are required to, most reputable payment card companies require that their payment processors meet the requirements. One such organization is Visa, which will not authorize a payment processor unless that company has validated its PCI DSS compliance. Given Visa’s position in the market, exposing itself to the greater liability risk of working with a processor that does not meet PCI DSS standards could be devastating to its business. The PCI DSS standards are all about risk reduction; the following are examples of what the risk reduction process looks like within an organization that is PCI DSS compliant.

Preventing Breaches

Preventing a data breach is one of the primary objectives of PCI DSS; therefore, the program requires businesses to protect their database with a state-of-the-art firewall, since firewalls are commonly accepted as a first line of defense against most of the threats that arrive over the web. Beyond installing a firewall, the standard requires that no enterprise keep default hardware or software passwords. Relying on the base or default security software that ships with hardware devices is also not recommended.

To further prevent breaches, processors are also required to use cutting-edge software that automatically encrypts each customer’s information. Encryption algorithms can, however, become obsolete; therefore, higher-end encryption programs periodically change the type of encryption they use in order to prevent attackers from breaking the codes.

The PCI DSS standards also recommend that a processor set up scanning software at multiple levels, most notably at the point of download. Given that the end user is a primary source of data breach risk, the standards suggest that any download be scanned for potential malware before it is actually installed on the computer. Scanning software can also notify administrators if malware has made its way through in a download.

Another common layer in preventing breaches is actually to have a breach performed intentionally, in the form of a penetration test. A PCI DSS compliant organization will employ a third-party cyber security firm to actively attack its network to try to identify weaknesses or vulnerabilities. This type of operation should be performed regularly, as systems, applications, hardware and software are typically updated regularly. Once a penetration test is complete, its results are presented to the processor’s management in the form of a report, and are then acted upon by either the organization or the third-party (penetration testing) company in order to patch the vulnerabilities.

Internal Employee Guidelines and Privacy

In 2011, the Payment Card Industry Security Standards Council created a policy prohibiting call centers from storing recordings that contained a cardholder’s information if the audio files would be accessible to multiple users. Given that audio files are often the primary source of customer personally identifiable information (PII) within a call center, this practice helps to reduce the risk within the specific call center environment.

According to PCI DSS, a processor must create a privacy policy that indicates whether or not the company plans to sell a customer’s information. However, this practice is certainly flawed. While privacy policies are important for privacy practice disclosure, they often are not read by the customer. Many people mistakenly believe that a privacy policy means that a company will keep all customer data completely confidential. Instead, privacy policies tend to benefit the processor company more than the customer.

To further protect an individual’s data, the PCI DSS indicates that a payment processor company should only show a customer’s data to employees who play a critical role in the payment collection process. The organization will typically assign an identification number to each designated employee. Software is then installed within the organization to track the activity of the designated employees. If a customer’s information is compromised, the business can view a list of employees who accessed the data prior to the breach.
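The access-control and audit-trail practice described above, as an added example that is not part of the original article and not code from Cybrary or the PCI SSC: each employee carries an assigned identifier and a role, only roles with a critical part in payment collection may read a cardholder record, every attempt (granted or denied) is logged, and after a breach the log is queried for who viewed the record before the breach time. The role names, employee identifiers and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Roles whose duties require viewing cardholder data. This set is a constructed
# assumption for the example; a real deployment derives it from its own job roles.
CARDHOLDER_DATA_ROLES = frozenset({"payment_ops", "chargeback_review"})


@dataclass(frozen=True)
class Employee:
    employee_id: str  # the identifier the organization assigns to each designated employee
    role: str


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    employee_id: str
    customer_id: str
    granted: bool


class CardholderDataStore:
    """Holds customer payment records and records every access attempt."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self.audit_log: List[AccessEvent] = []

    def put(self, customer_id: str, record: dict) -> None:
        self._records[customer_id] = record

    def read(self, employee: Employee, customer_id: str, when: datetime) -> dict:
        # Authorization decision: only employees with a critical role in payment collection.
        granted = employee.role in CARDHOLDER_DATA_ROLES
        # Granted and denied attempts are both logged, so denied probes stay visible too.
        self.audit_log.append(AccessEvent(when, employee.employee_id, customer_id, granted))
        if not granted:
            raise PermissionError(f"{employee.employee_id} ({employee.role}) may not view cardholder data")
        return self._records[customer_id]

    def accessors_before(self, customer_id: str, breach_time: datetime) -> List[str]:
        """Employees who successfully viewed this customer's record before breach_time,
        in first-access order, each listed once."""
        seen: List[str] = []
        for ev in self.audit_log:
            if (ev.customer_id == customer_id and ev.granted
                    and ev.when < breach_time and ev.employee_id not in seen):
                seen.append(ev.employee_id)
        return seen


def demo() -> dict:
    """Constructed scenario: three employees, one denied, then a breach investigation."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    store = CardholderDataStore()
    # Only a truncated card number is kept in the sample record.
    store.put("cust-1001", {"pan_last4": "4242", "name": "A. Customer"})

    ops = Employee("E-017", "payment_ops")
    review = Employee("E-042", "chargeback_review")
    marketing = Employee("E-099", "marketing")

    store.read(ops, "cust-1001", t0)
    store.read(review, "cust-1001", t0 + timedelta(hours=1))
    store.read(ops, "cust-1001", t0 + timedelta(hours=2))  # repeat access, reported once
    try:
        store.read(marketing, "cust-1001", t0 + timedelta(hours=3))
        denied = False
    except PermissionError:
        denied = True
    # An access after the breach lies outside the investigation window.
    store.read(review, "cust-1001", t0 + timedelta(hours=5))

    breach_time = t0 + timedelta(hours=4)
    return {
        "marketing_denied": denied,
        "accessors_before_breach": store.accessors_before("cust-1001", breach_time),
        "denied_attempts": [e.employee_id for e in store.audit_log if not e.granted],
    }


if __name__ == "__main__":
    print(demo())
```

The point of logging denied attempts alongside granted ones is that an investigator sees not only who legitimately handled the record but also who tried and was refused, which is often the earlier signal of misuse.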

Although PCI DSS is not mandated for all payment processor companies, and it is by no means perfect, it does play a positive role in reducing risk for the card companies and for the customers. It provides a guideline to companies that handle individuals’ personally identifiable information, and without those guidelines it would be all too easy for potential hackers and criminals to access valuable data, which often ends up for sale on the dark web.


About the Author
Ryan J Corey is CoFounder of Cybrary which is a free online cyber security training platform. Cybrary provides cyber security classes from entry level to advanced. Cybrary also provides enterprise organizations with security training classes such as End User Security Awareness.
