Online shopping and paying bills online have become inevitable in most parts of the world, and with the outbreak of COVID-19 even more businesses are leveraging online sales to provide their products and services without restraint. This increases the number of organizations in the payment card industry and raises the question: are these companies complying with the PCI DSS?
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations that handle branded credit cards. It is developed and mandated by the PCI SSC (PCI Security Standards Council), and compliance is validated annually. The PCI SSC provides tools and resources that enable organizations to keep cardholder information secure at all times. PCI DSS compliance refers to the technical and operational standards that businesses follow to ensure the security of cardholder data (CHD).
The PCI DSS has 12 major requirements that must be implemented by organizations within the scope of the standard, as outlined below:
- Install and maintain a firewall configuration to protect CHD (Cardholder Data)
- Properly protect all passwords and do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data by knowing the location of all CHD, how it is stored and how long it will be retained. All stored CHD must be encrypted, truncated, hashed or tokenized.
- Encrypt transmission of cardholder data across open and public networks to reduce the risk of data compromise.
- Organizations should develop and maintain secure systems and applications, which helps to identify and classify vulnerabilities.
- All software used to enhance the security of cardholder data, for example firewalls and antivirus, should be updated as soon as a new release is available.
- Restrict access to cardholder data by business need to know. This should be done using role-based access control (RBAC).
- Assign a unique ID and a complex password to each person with computer access, in order to identify every user and trace the actions they take with CHD.
- Restrict physical access to cardholder data in order to prevent unauthorized persons from gaining access to these devices to steal, interrupt or destroy CHD.
- Track and monitor all access to cardholder data and network resources, and send logs to a centralized syslog server. SIEM tools can also be used to monitor network activity and logs.
- Regularly test security systems and processes to ensure that security is maintained. This involves scanning external IP addresses and running internal vulnerability scans.
- Maintain a policy that addresses information security for all personnel – This requirement is dedicated to the core PCI DSS goal of implementing and maintaining security policy for all employees and other parties involved with CHD
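The protection options in the third requirement (truncate, hash, tokenize), the unique-ID requirement and the access-logging requirement are easier to picture in code. The Python below is an added example written for this page, not code from the original post or from any PCI SSC material. The sample card number, the HMAC key, the role name `payment-processor`, the user IDs and the threshold in `flag_suspicious` are all constructed placeholders, and the vault and audit log are in-memory stand-ins for an encrypted datastore and a central syslog/SIEM. Encryption, the fourth option, is left out because it needs real key management.

```python
"""Added example, not code from the original post: a toy cardholder-data
service that renders stored PANs unreadable (truncation, keyed hash,
tokenization) and records every access against a unique user ID so a
monitor can flag unusual detokenization.  Key, vault and log are in-memory
placeholders; a real deployment keeps them in a KMS/HSM, an encrypted
datastore and a central syslog/SIEM respectively."""
import hashlib
import hmac
import re
import secrets
from collections import Counter

SAMPLE_PAN = "4111111111111111"  # constructed test number; passes Luhn, not a real card
HASH_KEY = b"placeholder-key-that-would-come-from-a-kms"  # assumption, not a real key


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn checksum."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncated PAN for display: keeps at most the first six and the last
    four digits, which is the most PCI DSS allows to be shown by default."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way keyed hash (HMAC-SHA256) of the full PAN.  The secret key is
    what stops someone who obtains the hashes from brute-forcing the small
    space of valid card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class CardholderDataService:
    """Raw PANs live only inside the vault; callers keep a token instead.
    detokenize() is the only way a PAN leaves, and every call is logged with
    the caller's unique user ID and role (need-to-know, unique IDs, logging)."""

    def __init__(self, allowed_roles=("payment-processor",)):
        self._vault = {}          # token -> PAN; would be an encrypted store
        self._token_by_hash = {}  # hash_pan(pan) -> token, so a repeat PAN reuses its token
        self._allowed = set(allowed_roles)
        self.audit_log = []       # dicts that would be shipped to syslog / SIEM

    def _new_token(self, pan: str) -> str:
        # Random digits with the real last four kept so staff can confirm a card.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._vault and not luhn_valid(token):
                return token  # fails Luhn, so it can never be mistaken for a real PAN

    def tokenize(self, pan: str, user: str, role: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        digest = hash_pan(pan)
        token = self._token_by_hash.get(digest)
        if token is None:
            token = self._new_token(pan)
            self._vault[token] = pan
            self._token_by_hash[digest] = token
        self.audit_log.append({"event": "tokenize", "user": user, "role": role,
                               "token": token, "allowed": True})
        return token

    def detokenize(self, token: str, user: str, role: str) -> str:
        allowed = role in self._allowed and token in self._vault
        self.audit_log.append({"event": "detokenize", "user": user, "role": role,
                               "token": token, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not detokenize {token}")
        return self._vault[token]


def flag_suspicious(audit_log, max_detokenize_per_user: int = 3):
    """Monitoring check over the audit log: any user with a denied detokenize
    attempt, or with more successful detokenizations than the threshold, is
    returned for review."""
    denied = {e["user"] for e in audit_log
              if e["event"] == "detokenize" and not e["allowed"]}
    counts = Counter(e["user"] for e in audit_log
                     if e["event"] == "detokenize" and e["allowed"])
    heavy = {u for u, n in counts.items() if n > max_detokenize_per_user}
    return sorted(denied | heavy)


if __name__ == "__main__":
    svc = CardholderDataService()
    tok = svc.tokenize(SAMPLE_PAN, user="u1001", role="checkout")
    print(truncate_pan(SAMPLE_PAN), tok, hash_pan(SAMPLE_PAN)[:16])
    print(svc.detokenize(tok, user="u2002", role="payment-processor") == SAMPLE_PAN)
    try:
        svc.detokenize(tok, user="u1001", role="checkout")  # checkout has no need to know
    except PermissionError:
        pass
    print(flag_suspicious(svc.audit_log))  # ['u1001']
```

Two design points matter here. The token keeps only the last four digits and is generated to fail the Luhn check, so a leaked token is neither a card number nor mistakable for one; and the keyed hash exists so the service can recognize a PAN it has already seen without ever storing it in the clear. Because `detokenize` writes an audit record before deciding, denied attempts are captured too, which is what a SIEM rule would want to alert on.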
Who does it apply to?
PCI DSS applies to all organizations that store, process or share branded credit card information, as well as organizations that accept card data for processing. These organizations are required to comply with all the requirements of the standard, and failure to comply may result in serious and long-term consequences.
Why is it necessary?
Looking at the requirements in the PCI DSS, one can easily see the relevance of implementing them and how they improve the security of card data. From a security perspective, the implications of ignoring them are equally evident. The following are some of the reasons why a Fintech should endeavour to implement PCI DSS:
- Helps to prevent breaches: The requirements of this standard were carefully designed to secure card data in storage, in transit and during processing. The controls encourage merchants not to retain cardholder data and to use strong firewalls and encryption, making compliant organizations less valuable targets for threat actors.
- Boosts Fintech reputation and builds trust with customers: The importance of trust in e-commerce cannot be overstated, so assuring customers that their data is safe surely buys their trust. Since many Fintechs have third-party affiliations, complying with PCI DSS helps to boost their reputation and makes customers confident in using their services.
- Provides a basis for Fintech to comply with other regulations: Some of the controls in the PCI DSS requirements, such as physical access restriction and keeping software updated, align with controls in ISO/IEC 27001:2013. Complying with the PCI DSS therefore means you have met a baseline for securing data, which makes it easier to build towards compliance with other international standards.
Without an in-house compliance team, it is easy to get overwhelmed implementing all of the controls in the PCI DSS. Contacting an MSP might just be the one step towards a seamless process of complying with this standard. At CyberPlural, our team of experts will take you on the remarkable journey of compliance while ensuring you get the most benefit from taking your Fintech to compete on global standards!