Running a business in the digital age is no easy feat. This is especially true nowadays as cybersecurity threats continue to evolve and increase.
Data breaches have hit even some of the largest, multinational companies, exposing sensitive user data and compromising the privacy and trust of their customers. When it’s payment card data that leaks on a large scale, the damage goes far beyond consumer confidence.
Table of Contents
- Who needs to comply with PCI DSS requirements?
- What happens when you don’t comply with PCI DSS?
- The DIY approach to PCI compliance
- The easiest and fastest path to PCI compliance
Individual customers’ lives and financial future can be irrevocably hurt when their sensitive data falls into the wrong hands. That’s why it’s crucial to secure cardholder data, which is what PCI DSS aims to do.
Like many compliance programs, the Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure vendors are stable and secure, which leads to a more reliable payment card industry overall. PCI DSS ensures that you, your fellow merchants, and all the stakeholders in the payment card industry are held to a rigorous industry standard for security.
But what about your business - do you need to be PCI DSS compliant?
If you store, process, or transmit cardholder data, the short answer is yes. Let’s go over a few things to help you understand exactly why this data security regulation is so vital to your business.
All merchants and service providers that process payment card information must comply with PCI DSS, which is an industry-wide framework with a set of controls and obligations that reduce the likelihood of fraud or cardholder data being compromised.
To put it simply: if your business touches payment card data it must follow PCI DSS.
The most recent DSS version from the Security Standards Council (SSC), which is a consortium of payment card brands like Visa and MasterCard, contains 12 requirements that merchants and service providers must implement.
A dozen boxes to tick doesn’t sound too difficult, right?
Not so fast: within these 12 requirements are hundreds of security controls and sub-requirements. Installing firewalls, encrypting cardholder data, performing patch management and maintaining traceable records are just a few of the requirements for PCI DSS compliance, many of which are complex and can require an entire cross-functional team to tackle.
Some of these requirements may be especially difficult for smaller organizations or lean engineering teams to meet, particularly without any expert help.
So, how do you know if your business needs to worry about attaining and maintaining compliance?
PCI DSS applies to any organization, regardless of size, value, or number of transactions, if that organization collects, transmits, maintains, or transfers cardholder data (CHD). Anyone who transacts a major brand card such as Visa, Mastercard, American Express, or Discover must comply with the PCI DSS framework.
In other words, if payment card data touches your network at any point, you must comply.
If you’re in a smaller organization, the journey to reaching full PCI DSS compliance without any help may seem incredibly daunting – but failing to fulfill the requirements can and does lead to hefty consequences.
Businesses agree to adhere to PCI requirements when they engage in any activity related to the payment card industry. Failure to comply with PCI DSS could cost you, particularly if you ever have a breach of payment card data. The penalties for non-compliance range from sizable fines to having your ability to process payment cards revoked entirely – both of which can be especially detrimental for an early-stage company; and these can be just the tip of the iceberg compared to the total financial penalties caused by non-compliance.
From there, your business may have to pay to inform every individual impacted by the data breach, reissue cards, pay legal fees - the list goes on. The fines for non-compliance are just the start, and don’t factor in the brand damage and intangible costs a data leak causes and the loss of consumer trust that follows. Brand image is, in fact, one of the biggest vulnerabilities when it comes to data security.
According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest cost of a security incident is the erosion of brand value.
Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, you should also want to avoid the liability of not implementing these compliance requirements.
The question, therefore, should not be “is PCI compliance mandatory” (it is), but rather “why would you take the risk of not implementing it?”
Understanding that PCI DSS compliance is absolutely vital is the first step - but how can your business go about becoming compliant?
To build a PCI-compliant infrastructure you will, at a minimum, need to follow and adhere to the following nine steps.
Step one: Download and review the comprehensive PCI DSS details from the Security Standards Council and study it. There are resources that will help you understand how to comply. Read through them and understand the challenges ahead.
Step two: Conduct a risk assessment to evaluate the robustness of the controls and how you will mitigate the risks. Not every control applies to every environment; use your risks to identify the gaps you need to fill. It’s wise to work with an expert consultant for this step. Many available third-party solutions often exceed the needs (and budgets) of smaller businesses, but untrained personnel often struggle to identify which controls do not apply, or how to compensate for them.
Step three: Determine which of your current resources can be leveraged for one or more of the tasks indicated by your risk assessment. Identify any gaps that will require net new resources, including servers, routers, communication equipment, physical security, and full-time employees.
Step four: Create a project plan with budget and timeline/milestones. Be careful with how long you take to get compliant, as your risks don’t drop until you are compliant. For many smaller businesses, this process will take 3-6 months – for larger ones, it’s closer to 6-12 months, usually requiring significant consultation from experts as well as costly technology point solutions, including firewall(s), access control systems, vulnerability scanning services or tools, and much more.
Step five: Gather your resources and build or rebuild your network. It is likely you will need at least one full-time employee to manage your network for PCI DSS compliance.
Step six: Test and verify that your controls reduce the risks you identified as expected. Controls do not always work as intended, since technology changes rapidly, so the method you chose a few months ago may have been circumvented in the intervening time.
Step seven: Go live with your solution and hope it works as designed. It might not but you will tweak it until it does.
Step eight: Have your system audited by a Qualified Security Assessor (QSA). You’ll find them listed on the PCI Security Council website. You won’t really know how well you have done until you are audited (that is unless you have a breach, in which case, you did poorly).
Step nine: Revise your controls or infrastructure based on the audit findings.
Now, once all nine steps are completed, it doesn’t mean you can wash your hands and walk away. Constant vigilance, testing and reworking are required on a regular basis.
The human resources and funding required to complete all of the above are, unfortunately, out of reach for many younger companies.
For this reason, many small-and-medium-sized organizations opt to work with a trusted third-party data security partner to manage all their PCI compliance needs.
Rather than have a cross-functional team undertake the arduous process of gaining PCI DSS compliance the DIY route, the fastest and simplest way to become compliant is to make sure payment card data never touches your business’ servers.
But how can you possibly transact payment cards and run an online business without ever touching cardholder data?
The solution is an innovative approach called data aliasing, during which sensitive user data - like cardholder information - is redacted in real time and replaced with a synthetic data alias so that none of the original data ever passes through your system.
Data aliasing is the foundation of Very Good Security’s Zero Data™ solutions, which enable businesses to collect, store and transmit any sensitive data they want (payments, PII, PHI, secrets etc.) without ever coming into possession of it.
This effectively removes most of your business systems from PCI DSS compliance scope, so your burden is drastically reduced - and your risk of data breaches plummets to almost zero.
Very Good Security offers lightning quick compliance for smaller merchants and service providers upon integration. For organizations that require PCI Level 1, either because of transaction volume or because their bank or partners require it,compliance can be achieved in as few as 21 days.
If you choose the DIY path, achieving the same results can take months – and that’s after you’ve already invested a substantial amount of human and financial capital into securing your databases and processes.
Very Good Security is a completely scalable solution that grows with your business, and can almost entirely take your PCI burden off your plate. Interested in descoping your company's environments from PCI requirements and achieving compliance the simple and efficient way? Get a personalized demo of VGS.