With the recent rise in cyber threats, protecting customer data has never been more critical. Back in March, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standards (DSS) 4.0, the latest framework of security standards for any business that handles payment card information. This version focuses on targeted risk analysis and organizational maturity, requiring companies to have a sound security policy that can be enforced consistently across all business areas. In other words, PCI DSS compliance is no longer a one-time checklist item; it must be an ongoing effort that should be incorporated into your overall cybersecurity strategy. If your organization processes credit card payments, you will need to comply with PCI DSS by March 31, 2024, two years after PCI DSS 4.0 is released. In the meantime, here is a quick overview of the most notable PCI DSS requirements:
- Install and maintain a firewall to protect cardholder data
- Encrypt transmissions of cardholder data across networks
- Restrict physical and online access to cardholder data
- Internal vulnerability scans at least quarterly
- Application and network penetration tests at least once annually
- Implement an information security policy for all employees
- Perform risk assessment at least once annually
- Ensure employee cyber awareness training is in place
Not all organizations will have the same level of compliance. The PCI SSC has been separated into four “merchant” levels based on the volume of Visa transactions over the course of a year. If an organization has a DBA (Doing Business As) or a subsidiary, the aggregate volume must be considered to place them accurately. Each level has more stringent requirements than the last, meaning that a small mom-and-pop shop will not have nearly the exact compliance requirements as a national chain restaurant. If an organization accepts payment cards but does not store the data, they are still subject to PCI DSS but likely have much fewer and less intensive requirements.
So, what are the consequences for non-compliance? If a payment brand finds an acquiring bank violating PCI compliance, that bank could get fined anywhere from $5,000 to $100,000 per month. The fine will likely be passed along the chain until it reaches the merchant. The bank might even end its relationship with the merchant or raise transaction fees. Penalties are not something people talk about often, but they can destroy a small business if they are not careful.
Fortunately, the PCI SSC provides many of resources to help organizations with compliance. They have self-assessment questionnaires (SAQs) that can determine the level of PCI DSS compliance required. The PCI SSC approves many third-party organizations to assist with implementing these requirements.
PCI DSS compliance isn’t something that can be achieved overnight. It requires a commitment from the entire organization to following best practices for handling payment card information. At Alliant Cybersecurity, our dedicated professionals have the knowledge and experience to guide your organization through PCI DSS compliance to ensure that you follow best practices and protect your customer data. Is your business compliant with the updated standards?
Thanks for reading and be sure to reach out and share your thoughts or any questions you may have!