Identity theft, specifically the theft of cardholder data, harms both businesses and consumers. For businesses, identity theft leads to chargebacks that reverse revenues and incur additional costs for handling the chargebacks. According to statistics, financial losses due to identity theft amount to more than $50 billion every year. Identity theft can also deal a significant blow to a business’s reputation and credibility, negatively affecting its long-term profitability and even longevity.
As a response to identity theft, merchants are required to comply with the Payment Card Industry Data Security Standards (PCI DSS), which strengthen card security and protect cardholders from identity theft and other security risks.
PCI DSS: An Overview
Administered by the Payment Card Industry Security Standards Council (PCI SSC), which is made up of five major card companies, the PCI DSS provides a set of requirements to strengthen credit, debit, and cash card transaction security and to protect cardholders against card fraud and theft of their personal information. The PCI DSS is a globally accepted set of standards. It provides companies with a baseline that they can comply with and implement throughout their entire organization, regardless of where they are operating in the world.
Your PCI DSS Compliance Checklist
To comply with the PCI DSS, organizations have to meet the six compliance goals laid down by the PCI Security Standards Council. These goals are further broken down into 12 requirements.
Step #0: Determine Whether Your Organization is Covered by the PCI DSS
The first step is to determine whether or not the PCI DSS applies to your organization. Simply stated, the PCI DSS applies to organizations of any size as long as they accept, transmit, or store any cardholder data. While degrees or levels of compliance vary depending on the number of their transactions, organizations generally need to comply with the same requirements.
Step #1: Build and Maintain a Secure Network
Does your organization have a firewall configuration to protect cardholder data and maintain it regularly?
Has your organization changed vendor-supplied defaults for system passwords and other security parameters?
A secure network ensures that every transaction is safely conducted. Firewalls minimize instances of hacking and illegal eavesdropping or surveillance. Changing vendor-supplied default passwords for systems and security modules, on the other hand, is a security measure that organizations should automatically implement. Default passwords are often easy to guess, making systems susceptible to attacks. The PCI DSS also requires organizations to enable their customers to easily change their user passwords.
Step #2: Protect Cardholder Data
Does your organization have measures to protect stored cardholder data?
Does your organization encrypt cardholder data when it is transmitted across open, public networks?
The PCI DSS requires organizations to protect cardholder information whether it is stored or in transit. Repositories keeping vital information such as dates of birth, credit card numbers, mailing addresses, and other personally identifiable information should be kept secure against hackers and malicious software. The PCI DSS requires the use of encryption especially when cardholder data are in transit or shared through open and public networks. This requirement is critical in all credit card transactions, but particularly in e-commerce transactions.
Step #3: Maintain a Vulnerability Management Program
Does your organization use and regularly update anti-virus software or programs?
Does your organization develop and maintain secure systems and applications?
To protect organizations and their customers’ information from emerging threats, the PCI DSS requires organizations to ensure that the security of their systems and software is up to date. Aside from using and regularly updating anti-virus, anti-spyware, and other anti-malware software, organizations must also ensure that their software is free from bugs that leave their systems open to exploitation. Strengthening the security of systems and applications also involves downloading and installing the latest patches for operating systems.
Step #4: Implement Strong Access Control Measures
Does your organization restrict access to cardholder data on a need-to-know basis across the business?
Does each person with computer access have a unique ID assigned?
Are physical safeguards or restrictions to physical access to cardholder data established across your organization?
The PCI DSS requires strong internal controls, especially when it comes to access to systems and customer information. First, organizations should not require cardholders to provide additional personal information that is not required to process business transactions. Second, enterprises need to internally restrict access to cardholder data only to those who are processing transactions. Third, each person with computer access to the systems must be assigned a unique ID or confidential identification number. Finally, physical access to cardholder data must also be restricted by enterprises. This includes the use of secure locations in keeping paper documents containing cardholders’ personal information, proper disposal of documents, limiting duplication of documents, and even the utilization of locks and chains in securing offices where documents are kept.
Step #5: Regularly Monitor and Test Networks
Does your organization track and monitor all access to network resources and cardholder data?
Does your organization regularly test security systems and processes?
Meeting PCI DSS compliance requirements goes beyond establishing safeguards and security procedures. Organizations also have to continually monitor and test their networks and systems, as well as track and monitor access to cardholder data and network resources to identify risk areas. Understanding the flow of information or cardholder data also prevents potential leakages in the systems. Frequently stress-testing security systems and procedures will also ensure that they can handle malicious attacks of varying degrees of complexity.
Step #6: Maintain an Information Security Policy
Does your organization maintain a formal policy that addresses information security for employees, contractors, and all partners?
The final step in complying with the PCI DSS is formalizing security measures across entire organizations by creating and maintaining a formal policy that everyone in an organization and its partners should follow.
Reduce the Scope of PCI DSS Compliance with Tokenization
PCI DSS compliance offers tremendous benefits to organizations and businesses. Aside from being a proven security measure to prevent attacks against enterprises and protect customer data, compliance with the PCI DSS also increases customer confidence. Since people are now more aware of the security risks associated with giving away their credit card information, more customers look for PCI compliance to be sure that organizations are following best practices in protecting their information.
However, despite these business benefits, organizations still find the compliance procedures burdensome and time-consuming. Most organizations, especially e-commerce merchants, have to dedicate time, money, and resources away from their strategic objectives in order to comply with PCI regulations.
Tokenization enables organizations to replace sensitive data such as personally identifiable information with surrogate data or tokens. Instead of using cardholder data to process transactions and storing them in repositories, organizations can use and store randomly generated tokens. Thus, these organizations are able to reduce the scope of systems and applications that must be compliant with the PCI DSS and other payment card security standards and focus on their strategic objectives.
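The tokenization flow described above, as an added example (not code from the original article or from any vendor's product): a hypothetical in-memory `TokenVault` swaps a card number for a random token of the same length and digit-only format, and only the vault can map it back. The Luhn rejection of candidate tokens and the HMAC lookup index are assumptions made here, not requirements stated on the page.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault; in practice a separate, access-controlled service."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._by_token = {}                        # token -> PAN (encrypted at rest in practice)
        self._by_pan_mac = {}                      # HMAC(PAN) -> token

    def _mac(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        mac = self._mac(pan)
        if mac in self._by_pan_mac:                # same PAN always maps to the same token
            return self._by_pan_mac[mac]
        while True:
            # Random digits of the same length: no mathematical relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Reject Luhn-valid candidates so a token cannot be mistaken for a real card.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan_mac[mac] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]               # KeyError for unknown tokens


TEST_PAN = "4111111111111111"  # constructed sample: a well-known test number, not a real card
```

Systems that store and process only the returned tokens never hold the card number; the vault is the component that remains in scope.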
Liaison’s tokenization solution stores sensitive data in Liaison’s encrypted cloud, narrowing the scope of an organization’s systems, applications, and processes that need to be audited for compliance with PCI DSS and even HIPAA. Delivered using the ALLOY™ Platform, Liaison’s cloud tokenization technology manages the competing objectives of access and security by substituting sensitive data throughout enterprise systems with format-preserving tokens. This enables enterprises to avoid the need for back-end system modifications and allows data analysis operations to continue as usual.
With Liaison’s tokenization technology, enterprises can minimize points of risk by allowing customers to bypass their systems altogether and transmit payment card data directly to Liaison’s cloud. Enterprises can also minimize costs associated with compliance with PCI DSS requirements or building on-premise tokenization solutions. Contact our data experts to learn more about this solution.