Businesses need to store and transfer credit card information digitally. This requires data security standards to avoid cybercrime. That’s why the four horsemen of the payment apocalypse (Visa, Mastercard, Amex, and Discover) set aside their competition to create PCI compliance. In this article, we will go over your burning questions: “What does PCI stand for?” and “What is PCI compliance?”
What Does PCI Stand For?
PCI stands for Payment Card Industry. The abbreviation PCI is often accompanied by the acronym DSS. What does DSS stand for, you’re wondering? Data Security Standard. PCI DSS is all about storing debit and credit card information securely. These standardized regulations were put forth by the PCI Security Standards Council.
Card networks and banks may not work with your business if you do not meet PCI payment standards. Or, you may be charged a high fine for every month you remain PCI non-compliant. Either way, the consequences are serious: you could lose the ability to accept credit cards, or the fines could put you in a financial bind.
Fortunately, there is a very easy solution to staying PCI compliant, which is to work with your payment processor to follow the guidelines and standards. At ECS, we work directly with Authorize.net to get you squared away with compliance.
Is PCI Compliance Important?
In 2013, 40 million Target shoppers had their personal financial information compromised because of some very dedicated hackers (and as it turns out, most hackers are very dedicated to their profession). They used a phishing email sent to a Target contractor (for HVAC, no less) to get into Target’s back door.
Not literally, of course, but rather Target’s data systems. Target had given the HVAC contractor access to these systems for some aspects of their work. But this access became an Achilles’ heel that allowed the hackers to enter Target’s data.
This saga is not unique to the retail landscape. Other big data breaches have hit Yahoo (13 billion compromised accounts), LinkedIn (700 million), and Facebook (533 million). But cyberattacks do not just focus on big business. In fact, 82% of ransomware attacks are against companies with less than 1,000 employees.
Let’s dive into some more data to see how important PCI compliance is. Small businesses receive the highest rate of phishing emails (1 in 323). Their employees experience 350% more social engineering attacks.
And small businesses have something to lose: 87% retain customer data that could be stolen, and 27% of them have no plan to secure payment data. Now that we’ve seen the importance of securing cardholder data, let’s take a look at the components of staying PCI compliant.
PCI Compliance Means Using Firewalls
A firewall is a digital fortification that prevents unknown parties from accessing information. Firewalls are often a first line of defense against potential hackers attempting to steal payment information. Like an actual wall, they are meant to keep threats out.
Firewalls are a complicated topic, but in a nutshell, they work like this: the firewall creates gateways called choke points through which network traffic must pass on its way in or out. At these gateways, the firewall inspects the traffic against its configured rules to weed out suspicious entrants.
A firewall could be used to protect stored data, or it could be used to protect live traffic on a site. A WAF, or web application firewall, can filter and block suspicious requests and addresses. A WAF can be cloud-based or built into a network. Either way, it’s a line of defense against unwanted parties, such as a criminal trying to collect credit card numbers.
PCI Compliance Means Encrypting Stored Data
Another security control for protecting access to cardholder data is encryption. Encryption does not involve burying information in a subterranean sepulcher, but rather translating it into garbled jargon. This garbled jargon will be totally meaningless to outsiders.
That’s because the jargon can only be unscrambled by someone who holds the decryption key. Anyone without the key will not be able to translate the data back into something useful. Additionally, for PCI DSS compliance, the encryption must be produced by a recognized, strong cryptographic algorithm.
Such algorithms turn readable card data into ciphertext that looks like a random string of information. That output would be almost impossible for an outsider to crack, since without the key it has no discernible relationship to the card numbers it conceals. Finally, in addition to the cardholder data being encrypted, the encryption keys themselves must be encrypted as well.
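To make those two layers concrete (encrypted card data, and keys that are themselves encrypted), here is an added example in Go that is not part of the original article or of any ECS product: it seals a card number under a random data-encrypting key with AES-256-GCM and wraps that key under a separate key-encrypting key, so the database holds only ciphertext. The KEK, the 32-byte key sizes and the card number used in testing are assumptions of the example; a production system would keep the KEK in an HSM or key management service rather than in application memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredCard is the database record: the PAN sealed under a per-record data-encrypting key
// (DEK), and that DEK sealed under the key-encrypting key (KEK), which never touches the database.
type StoredCard struct{ EncryptedPAN, EncryptedDEK []byte }

// must turns errors that can only come from programming mistakes (bad key size) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal encrypts with AES-256-GCM and a fresh random nonce, prepended so one blob is stored.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a tampered blob yields an error, never garbage plaintext.
func open(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
// StorePAN draws a random 256-bit DEK, encrypts the PAN with it, then wraps the DEK with the KEK.
func StorePAN(kek []byte, pan string) StoredCard {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return StoredCard{EncryptedPAN: seal(dek, []byte(pan)), EncryptedDEK: seal(kek, dek)}
}
// LoadPAN unwraps the DEK with the KEK, then decrypts the PAN; rotating the KEK only re-wraps DEKs.
func LoadPAN(kek []byte, rec StoredCard) (string, error) {
	dek, err := open(kek, rec.EncryptedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, rec.EncryptedPAN)
	return string(pan), err
}
```

Because GCM authenticates the ciphertext, a wrong key or a modified record fails loudly instead of yielding a plausible-looking wrong card number.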
PCI Compliance Means Secure Storing of Passwords
Gone are the days when you could use your birthday as a password. It’s easy for a cybercriminal to find out who owns your business (you) and then find your birthday on social media. If they can’t do that, they may be able to purchase that information on the dark web.
If your passwords are too easy to guess based on personal information, cybercriminals (from even a remote location) can enter your software and even hardware. Things are much worse if all your login information is the same.
To prevent this problem, PCI compliant businesses are required to keep a list of devices and their passwords in a secure location. They are also required to avoid using generic passwords that might come pre-set with the hardware. And lastly, they must have procedures in place for maintaining the passwords, such as changing them periodically.
PCI Compliance Means Using Anti-Virus Software
Antivirus software protects your software and hardware from computer viruses. There are many different kinds of computer viruses, and different end goals for the hackers involved. Sometimes they will break into systems and hold them for ransom until payment is made for their release (often in bitcoin or another digital currency).
In the case of financial recordkeeping, viruses may be meant to enter a system and allow hackers to scoop up sensitive cardholder data. This is often what happens during a data breach. Often something called a Trojan Horse Virus will be used.
Like the big wooden horse used by the Greeks in the Trojan War, a benign-looking piece of data (an email or text, for instance) will contain some hidden soldiers that open a back door and allow the criminal army to come in. Anti-virus software can detect, block, and remove such threats. However, it must be regularly updated to defend against the most recent viruses.
PCI Compliance Means Keeping Information Private
Most of your employees have no reason to access cardholder data. A big part of PCI compliance means that the only people with access to payment processing information are those who actually need to know it.
Staff theft of financial information is unfortunately one of the more common security vulnerabilities. Think, for instance, of a restaurant setting. In times past, restaurant servers would take a tangible card to a register. The card could be away from its owner for up to ten minutes. During this time, an unscrupulous staff person could actually take down card numbers.
This is all the more true with card information stored digitally. PCI compliance requires business owners to show that access to this information is restricted only to individuals who need it, only when they need it.
For instance, sharing an Excel spreadsheet of credit card numbers with all employees might make it easier to quickly run charges with customers over the phone, but it is not PCI compliant. An employee may get fired or quit and then would still possess sensitive customer card information.
PCI Compliance Means Encrypting Sent Data
A lot of data is sent to a lot of different parties all the time in the payment landscape. This data, just like the stored data, must be encrypted. Remember that encrypting data means turning it into meaningless jargon, usually through the assistance of an algorithm.
For instance, let’s suppose you have a contractor out in the field who has physical access to a customer’s card while you are back in the office. This contractor sends you a text with a picture of the customer’s credit card, front and back. This is not a PCI-compliant means of transmitting card information, since it is not encrypted.
What happens later when that contractor hits Flannigans after work for a cold one (or six), and then leaves their phone on the bar while using the restroom? Someone could come along, look at this picture, and take down the card number. You cannot rely on the assumption that most people use passcodes on their phones.
In fact, you can’t really rely on anything other than encryption when it comes to sending information. All the participants in payment processing these days (card networks, banks, and payment processors) encrypt sent data.
PCI Compliance Means Updating Your Software
Old software can be filled with (proverbial) holes through which cybercriminals can enter your systems. To get a sense of this issue, think of an actual physical building. Over time, the building wears down. Decaying wooden doors are easier to kick in. Concrete crumbles and is easier to chip apart. It’s easier for criminals to break and enter the property.
The same is true for old software. Criminals may have learned to exploit a certain weak point in the software, or in the anti-virus software meant to protect it. Software patches close these proverbial holes by updating the affected area. System-wide updates can overhaul the entire system.
Updated anti-virus software, for instance, is crucial for thwarting the latest threats in cyber criminality. To give you some sense of how consistently these updates must be applied, know that thousands of new viruses are created every day.
PCI Compliance Means Physically Securing Stored Data
Data is not always just digital. Sometimes payment information will be stored on paper, such as a contractual form for authorizing a recurring payment. Alternatively, stored information might include a master list of passwords and devices in the business.
This sensitive data must be securely stored, physically. That means, for instance, behind lock and key (or combo lock). In a brick-and-mortar retail setting, it might be tempting to post a spreadsheet of devices and passwords in the employee break room. After all, if you’re out golfing, you don’t want to have to take a phone call about how to log into the wifi.
But this is the type of sensitive information you need to store securely. Moreover, any time this data is accessed, it should be logged, along with the reason for it. This brings us to our next point…
PCI Compliance Means Having Access Logs
As just mentioned, access to data must be logged. For instance, if a POS needs to be restarted, and an employee needs to rest their eyes on the coveted sacred master sheet of passwords, the date, time, and reason for that glance should be logged.
Not requiring staff to sign a logbook when they access data opens the door to all sorts of problems. For one, employees may nonchalantly access data and then leave it out for other people to find. Creating a process whereby formalities are observed makes it harder for careless mistakes to happen.
Another benefit to this restricted access is that it can help trace back the origin of a data breach. If you know that such-and-such an employee accessed cardholder data at a certain time on a specific date, you can question them and other employees on duty in the event of a breach.
If their access occurred digitally, you can examine texts, emails, and other correspondences that might have contained a Trojan Horse. This investigative work is facilitated by logging the date and time data was accessed, so that unwarranted access may be pinpointed.
PCI Compliance Means Unique Identifiers
Each person who accesses sensitive information should have an individual identifier for logging into systems that retain cardholder data. There should not be one password shared by a dozen people to access stored payment information, for instance.
Unique IDs create less vulnerability, especially if other systems are in place to thwart their misuse. For instance (in a very high-tech example), employee punch-ins can be coordinated with the availability of specific passwords so that only on-duty employees can use their ID. This alone makes it harder for criminals to access information if one person’s ID is compromised.
Unique IDs can also help isolate a data breach. If it is known whose ID was used to access said data, that person can be called to account, or an investigation can start into who used their ID to access the sensitive information.
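As an added illustration (not from the original article or from ECS), the following Go program reviews a small, constructed access log of the kind the last two sections describe: it flags shared accounts that cannot be tied to one person, accesses that fall outside the user's scheduled shift, and entries with no recorded reason. The account names, shift times and log entries are all made up for the example.

```go
package main

import (
	"strings"
	"time"
)

// AccessEvent is one line of the log the article calls for: who looked at cardholder data, when, and why.
type AccessEvent struct{ User, Reason string; At time.Time }
// Shift is one employee's on-duty window, taken from the time clock or schedule.
type Shift struct{ User string; Start, End time.Time }
// sharedIDs are account names nobody personally owns; their use cannot be attributed to one person.
var sharedIDs = map[string]bool{"admin": true, "manager": true, "pos": true}
// ReviewAccess returns one finding per event that should not pass an access review: a shared
// ID, a personal ID used while its owner was not on shift, or a missing reason.
func ReviewAccess(events []AccessEvent, shifts []Shift) []string {
	var findings []string
	for _, ev := range events {
		when := ev.At.Format("2006-01-02 15:04")
		switch {
		case sharedIDs[strings.ToLower(ev.User)]:
			findings = append(findings, when+": shared account "+ev.User+" used; cannot attribute to a person")
		case !onShift(ev, shifts):
			findings = append(findings, when+": "+ev.User+" accessed data while off shift; verify who used this ID")
		}
		if strings.TrimSpace(ev.Reason) == "" {
			findings = append(findings, when+": "+ev.User+" recorded no reason for access")
		}
	}
	return findings
}
// onShift reports whether ev.User had a scheduled shift covering ev.At.
func onShift(ev AccessEvent, shifts []Shift) bool {
	for _, s := range shifts {
		if s.User == ev.User && !ev.At.Before(s.Start) && ev.At.Before(s.End) {
			return true
		}
	}
	return false
}
// SampleData is constructed input: three accesses on one day and one scheduled shift.
func SampleData() ([]AccessEvent, []Shift) {
	at := func(h, m int) time.Time { return time.Date(2024, 3, 5, h, m, 0, 0, time.UTC) }
	events := []AccessEvent{
		{"jdoe", "POS restart; needed terminal password", at(10, 15)},
		{"admin", "monthly reconciliation", at(12, 0)},
		{"jdoe", "", at(23, 40)},
	}
	return events, []Shift{{"jdoe", at(9, 0), at(17, 0)}}
}
```

On the sample data, the 10:15 access by jdoe passes, while the shared "admin" login and the late-night jdoe entry each produce findings an owner can follow up on.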
PCI Compliance Means Creating Workflows and Procedures
Workflows and procedures dictate how your business operates. Pretty much all corporations have thick handbooks that specify every detail of company policy, from rules about employee bathroom breaks to high-level marketing strategies.
Your small or midsize business may not have such a copy of War and Peace. But it probably does have some workflows and procedures that have become traditions. For instance, as soon as you flip that closed sign to open, you may turn on the battery-powered lucky cat by the register (meow).
Unfortunately, traditions are not enough for PCI compliance. You must have documented procedures in place that outline the flow of information and how it is secured. A company policy vis-a-vis PCI compliance may spell out, for instance, who can access payment information and under what circumstances.
PCI Compliance Means Constantly Scanning and Testing
It’s not enough to get PCI compliance in place and rest on your laurels. Of course, if you’re running a business, there is not much time for resting on your laurels anyway. But to maintain PCI compliance, you need to constantly and proactively check your systems.
In addition to the general standards put forth by the PCI Security Standards Council, you should have an assessment questionnaire for your business. Is the anti-virus software up to date? Are all hardware systems functional? Did you change the passwords this month? Are procedures for accessing payment information set down in writing?
These questions are contained in the PCI SAQ, or Self-Assessment Questionnaire. The SAQ must be completed and submitted regularly to make sure you remain PCI compliant. Note that there are several types of SAQ, depending on what kind of business you run.
Beyond the SAQ, a regular assessment includes scanning and testing your software. The global IT cybersecurity market is expected to hit a market valuation of $425 billion by 2030, growing at a CAGR of almost 14%. That’s a lot of money invested in proactive defense. Your business must also be proactive about defense, as 61% of small and midsize businesses were subjected to a cyberattack in 2023.
How to Stay PCI Compliant
Some businesses cannot simply avoid keeping card data on file; to collect recurring payments, they need to store cardholder data. Even businesses that are not subscription-based may want to allow customers to create loyalty accounts in which payment info is saved.
Certain security standards must be met for Visa, Mastercard, Amex, or Discover to work with you. In terms of passwords, you cannot use the defaults supplied with your systems. You cannot use a public network (like the shopping mall wifi) for storing customer information. You have to track and monitor cyber threats with anti-virus software.
Some of these things seem easy enough to do on your own. But others, like encrypting data and testing and monitoring your systems, may be a little more challenging.
You may need a dedicated IT team to monitor your security systems. But the right payment processor, like ECS Payments, can offer payment solutions with integrated security features such as encryption and tokenization.
If you have any questions about PCI compliance, what it entails, and what risks are present without it, give us a call or fill out the contact form below.