Cybersecurity is arguably one of the most prominent concerns for businesses and customers alike. Companies must protect their patrons’ information to nurture an ongoing professional relationship and keep customers coming back. When that trust is broken, such as in a data breach, a company’s reputation can spiral downward rapidly, not to mention the cost of mitigating the damage. In this post, we dive into the details of what PCI DSS is, how cyber liability plays a role, and how to tell if you’re compliant.
What Is PCI DSS?
According to the Privacy Rights Clearinghouse, more than 8,500 data breaches have played out since 2005, compromising over 11 billion consumer records. In response to these stark numbers, five credit card companies joined forces in 2006 to develop the Payment Card Industry Security Standards Council (PCI SSC). These companies included Visa, Mastercard, American Express, Discover, and JCB.
The PCI SSC aimed to regulate and manage security standards for businesses that handle credit card information. While each of the five companies already had its own, broadly similar requirements, the PCI SSC aligned them into a single standard policy. This baseline is known as the PCI Data Security Standard, or PCI DSS for short.
What Role Does Cyber Liability Play?
Keep in mind that PCI DSS isn’t law. Instead, it’s a blueprint to help protect consumers and banks operating on the web. However, companies that aren’t PCI DSS compliant face multiple consequences: damaged business relationships, fines, and penalties, among others. That is mainly because when you accept, transmit, or store any credit card information, you run the risk of a data breach. Cybercriminals love to get their hands on loads of customer data, after all.
This means your business must treat cyber liability as a top priority. Beyond merely complying with PCI DSS requirements, cyber liability refers mostly to data breaches and recovering from them, which is where a cyber liability insurance policy can help you, too.
That said, cybercriminals are becoming more sophisticated with multi-tiered attacks, so experiencing a data breach is something most companies will have to navigate. Unfortunately, over 43% of data breaches hit small businesses. Plus, 67% of the recovery costs following a data breach are incurred in the first year after the attack, which is often enough of a blow to shutter a business.
Consider this: cybercriminals can earn up to $2.2 million by stealing only ten credit cards per website through formjacking attacks. PCI DSS compliance works to prevent such losses, but how vulnerable are you?
For example, how do you store your customers’ data, such as credit card information? Some companies use a service provider or a gateway to stash away vital information. No matter how you store data, the mere act of collecting and using sensitive information makes you liable for it.
Unfortunately, payment brands can fine an acquiring bank $5,000 to $100,000 for PCI compliance violations. Eventually, these fines trickle down to the merchant, aka your company. That is why the PCI SSC created the PCI DSS as a baseline to help companies protect both their customers and the financial institutions involved in transactions.
What Are the Requirements for PCI DSS Compliance?
PCI DSS compliance involves three main elements: handling credit card data, storing it securely, and completing a PCI validation form each year. However, the most current version, PCI DSS Version 3.2.1, consists of a 12-point requirement list with 300+ sub-requirements. The 12 main requirements are:
Who Must Comply with PCI Data Security Standards?
PCI DSS applies to any business, regardless of its size, that collects, transmits, or stores any cardholder information. According to the PCI DSS Quick Reference Guide Order Form, “While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs.”
Nevertheless, if you handle any cardholder information, it’s best to know where you fit in concerning PCI DSS compliance. That is mainly because merchant levels exist, and they require companies to comply with an increasingly complex set of standards based on their operations. Here is an outline of the merchant levels:
Is Your Business Compliant with PCI DSS?
Complying with PCI Data Security Standards is a chief goal when it comes to cyber liability. But reading through a 300-page document is no one’s idea of fun. In other words, compliance can be a confusing process. That said, here are a few simplified steps toward PCI DSS compliance:
- Figure out which parts of your systems and networks need to be PCI DSS compliant.
- Assess your system compliance by using PCI DSS testing requirements.
- Allow an assessor to complete the essential documentation, such as the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
- Complete the correct Attestation of Compliance (AOC).
- Submit the SAQ, ROC, AOC, and other documentation to the appropriate party.
- Address any non-compliant parts of your systems and networks, and then submit an updated report.
To break it down even more, here are some details to consider when executing your step-by-step compliance plan.
Know Which Requirements Apply to Your Company
As mentioned above, different parts of PCI DSS apply to varying levels of business. Each organization must know exactly where it falls regarding compliance requirements. The PCI DSS Self-Assessment Questionnaire can help you determine categorization. Once you know your company’s PCI DSS “level,” you can move forward with compliance.
Create a Map of Your Data Systems
It’s best to recruit your IT and security team for this portion, which is to map out your systems and networks. Knowing how everything works together is a vital step in PCI DSS compliance. Leave no stone unturned: focus on payment transactions first, move on to how you handle cardholder information, and finally pinpoint any systems that touch payment transactions, since every system that stores, processes, or transmits cardholder data is in scope.
Ensure Security Configurations and Protocol
This part is where the 12-point requirements (listed above) enter stage left. After your team maps your data systems effectively, it’s time to review all your security configurations and protocols. Again, due diligence will pay off significantly in terms of cyber liability and PCI DSS compliance. Be mindful of other regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Make PCI Compliance an Ongoing Process
As you might have guessed, PCI DSS compliance isn’t a one-time deal. Instead, it’s an ongoing process as your business evolves and technology develops. It’s standard for card brands to require quarterly or annual reports to ensure compliance. Also, because compliance will typically require multi-departmental collaboration, it’s not a bad idea to establish a “PCI team.”