Compliance in the business sphere is often viewed negatively. It requires effort, often a cost layout, and time many business leaders feel can be used to focus on core business. Despite this undeserved attitude compliance is a manner that trust can be built with a customer base. Non-compliance can erode the trust that has taken years to develop in a matter of seconds.
Today’s lesson regards Payment Card Industry Data Security Standards, or PCI DSS for short, compliance. As with any lecture we have boringly sat through normally begins with a definition. There is no better starting point for any discussion on the critical requirements for PCI DSS compliance. The standards were developed by the Payment Card Industry Security Standards Council (PCI SSC) with the intention of protecting both the credit card holder and the merchant processing the data on the card to facilitate payment. To do this the PCI DSS established a set of standards focused on developing standards for how consumer credit card data is managed.
Why does a standard need to be created? The simple answer to that is to protect consumers from credit card fraud in the variety of forms it takes. According to the FBI, American individuals and businesses lost a combined 3,5 billion USD as a result of fraud, including credit card fraud. There is a clear need for standards to be established to try and protect both the consumer and merchant.
When researching PCI DSS on the Internet it is all too easy to be bombarded with too much information. This includes the popular articles regarding trends for a specific year. Fortunately, the information can be simplified down to what are the key requirements businesses should focus on. To that extent, it helps to look at PCI DSS compliance requirements as requirements needing to serve some end goal. One such goal is ensuring a secure network which can be achieved by using a firewall to protect cardholder data and refrain from using default passwords provided by hardware and software vendors.
Other such goal requirement pairs include:
- Protect cardholder data. This can be achieved by securing cardholder data and ensuring that the transmission of said data is always encrypted when being sent over a public network.
- Vulnerability management. This is achieved by regularly updating software and anti-virus packages. This lends itself to the maintenance of a secure network.
- Access Control. Only those who need to access cardholder data should be given that access. Those with access should be given unique IDs that can be logged when accessing the data and accessing the data should be as physically limited as possible.
- Monitor and test. The network should be monitored constantly and tested regularly. With regards to monitoring, all access to the network and cardholder data needs to be logged. The network should also be tested to discover potential vulnerabilities that can be exploited by an attacker.
- Information and security policy. A policy that addresses the organization’s expectations of its employees regarding the handling of information and their responsibilities in maintaining the security of the network needs to be drawn up. This creates consistency regarding the expectations of staff including management.
The attitude of compliance being a nuisance or hindrance often forgets why such compliance exists in the first place. PCI DSS compliance can be seen as a method to protect both consumer and business, but an opportunity to improve the overall security stance of the company. This is proven to build trust, a hard commodity to foster but all too easy to lose.