What is the PCI Data Security Standard and why should I care?
Small businesses are the most vulnerable when it comes to cybersecurity and are often the least equipped to deal with threats and the associated risks. In fact, 22 per cent of Australian small businesses that were victims of the 2017 ransomware attacks are no longer operating.
Similarly, the majority of Australian small businesses still haven’t come to terms with their compliance obligations for handling credit card data and don’t understand the ramifications of poor cybersecurity standards. This can substantially increase the likelihood of being the victim of a data breach, placing businesses at risk.
If your business is involved in online transactions, you may have heard the term ‘Payment Card Industry’ or seen ‘PCI DSS’. For the sake of your business’ financial integrity and for best cybersecurity practice, it is important to have a firm grasp of the concept.
What is PCI DSS?
The Payment Card Industry Data Security Standard, or PCI DSS, is an internationally recognised standard for maintaining the integrity of merchant payments and customer data security. It was originally developed by the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to encourage cardholder data security and secure the global payments ecosystem.
There are twelve core requirements to be PCI DSS compliant:
- Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
- Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
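To make Requirement 3 (protect stored cardholder data) and Requirement 10 (track and monitor access) concrete, here is a small added example; it is not code from the original article or from Ezidebit. It shows how a primary account number (PAN) is masked for display to at most the first six and last four digits, the maximum PCI DSS permits, and a scan over application log lines that flags any line carrying a full, Luhn-valid card number, so a team can catch monitoring data that is itself leaking cardholder data. The log lines are constructed sample data, the card numbers are well-known test numbers rather than real cards, and the function names are this example's own.

```python
"""Added example (not from the original article): PAN masking for display and a
log scan for unmasked card numbers, in support of PCI DSS Requirements 3 and 10.
Sample log lines and card numbers below are constructed for this example.
"""
import re

# Digits with optional single space/dash separators, 13 to 19 digits in total.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits, star out the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(lines):
    """Scan text lines and return (line_number, masked_pan) for each full PAN found.

    A candidate is reported only if it passes the Luhn check, which filters out
    ordinary long numbers such as invoice or order identifiers.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            if luhn_valid(digits):
                # Report the masked form only, so the finding itself is not a leak.
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample log lines; 4111... and 5555... are standard test card numbers.
SAMPLE_LOGS = [
    "2024-05-01 10:02:11 INFO  checkout ok order=1001 card=411111******1111",
    "2024-05-01 10:03:45 DEBUG gateway request card=4111111111111111 exp=12/26",
    "2024-05-01 10:04:02 INFO  refund order=1002 ref=5555-5555-5555-4444",
    "2024-05-01 10:05:30 INFO  invoice number 1234567890123456",
]

if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOGS):
        print(f"line {line_no}: unmasked PAN written to log ({masked})")
```

Running the block reports lines 2 and 3 only: line 1 is already masked, and line 4 carries a 16-digit invoice number that fails the Luhn check. In practice the scan would be run over real log sinks and the result fed to whoever owns the logging configuration, since the fix is to stop writing the PAN at all rather than to clean logs after the fact.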
Depending on how you accept and process cardholder data and your role in the payments ecosystem, there are different levels of compliance activity and audit required. If you outsource all your payment processing systems, then compliance is straightforward: it simply requires you to self-assess your handling of customer data prior to processing by the outsourcer, and to confirm that the organisations you outsource to are appropriately qualified.
In a nutshell, PCI DSS is a set of comprehensive requirements and guidelines to guide the best practices for any entity that stores, processes and/or transmits cardholder data in order to help keep it safe.
Why are Payment Card Industry Data Security Standards so important?
It sounds like a lot of work, but if you and your business are not compliant with the PCI DSS then you face the threat of account data compromise (ADC). Or even worse, you could face fines for data loss or non-compliance.
Don’t let the simple acronym fool you. An ADC is a security breach in which a person or group gains unauthorised access to cardholder data within your business environment, whether in electronic or physical form.
Such a breach can occur in several ways and cause severe damage to your business. It can undermine the confidence banks, partners and customers have in the security of your business, or damage the trust in your brand. A security breach could also put you at risk of financial penalties or the termination of your merchant facility. Small breaches are dangerous too, as they could attract even more hackers to target your business’s digital presence. Often hackers will probe with a small intrusion to gauge your response and, once sure you are not watching, proceed to steal your data, hijack your systems to attack others and finally, extort money from you.
Ezidebit has launched the Merchant Trust Initiative for merchants to improve their cybersecurity and ensure compliance with their obligations in regard to card payment data they collect, transmit and store.
The risks of non-compliance are too big to ignore.