Is your organization PCI compliant? If not, you could be susceptible to a credit card data breach. Here’s what PCI compliance means for your business, and how to achieve it.
Started in 2004 by the American Express, Discover, MasterCard, and Visa credit card companies, the Payment Card Industry Data Security Standard (PCI DSS) is a set of standards established to ensure the protection of customer data. The standards apply to any company of any size that accepts credit card payments. Therefore, if your business processes, stores, and transmits customers' credit card information, you must comply with the PCI standard to protect that data and to mitigate the possibility of a data breach.
Credit card breaches are, unfortunately, still a common occurrence. In January of 2018, OnePlus revealed that an infected server had compromised the information of up to 40,000 customers. In March of this year, Orbitz announced that 880,000 credit cards may have been exposed. And just last month, a software service provider for Delta and Sears revealed that a breach from last October resulted in the leak of credit card information of hundreds of thousands of customers.
The culprit is usually malware introduced through faulty protection policies. According to a Verizon report, 80 percent of organizations are not PCI compliant. Clearly, there’s still work to be done.
How do you prevent data breaches and comply with PCI? By following these core objectives:
Know What Data Must Be Protected
Cardholder data specifically refers to the credit card number, cardholder name, expiration date, and security code (the three numbers on the back of the card). Note that the security code is classed as sensitive authentication data and must never be retained after a transaction is authorized, even in encrypted form. Work out what counts as sensitive data, including personally identifiable information such as names and home addresses that can be linked back to an individual. Find out where that data is kept in your systems, how it is transmitted, and whether it should be stored at all.
If Possible, Do Not Store That Sensitive Data
Instead, use a system that does not require sensitive information to be stored when customers are charged. If data absolutely must be stored, restrict access to the employees who need it for their work. Give each of those team members unique credentials, backed by authorization controls, password encryption, two-factor authentication, login time limits, and similar best practices.
Train Your Employees on a Regular Basis for Increased Security Awareness
Maintain policies that define which apps, devices, and technologies administrators and employees may use, so that shadow IT does not take hold. Review these information security policies regularly. Use, maintain, and regularly update anti-virus software, and perform regular vulnerability scans and penetration tests to uncover any security gaps. Properly configure firewalls and limit remote access to networks as much as possible.
Encrypt Cardholder Data Across All Networks
Encryption is the best possible way to protect sensitive information. Solutions such as eperi Gateway also provide encryption through pseudonymization, which renders personal information unreadable before it is transmitted to a web service. That way, no sensitive information gets compromised even in the event of a data breach. Only those who hold the encryption keys can decrypt the data, and the encryption keys are always in the hands of the company that uses eperi Gateway.
Like the General Data Protection Regulation (GDPR), which requires the complete protection of the data of European Union citizens, the PCI Security Standards Council can impose steep fines in the event of a data breach that could have been prevented with adequate data protection.