It’s hard to believe the payment card industry data security standard (PCI DSS) is 16 years old at this point. Although it’s experienced different updates and iterations over the years, this standard has provided an industry-defined payment processing and data storage framework for more than a decade and a half.
Still, compliance remains a challenge for many organisations. Verizon’s 2020 Payment Security Report found that PCI DSS compliance continued on a declining trend, with only 27.9% of organisations granted interim validation achieving compliance during the previous year.
So how can your business rise above the fray whilst avoiding costly penalties and damaging headlines down the line? It starts with identifying the level under which you’re categorised for PCI DSS purposes.
Your merchant level provides crucial guidance for understanding what you need to do in order to become compliant with the standard. The tier or category to which you belong will also help determine the penalties your business will face if issues emerge.
While PCI DSS involves a great deal of standardisation, your merchant level may vary based on the card company in question. In general, according to the Discover Global Network, the merchant levels are:
It’s a good idea to cross-reference these levels based on the accepted forms of payment at your business.
Achieving PCI DSS compliance provides reasonable assurance that you are handling sensitive customer data responsibly whilst limiting your liability to fines from card companies in the future. To accomplish this goal, follow these strategies.
This strategy helps manage risk, minimise the cost of compliance and ensure that controls are focused on the areas of greatest risk. Reducing the scope can be accomplished by changing business processes or by segmenting the systems that handle cardholder data from the rest of your technology environment.
That said, once your processes are optimised, compliance isn’t enough. Instead, you should view PCI DSS adherence as the minimum acceptable outcome for your operation. It’s true that you want to ensure you’ve successfully balanced customer convenience with security, but aim for policies, procedures and technologies that far surpass the minimum requirements.
As part of your efforts to go beyond the minimum, you should ideally identify technologies and processes that can help you surpass the expectations in the standard. Review your policy, enhance it, and then look for blind spots with the help of official questionnaires, which may be required for compliance purposes. Find out which assessment applies to your business by visiting the PCI Security Standards Council (PCI SSC) website.
This strategy applies just as much to patching and software updates as it does to policy reviews and new workflow rollouts. After you complete your assessment, make sure you craft a detailed plan for implementing the required changes on a prompt but realistic timetable.
Even the most dedicated internal staff members may have some inherent biases about the systems with which they’ve worked so closely. Robust testing and external consultations can help you further refine your approach to security.
It’s important to systematise your data security strategies. If you identify gaps during your testing, don’t just patch what’s in front of you. Dig deeper to resolve the processes that led to this oversight in the first place. It’s also important to conduct new security reviews if you change vendors. Continue to revise your strategy on a rolling basis as needed.
The cyber security landscape is dynamic. As companies are forced to respond to changing global circumstances — like the shift to remote work that resulted from the Covid-19 pandemic — security efforts must keep pace.
A recent PCI SSC blog outlined some remote work precautions to be mindful of whilst ensuring PCI DSS compliance. The group recommends:
As we’ve mentioned, outside support can be crucial for counteracting institutional blind spots with regard to cyber security and the steps that are necessary for achieving PCI DSS compliance. With the financial risks posed by potential fines and the devastating impacts of data breaches, an outside perspective can make all the difference for business success. Contact 1 Cyber Valley today to find out how we can help.