PCI-DSS Compliance:
Throughout history, people have sought to protect their valuable possessions. In today’s world, credit card numbers are among the most valuable assets we have. To ensure their protection, the Payment Card Industry (PCI) Security Standards Council has created their Data Security Standard (DSS).
For any organization that stores, processes, or transmits Primary Account Number (PAN) data, failure to comply with PCI DSS can have serious consequences: fines of up to US$500,000 per incident, increased fees, restrictions, and even removal of processing privileges. Yet even these fines look insignificant compared to the consequences of sensitive data being compromised because PCI DSS was not followed. Apart from externally imposed penalties, the organization will also face irate customers, possible lawsuits, heavy regulatory oversight, costly repairs to its systems, lost goodwill, and lost business. The true cost of a breach is estimated at $90+ per record. At that level of cost, an ounce of prevention for PCI DSS is indeed worth a pound of cure.
The PCI DSS is at the forefront of the drive toward cutting-edge security best practices, at a time when companies are taking a heightened interest in security guidelines for their sensitive data, whether credit card related or not. Even for companies that are not obligated to comply, the PCI DSS offers an authoritative road map for high-security systems and processes that can help guard a company’s data.
The Origin of the PCI DSS Standard.
With the advent of the Internet and the explosion of e-commerce, the payment card industry faces an unprecedented level of security risk. As PAN data is transmitted across an increasingly wide range of electronic networks, industry leaders realized they had to collaborate on how to address security risks to cardholder data.
The PCI Security Standards Council created the PCI DSS, an authoritative roadmap for implementing high-security systems and processes. The PCI DSS is a multifaceted security standard developed as a collaborative effort among six industry-leading companies: Visa, MasterCard, American Express, Diners Club, Discover, and JCB USA, as well as many major merchants. Comprising twelve major requirements, each with several individual categories, the PCI DSS is a comprehensive standard that covers security management, policies, procedures, network architecture, software design, and other hardened security measures.
GlobalSCAPE, a leader in secure file management, is directly involved in this collaboration as a participating member of the PCI Security Standards Council and plays a role in the continuing development of the PCI DSS.
The Challenge of PCI DSS Compliance.
Technology solutions have simplified much of modern business operations. However, enterprise compliance to any standard, including the PCI DSS, involves far more than a technology solution. PCI DSS Compliance is a doctrine that must be integrated into your IT procedures. With so many tasks from implementation to enforcement of the standard, where can you find the resources to comply?
The GlobalSCAPE HS-PCI solution is designed to facilitate this integration. By providing security measures for data storage, access, and transmission, the HS-PCI solution supports the technology requirements of the PCI DSS. In addition, the HS-PCI solution helps enforce procedures and policies: it monitors and reports on PCI DSS compliance using prompts and warnings, while still permitting flexibility by allowing non-compliant settings, provided a compensating control is described.
A compensating control is a method of risk mitigation that differs from the requirement detailed in the PCI DSS, yet has the same effect.
Use the chart on page 7, and the outline that follows, as a guide to identify and plan for all the factors that will need to be addressed in your compliance strategy.
Who Must Comply?
Any organization that stores, processes, or transmits Primary Account Number (PAN) data is required to comply with the PCI DSS. These organizations are divided into four levels of PCI DSS risk, driven by the company’s transaction volume. The levels range from Level 1, companies handling over 6,000,000 transactions per year, to Level 4, companies handling fewer than 20,000 transactions per year. PCI DSS compliance at all levels is mandatory, but reporting and scanning requirements differ depending upon transaction volume.
The table below describes the measures that you must take to validate compliance within your organization.
Qualified Security Assessors (QSAs) are entities certified by the PCI DSS to validate compliance. Only Level 1 merchants are required to use a QSA; the other levels are required to self-assess their compliance and have the option of bringing in a QSA.