According to CPA Practice Advisor, worldwide digital payments are expected to hit $6.6 trillion in 2021, an all-time high for the industry.
With so many people making payments digitally using cards and devices, it’s important to ensure that your business provides customers with a safe, secure, and digital way to pay. However, when handling digital payments and customer data, it’s essential to be compliant with PCI DSS regulations.
PCI DSS, or Payment Card Industry Data Security Standard, is a term many people have heard of, but it's not an easy one to understand. It can be a complex topic, and it can be difficult to know what the requirements are and what your business needs to do to remain compliant.
In this article, we’ll provide a clear description of PCI DSS and give some actionable steps your business can take to get and remain compliant.
Let’s start by learning exactly what PCI DSS is and what it means for businesses.
PCI DSS is a set of security standards created by the PCI Security Standards Council. The standards aim to reduce the threat of data breaches and digital fraud by holding all businesses to the same security requirements. Any merchant or organization that handles credit card payment data is required to have protocols in place to securely store it and protect it from cybersecurity threats.
PCI DSS was founded by the PCI SSC, which was made up of major credit card companies like Visa, Mastercard, and American Express, as they realized that credit card companies and businesses in other verticals were all united by an interest in preventing cybersecurity threats and credit card fraud. Companies were keen to protect their consumer data, and credit card companies were also keen to limit liability for losses as a result of data breaches.
By creating the PCI standards, they ensured that all companies were working towards the same goal and keeping to the same security standards. The first version of PCI DSS was introduced in 2004, and the standards have been continually updated to keep up with current trends in the card payment industry. The most recent version of PCI DSS is 3.2.1 and centers around 12 core requirements. Here’s a list of the requirements:
The answer to this one is simple - if your business processes, stores, or transmits card data, you MUST be PCI DSS compliant. Keep reading to learn more about the different compliance requirements and standards to find out how you can get compliant.
In order to comply with PCI data security standards, there are three main tasks that are required. These are:
Here are some steps you should take in order to get compliant.
In order to ensure that businesses of every size are staying on top of their compliance responsibilities, PCI DSS separates businesses into 4 levels. It’s important to know these levels in order to put the right security processes in place. The levels are determined mainly by the number of transactions a business handles. Here’s a breakdown of the 4 levels.
Level 1: Organizations that process 6 million+ transactions a year. If an organization processes fewer than this but has had a data breach, it will also be classified as level 1. Similarly, credit card companies can classify merchants as level 1 at their own discretion.
Level 2: Organizations that process 1 million to 6 million transactions across all channels.
Level 3: Organizations that process between 20,000 and 1 million e-commerce transactions each year.
Level 4: Organizations that process fewer than 20,000 e-commerce transactions each year or any organization that processes up to 1 million regular transactions every year.
In order to stay on top of your card data management and ensure that it is being collected and stored correctly, it’s important to know exactly where it is coming from and how it flows through your various systems. To do this, you’ll need to create a comprehensive map of your systems and applications so that you have a clear picture of how sensitive data is managed. This can get quite complex, so you’ll need to work together with your IT and security teams (if you have them) or outsource these tasks to an expert. Here are the steps you’ll need to take to create a detailed map.
The first thing you’ll need to do is identify every customer-facing area of your business where a payment transaction can be completed. This includes physical stores and e-commerce, as well as payments taken by phone.
Once you’ve created a list of each customer-facing transaction point, you should then detail how the data is handled at each point. Are the payments taken via a POS system? Which digital payment terminal do you use for eCommerce transactions? Does your staff manually record data that is transmitted verbally over the phone? Having an accurate record of these details will make it easier to identify security weak spots in your workflows, and it will help you to identify breaches more easily if they happen.
For consumers, making a card payment is as simple as inputting their card details and hitting pay, or even tapping their card on a POS terminal. However, behind the scenes, lots of different systems and applications work together to ensure their payments are processed properly.
To remain PCI DSS compliant, you should keep a record of every network, system, and data center that data passes through, and details of cloud-based systems where data is stored. This will mean that you can secure every single step in the payment process to prevent cybersecurity breaches.
After you’ve completed your data flow map, you can then start working with your security teams to put rigid protocols in place to keep your customer data safe. You can then use the 12 security requirements of PCI DSS to guide you in creating a compliant security system. The good news is that many of the principles of PCI DSS will help you to get compliant with other data protection standards including HIPAA and GDPR.
Once you’ve completed the steps above, you should have a solid system in place to stay PCI DSS compliant. However, your responsibilities don’t end there. It’s important to treat PCI DSS compliance as an ongoing task, and you should always be monitoring your data flows and making sure that they are still working for your business.
As your data touchpoints change and your business grows, you’ll find that you need to make changes to your security flows, and it’s important to put a plan in place to stay up-to-date with every department within your business that deals with customers’ data and card payments.
To stay on top of your compliance monitoring, there are a series of auditing tasks that you can complete. We’ll talk about these in more detail in the next section.
There are 4 different ways that you can prove you are PCI compliant and you may be audited using any one of these methods. Here are the details of each PCI audit process:
QSA stands for Qualified Security Assessor. QSAs are certified PCI auditors and complete annual audits on organizations. During these audits, you’ll have to provide all proof of your ongoing compliance processes.
ISA stands for Internal Security Assessor. This person works within an organization and holds a PCI certification in order to continuously audit the organization to ensure ongoing compliance. They must be certified to complete PCI self-assessments.
ROC stands for Report on Compliance. This refers to a form issued by the PCI regulation body that must be completed. ROC audits are only an option for level 1 organizations.
SAQ stands for Self-Assessment Questionnaire. These questionnaires are mandatory for all businesses that fall under PCI regulation. They help companies audit themselves and determine how they are doing when it comes to PCI compliance. Which questionnaire a business is required to complete will be determined by how it processes transactions.
Using the steps above, any business can become PCI compliant, and stay PCI compliant with ongoing PCI maintenance.
Accountable is the founder of The Trust Platform, a platform that helps companies of all sizes integrate compliance, privacy, and trust into every part of their organizations. The platform provides tools and resources to help support our customers and help their businesses to become compliant and remain compliant as they grow.