The Evolving Need for PCI DSS Compliance
The current COVID-19 pandemic has dramatically accelerated a trend that was already on the rise: a move toward many new forms of electronic payment that involve capturing and transmitting credit card data. Businesses have moved to online-only transactions during this crisis, and many consumers don’t want to handle physical money. And with so many employees working from home on their own computers, laptops, and mobile devices, the risk of a data breach is increasing at an exponential rate.
Many companies are vulnerable to breach, theft, and fraud. A single data breach can severely impact a company’s reputation as well as its ability to conduct business in the future. For merchants that process, store, and transmit credit card information, Payment Card Industry Data Security Standard (PCI DSS) compliance has never been more critical.
What is PCI DSS?
PCI DSS stands for the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is a proprietary information security standard that was established in 2004 by the major credit card brands. The standards apply to organizations that handle major branded credit cards, including Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS does not cover private label cards, such as department store credit cards, that are not associated with a major card brand.
The PCI DSS consists of common-sense steps that coincide with widely accepted data security best practices. The goals of the PCI DSS standards are to help merchants securely process credit card transactions and prevent fraud.
PCI DSS Compliance in a Remote World
Remote working is the new normal. Historically, remote workers and PCI DSS compliance have not mixed. The PCI Security Standards Council recently issued a memo regarding remote audits. The council stated that an assessment that would typically need to be conducted on-site could, exceptionally, be conducted remotely if the Qualified Security Assessor (QSA) takes the necessary measures to ensure that the verification performed remotely provides a sufficient level of assurance to confirm that the controls are in place. This could mean, for example, that the QSA will perform additional checks to ensure that the people interviewed and the systems observed are the same as they would have been if the QSA had visited the site.
The council also issued guidance for remote work, stressing the need to maintain security practices to protect payment card data at this time. These best practices for remote work do not replace PCI DSS requirements; they are meant to help companies meet compliance while their employees work from home.
According to the guidance, one of the best ways to guarantee continued compliance is to create and maintain a culture of security within the organization. This can be achieved through a security-awareness program that informs employees about a business’s security policies and procedures and helps them understand their importance both for data security and compliance. If companies were PCI DSS compliant before the ongoing health crisis, they should already have such a program in place as it is part of PCI DSS Requirement 12.6.
With remote work, the need to inform and educate employees increases: they must be made aware of the risks that working from home poses to PCI DSS compliance, and of what they need to do to ensure the continued security of the systems, processes, and equipment that support the processing of payment card data.
Who must be PCI DSS compliant? Does the law require PCI DSS compliance?
While PCI DSS is not mandated by U.S. federal law, some states have statutes that refer to PCI DSS explicitly or contain equivalent mandated standards. Additionally, the major credit card brands require that all organizations, worldwide, that accept or process their cards be compliant with PCI DSS. If your organization processes, stores, or transmits cardholder data, you are required to be compliant with PCI DSS.
What if I’m not Compliant?
PCI compliance is not a law; however, it is a universally required set of rules that all card brands mandate you follow to avoid financial penalties. Most processors will tack noncompliance fees onto your merchant statement if you do not become compliant.
Not being PCI compliant could leave your systems open to a data breach. In 2019, the average cost per data breach in the U.S. was just over $8 million, according to a report from IBM. For most small businesses, that means shutting the doors. Yes, that is extreme; however, there are also additional fines from the card brands that can reach $100,000 per incident. The fine amount depends on a company’s transaction volume, the number of PCI DSS requirements violated, and other factors. And you will keep paying it until you address the issue.
Being out of compliance can also damage your brand. Data breaches can take years to recover from, if you recover at all. It’s better to comply with PCI standards.
Continuum GRC can help with your PCI DSS Compliance needs
Our primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence – in any jurisdiction. Continuum GRC specializes in IT security, risk, privacy, governance, cyberspace law, and compliance leadership solutions and is fully dedicated to global success in these disciplines.
The PCI DSS focuses heavily on proactive steps that organizations can take to secure cardholder data and prevent breaches. Continuum GRC agrees with this approach; we feel that it is much better to be secure and prevent a breach than to have to react to one and face steep fines, legal ramifications, and damage to your organization’s name. Continuum GRC’s services address all PCI DSS compliance requirements, including security management, policies, procedures, network architecture, software design, and other critical proactive cybersecurity measures.
Whether you require assistance with your Self-Assessment Questionnaire or a full Report on Compliance, our Qualified Security Assessor support and QSA-certified ITAM IT audit software modules will guide you through the process and help you identify compliance gaps before the assessment, saving you time and money.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.