The link between PCI DSS and visitor management
Data security is not something you deal with today and forget tomorrow. It’s a continuous process that requires keeping up with the latest technology and policy changes. This holds especially for the Payment Card Industry Data Security Standard (PCI DSS), which is meant to guide companies in their compliance journey and in the long-term security of their consumer payment card transactions.
We take data security seriously and we know you do too. So let’s delve deeper into what PCI DSS actually is, what it means for your business and regulatory compliance, and how the right visitor management system can help.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) “enhances cardholder data security” by providing a set of global security standards.
These standards were developed to ensure that all organizations (not just those based in the US) adopt consistent data security measures whenever they handle credit card information, that is, when:
- processing credit card information,
- storing said information, or
- transmitting said information.
The most recent version of the PCI DSS (PCI DSS version 3.2.1) went into effect on January 1, 2019, adding further clarifications to the existing requirements.
The main goals of PCI DSS are very straightforward - and a lot less frightening than one would expect:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The Security Standards Council
The Payment Card Industry Security Standards Council (PCI SSC)—represented by the payment card brands Visa, Mastercard, American Express, Discover, and JCB International—is the authority that manages the development of the PCI DSS requirements.
However, the Council does not enforce compliance itself; that is done by the individual payment brands or acquiring banks. In fact, its priorities are two-fold:
- Helping vendors create secure payment solutions.
- Helping merchants and financial institutions protect their payment systems from breaches and theft of cardholder data.
Which businesses are affected by the PCI DSS?
As mentioned above, PCI DSS is mandatory for all companies that accept, transmit, or store cardholder data and/or sensitive authentication data.
Also, it applies to “all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers”.
According to PCI, cardholder data and sensitive authentication data include the following:
- Cardholder Data: Primary Account Number (PAN), cardholder name, expiration date, service code
- Sensitive Authentication Data: full track data (magnetic-stripe data or equivalent on a chip), CAV2/CVC2/CVV2/CID, PINs/PIN blocks.
Additionally, PCI DSS requirements differ based on a business’s transaction volume over a 12-month period.
Thus, there are four levels of PCI compliance:
- Level 4: applies to any business processing less than 20,000 transactions annually
- Level 3: applies to any business processing between 20,000 and 1 million transactions annually
- Level 2: applies to any business processing between 1 and 6 million transactions annually
- Level 1: applies to any merchant processing over 6 million transactions annually
If you’re not sure which compliance level applies to your company, make sure to consult with your payment processing provider.
What are the main PCI DSS requirements and how can your business become compliant?
The main requirements that a business has to comply with are the following:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
These requirements map directly onto the six PCI DSS goals mentioned earlier.
PCI compliance is a continuous process
Implementing the PCI Data Security Standard should start with scoping: Every company has to identify all locations and flows of cardholder data and all system components that are connected to the cardholder data environment (CDE). This type of environment is usually comprised of people, processes, and technology that handle cardholder data or sensitive authentication data.
Remember: Scoping is an annual process and must occur prior to the annual assessment.
On the whole, PCI compliance should be understood as a continuous process consisting of the following steps:
- Assess - identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyze them for vulnerabilities
- Remediate - fix any vulnerabilities and eliminate the storage of cardholder data unless absolutely necessary
- Report - compile and submit required reports to the appropriate acquiring bank and card brands
Once your company has updated its processes and security systems, you must go through compliance validation. This process involves the evaluation and confirmation that the security controls and procedures have been properly implemented as required by the PCI DSS requirements.
Validating compliance is accomplished either through a Self-Assessment Questionnaire (SAQ) or through annual audits by a Qualified Security Assessor (QSA), who documents their findings in a Report on Compliance (ROC). A Qualified Security Assessor is a data security firm that has been qualified by the PCI Council to perform on-site PCI Data Security Standard assessments.
So what is the link between PCI DSS and visitor management?
In addition to regulatory compliance with many other global laws, a cloud-based visitor management system like Proxyclick can help you grant the right level of access to your visitors and track their access points.
Having the right visitor management system can help you manage your visitors following PCI's standards so you can:
- Enforce mandatory pre-registration of all visitors and contractors
- Use ID Match for government-issued ID-scanning using facial recognition for identity verification at check-in
- Screen all visitors against internal and external global watchlists to ensure authorization
- Send security alerts if unauthorized access is attempted
- Capture visitors' digital signatures on legal documents and NDAs
- Print custom visitor badges with photos, QR codes for access, and detailed information for fast identification and authorization
- Grant and restrict access to areas of your premises with access control integrations
- Send automated notifications to hosts to keep everyone aware of visitors' check-ins
- Depend on secure cloud storage of your visitor data
- Track visitor history and their precise movements for reporting and audit purposes
- Export data for all insurance- and audit-related queries
What happens if you’re not PCI compliant?
Failure to adhere to PCI security standards leads to non-compliance fines from the payment processors and/or credit card companies ranging from $5,000-$10,000 per month until the company reaches compliance.
Aside from the fines and penalties, there are also other potential liabilities that can affect a business. According to PCI Data Security Standards, failing to comply with the requirements, together with possible disastrous data breaches, could result in:
- lost confidence, so customers will likely go to a competitor
- decreased sales
- cost of reissuing new payment cards
- fraud losses
- higher subsequent costs of compliance
- legal costs, settlements, and judgments
- termination of the ability to accept payment cards
- lost jobs (CISO, CIO, CEO, and dependent professional positions)
- going out of business
Some companies learn about data breaches the hard way, as Equifax did when it discovered its data breach in late July 2017. The breach exposed the sensitive information of more than 147 million consumers and resulted in a settlement of about $650 million, not to mention the serious damage done to the company's reputation.
Trust, once lost, is harder to earn back (if at all). This holds true especially for businesses. That's why it's vital to invest in efficient security systems and processes that can protect your customers' data.
Look out for updates
We recommend you get acquainted with PCI DSS version 3.2.1 and continue to maintain high levels of security on a daily basis. This includes the way you manage your visitors and contractors.
Note: New updates to this version won’t come until late 2020.
The PCI Council stated that key priorities for the upcoming version are “to continue to provide the critical foundation for securing payment data in a rapidly evolving ecosystem and to add flexibility for organizations using a broad range of methods and technologies to achieve PCI DSS security objectives.”
Once version 4.0 is published, version 3.2.1 will, however, remain valid for a period of time to support businesses transitioning to the new version of the standards.
So until our next article - keep calm and stay in compliance. And don't hesitate to contact us for more information!
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.