Data security is not something you deal with today and forget tomorrow. It is a continuous process that has to keep pace with the latest technology and policy changes. This holds especially for the Payment Card Industry Data Security Standard (PCI DSS), which is meant to guide companies through their compliance journey and the long-term security of their consumers' payment card transactions.
We take data security seriously and we know you do too. So let's delve deeper into what PCI DSS actually is, what it means for your business and regulatory compliance, and how the right visitor management system can help.
The Payment Card Industry Data Security Standard (PCI DSS) "enhances cardholder data security" by providing a set of global security standards.
These standards were developed to ensure that all organizations (not just those based in the US) adopt consistent data security measures for credit card information:
The most recent version of the PCI DSS (PCI DSS version 3.2.1) went into effect on January 1, 2019, adding further clarifications to the existing requirements.
The main goals of PCI DSS are very straightforward - and a lot less frightening than one would expect:
The Payment Card Industry Security Standards Council (PCI SSC)—represented by the payment card brands Visa, Mastercard, American Express, Discover, and JCB International—is the authority that manages the development of the PCI DSS requirements.
As mentioned above, PCI DSS is mandatory for all companies that accept, transmit, or store cardholder data and/or sensitive authentication data.
It also applies to "all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers".
According to PCI, cardholder data and sensitive authentication data include the following:
Additionally, PCI DSS requirements differ based on a business’s transaction volume over a 12-month period.
Thus, there are four levels of PCI compliance:
Level 4: Applies to any business processing fewer than 20,000 transactions annually
Level 3: Applies to any business processing between 20,000 and 1 million transactions annually
Level 2: Applies to any business processing between 1 and 6 million transactions annually
Level 1: Applies to any merchant processing over 6 million transactions annually
If you’re not sure which compliance level applies to your company, make sure to consult with your payment processing provider.
The main requirements that a business has to comply with are the following:
These requirements are linked directly to the six PCI DSS goals mentioned earlier:
Implementing the PCI Data Security Standard should start with scoping: every company has to identify all locations and flows of cardholder data and all system components that are connected to the cardholder data environment (CDE). This environment is usually made up of the people, processes, and technology that handle cardholder data or sensitive authentication data.
Remember: scoping is an annual process and must be completed before the annual assessment.
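Scoping only works if you find where cardholder data actually lives, and discovery regularly turns up primary account numbers (PANs) in places nobody listed, such as debug logs and legacy configuration files. The following added example (it is not from the original article or from Proxyclick) shows a minimal cardholder-data discovery scan: it looks for runs of 13 to 19 digits, confirms they are plausible PANs with the standard Luhn check used for card numbers, and reports each hit by source and line number with the PAN masked. The sample sources and the card numbers in them are constructed for illustration; a real scan would walk file systems, databases and backups, and a digit run that passes Luhn is only a candidate for review, not proof of cardholder data.

```python
import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or hyphens.
# The lookarounds stop the pattern from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file or system the PAN was found in
    line_no: int     # 1-based line within that source
    masked_pan: str  # masked value, safe to put in a scoping report


def scan_text(source: str, text: str) -> list:
    """Return a Finding for every Luhn-valid 13 to 19 digit run in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_sources(sources: dict) -> list:
    """Scan a mapping of source name to text content and collect all findings."""
    findings = []
    for source, text in sources.items():
        findings.extend(scan_text(source, text))
    return findings


# Constructed sample data: one debug log line leaking a test card number, a legacy config
# file holding a test card, an order id that is 16 digits but fails Luhn, and a phone number.
SAMPLE_SOURCES = {
    "app/logs/checkout.log": (
        "2019-03-04T10:15:02Z INFO order_id=1234567890123456 status=paid\n"
        "2019-03-04T10:15:03Z DEBUG raw_request card=4111111111111111 exp=12/22\n"
    ),
    "etc/legacy-batch.conf": "test_card = 5555 5555 5555 4444\nbatch_size = 500\n",
    "docs/README.txt": "Support line: 0800 123 456 789\n",
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding.source}:{finding.line_no}: {finding.masked_pan}")
```

Running the block reports two findings, the log line and the config file, while the order id and the phone number are rejected by the Luhn check. Every source that produces a finding belongs in the CDE scope (or must be remediated so it no longer holds cardholder data), and the masked report can be shared with the assessor without itself becoming a store of cardholder data.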
On the whole, PCI compliance should be seen as a continuous process made up of the following steps:
Once your company has updated its processes and security systems, you must go through compliance validation. This is the evaluation and confirmation that the security controls and procedures required by PCI DSS have been properly implemented.
Compliance is validated either through a Self-Assessment Questionnaire (SAQ) or through annual audits by a Qualified Security Assessor (QSA), who documents their findings in a Report on Compliance (ROC). A Qualified Security Assessor is a data security firm qualified by the PCI Council to perform on-site PCI Data Security Standard assessments.
Scoping: Every company has to identify all locations and flows of cardholder data and all system components that are connected to the cardholder data environment (CDE).
In addition to regulatory compliance with many other global laws, a cloud-based visitor management system like Proxyclick can help you grant the right level of access to your visitors and track their access points.
Having the right visitor management system can help you manage your visitors following PCI's standards so you can:
Failure to adhere to PCI security standards leads to non-compliance fines from the payment processors and/or credit card companies ranging from $5,000 to $10,000 per month until the company reaches compliance.
Aside from fines and penalties, there are other potential liabilities that can affect a business. According to the PCI Data Security Standards, failing to comply with the requirements, together with a possible disastrous data breach, could result in:
Some companies learn about data breaches the hard way, as Equifax did when it discovered its data breach in late July 2017. The breach exposed the sensitive information of more than 147 million consumers and resulted in a settlement of about $650 million, not to mention the serious damage to the company's reputation.
Trust, once lost, is hard to earn back, if it can be earned back at all. This holds especially for businesses, which is why it is vital to invest in effective security systems and processes that protect your customers' data.
We recommend that you get acquainted with PCI DSS version 3.2.1 and continue to maintain high levels of security on a daily basis. This includes the way you manage your visitors and contractors.
Note: new updates to this version won't come until late 2020.
The PCI Council stated that key priorities for the upcoming version are “to continue to provide the critical foundation for securing payment data in a rapidly evolving ecosystem and to add flexibility for organizations using a broad range of methods and technologies to achieve PCI DSS security objectives.”
Once version 4.0 is published, version 3.2.1 will, however, remain valid for a period of time to support businesses transitioning to the new version of the standards.
So until our next article - keep calm and stay in compliance. And don't hesitate to contact us for more information!
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.