If your business handles any kind of payment card data, you probably understand the basics of PCI DSS (Payment Card Industry Data Security Standard). And it likely didn’t come as a surprise to you when the latest iteration of PCI compliance requirements, the 3.0 standards.
Despite your being aware of the changes, if you haven’t yet taken steps toward compliance, it’s time to get moving. But don’t panic — I’ll cover the key points here, and help you pass your audit with flying colors.
What’s new in Security and Reliability
The new standards are intended to protect cardholders, as well as the businesses from which they buy goods and services. And this is a good thing for your organization: Once you put the systems in place to meet the new standards, your business will develop a reputation for security and reliability.
This latest iteration has come into play because the payment IT landscape grows riskier and more complicated every day. More companies are doing business in the cloud than ever before, and digital payment technologies have expanded as a result. This means criminals have more ways to hack your systems. The new PCI standards are aimed at helping you protect your customers and your brand’s reputation with the right compliance controls.
You’ll need to transition your compliance programs before your next audit.
1. Cultural Changes
New cyber threats don’t just attack once in a while; they are constantly evolving. Did you hear what happened to Sony and their movie, “The Interview”? Security hacks like the one they dealt with are the reason PCI has requested businesses adopt a culture of constant data security.
If compliance for your company has been little more than an annual checkbox in the past, you’ll now need to have data security integrated into your daily processes. This likely means you’ll need further education on how to accomplish this — for yourself, your staff, your partners, and your providers. Initiating a new security culture throughout your organization isn’t something you can tackle with one internal memo.
2. Service Provider Changes
When it comes to trusting third-party providers, many companies make unsafe assumptions that can result in expensive and embarrassing security breaches. It’s critical to know exactly who is handling what compliance responsibility. PCI is now stepping into this area, and you’ll need to make sure your company and your providers spell out all security, operations, and reporting duties in detailed contracts.
3. Operational Changes
This is where most of your work will be. PCI will check that all of your payment data is in specific locations and that those locations are well protected. So your first order of business is to define your Cardholder Data Environment (CDE), which will restrict where and how the cardholder data is accessible. To do this, your team will need to make an inventory of all technology, people, and processes that interact with the data, then make diagrams that trace the flow and location of cardholder data in your system.
Test, rinse, repeat
After that, your CDE will need to be validated, which proves that your techniques and controls are actually effective at protecting your data. The best way to do this is by running card data searches and penetration tests (also known as “pen tests”).
Don’t have the resources to handle this in-house?
There are plenty of businesses you can go to that regularly handle pen testing. Since these tests can turn up any security gaps in your system, it’s wise to conduct them earlier rather than later so you can correct any deficiencies long before your audit.
Be sure all of your systems are tested
All too often businesses assume they already know where their cardholder data is stored and how it flows through their system. They tend to test only those systems they think could be problematic. The truth is that it takes only one employee creating his or her own process, or one gap in the system, to put data in a rogue location, placing the whole organization at risk. For this reason, it’s critical to test your entire network.
It’s not enough anymore to just make the minimum effort to protect your data. PCI wants you to prove that you’ve made a strong effort. This means documenting all of your work, from lists of security system components to data flow diagrams to the results of your penetration tests. This is slightly different from previous iterations of PCI requirements, which tended to be more lenient on documentation. So, it’s important to have immaculate evidence of your compliance ready for your audit. PCI will definitely check for it.
There is no doubt that designing and implementing these changes will require a lot of work.
The good news is that all of your effort will not only help you pass your PCI audit, but also help you build a stronger, safer, higher-performing environment for your customers. And you’ll no doubt learn quite a bit from digging deeper into these important preventive measures.
From inhibiting cybercrime to building a brand reputation for security and reliability, meeting PCI 3.0 requirements can help your business keep the money you’ve earned.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover, JCB International, MasterCard, and Visa Inc., the Council has more than 700 Participating Organizations representing merchants, banks, processors, and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit pcisecuritystandards.org.
About AppointmentPlus, The Online Scheduling Software Experts
Last year, a record-breaking 54 million appointments were scheduled by the 200,000+ locations that used AppointmentPlus scheduling software for growing businesses and franchises. To learn more, visit AppointmentPlus.com.