Why PCI compliance is crucial


Data security and privacy are today a prime focus for most organizations globally. While there have been several regulations and standards introduced to improve data security, the evolving landscape makes it challenging for organizations to stay compliant. For many, General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS) are the first topics that come to mind when privacy is concerned.

PCI DSS is a set of requirements intended to ensure that every company that stores, processes, or transmits credit card information keeps its customers' data in a safe and secure environment. PCI DSS is composed of practical rules and guidelines that keep sellers and their customers safer. It was first introduced as an official regulation in 2006 by major credit card companies such as Visa, MasterCard and American Express.

The PCI DSS is not a regulation per se, and it does not supersede local or regional laws, government regulations, or other legal requirements. However, it has become the financial services industry standard for information security, and compliance is a prerequisite for working with global payment card brands. In 2020, US consumers reported losing more than $3.3 billion to fraud—an increase of nearly $1.5 billion compared to 2019.

Improving the data security of card payment systems is the job of the PCI Security Standards Council. It publishes standards and materials that incorporate tools, measurements, frameworks, and resources to support organizations as they work to uphold cardholder information security. The council uses PCI DSS as a framework for building comprehensive payment card security processes that allow for the detection of, prevention of, and response to security issues.

A Qualified Security Assessor (QSA) verifies all technical information given by the merchant or service provider, uses independent judgment to confirm that the standard has been met, provides support and guidance during the compliance process, adheres to the PCI Data Security Standard Assessment Procedures, validates the scope of the assessment, evaluates compensating controls, and produces the final report on compliance.

While the cost of attaining PCI compliance varies depending on what you already have in place, the cost of not being compliant is considerable. The cost of non-compliance is best determined by calculating the cost of a security breach. Although fines are not made public, they can be steep. They tend to be between $5,000 and $100,000 for each month you are out of compliance. This holds true for both on-premises and cloud systems.

PCI compliance involves 12 distinct requirements, all of which are designed to enhance security. They are as follows: install and maintain a firewall, enforce strong password protection, protect stored cardholder data, encrypt data in transit, install and maintain antivirus software, keep your software updated, restrict access to data, assign unique IDs to everyone with access, limit physical access, establish and maintain access logs, scan and test for vulnerabilities, and document your policies.

The problem for many large retailers is that they treat security controls as a 'tick box' exercise, where once a year they show their PCI QSA that they have the policies, processes, and technologies in place. But focusing only on an annual compliance assessment can create a false sense of security. Investigators have found that the security controls of organizations that had passed an assessment were often out of compliance by the time a breach occurred.

According to Verizon’s 2020 Payment Security Report, an astounding 72 percent of all organizations assessed on PCI DSS compliance failed an interim validation. That means that, although they had achieved 100 percent compliance in a previous assessment, only 28 percent were able to maintain that level of compliance in between assessments. In the past decade’s worth of these annual reports, the best performance was reported in 2017, when 55 percent of organizations were found in full compliance.

Thankfully, new technologies are available to help manage scope and minimize risk all year long. Identifying sensitive data is the fundamental first step, followed by accurate classification and intelligent data protection. The more you automate and integrate these steps in one continuous, policy-driven process, the more effective your data protection, compliance, and risk reduction efforts — and the less disruptive they are to business users.
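The identify, classify, protect sequence described above, as an added example that is not code from the original article or from TMP. It runs the three steps over a few constructed log records: a regex identifies candidate card-number-shaped digit runs, a Luhn mod-10 check classifies which candidates are real PANs (filtering out ordinary numbers such as tracking IDs), and a masking policy protects the confirmed ones before the record is stored. The regex, the use of Luhn as the classifier, the keep-last-four masking rule and the sample records are this example's assumptions; the two card numbers in the sample data are publicly documented test numbers, not real cards.

```python
"""Added example: identify -> classify -> protect over text records.
Not PCI SSC tooling; the patterns and policy below are assumptions."""
import re

# Identify: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (assumed candidate shape).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Classify: Luhn mod-10 check, which most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalized digit strings of every Luhn-valid candidate."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Protect: keep only the last four digits (assumed display policy)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace each confirmed PAN in the record; leave false positives untouched."""
    def _replace(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_replace, text)


def scan_records(records: list[str]) -> list[dict]:
    """One policy pass over a batch of records, returning a small report."""
    return [
        {"original": r, "pans_found": len(find_pans(r)), "stored": redact(r)}
        for r in records
    ]


# Constructed sample records (not real log data). 4111... and 3782... are
# publicly documented test card numbers; the tracking ID is a 16-digit
# run that is NOT Luhn-valid and must survive redaction unchanged.
SAMPLE_RECORDS = [
    "2024-01-05 order=4815162342 card=4111 1111 1111 1111 amount=19.99",
    "2024-01-05 order=4815162342 tracking=1234567890123456 status=shipped",
    "2024-01-06 refund card=3782-822463-10005 amount=5.00",
    "customer note: call back at 555-0100",
]

if __name__ == "__main__":
    for entry in scan_records(SAMPLE_RECORDS):
        print(f"{entry['pans_found']} PAN(s): {entry['stored']}")
```

The Luhn step is what keeps the process from flooding reviewers with false positives: the second record contains a 16-digit run that looks like a card number to the regex but is left alone because it fails the checksum, while the 15-digit American Express test number in the third record is caught even with dashes inserted. Wiring this kind of check into log shipping or data-at-rest scans is the automated, policy-driven step the paragraph describes, as opposed to a one-off search before the annual assessment.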

TMP’s role

TMP meets PCI compliance requirements to ensure that all customer and client information is handled in a safe and secure manner. As digital outreach evolves through chat and self-service offerings, TMP keeps pace with these new features as they develop. PCI compliance reinforces our security and best practices in managing technology and privacy.
