BY Stephen Cavey | 21 October 2020
The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect customers’ payment data from being compromised and ensures the security of credit card transactions in the payments industry.
Credit and debit card payments continue to be the standard for payment around the world. According to the Federal Reserve, in 2018, Americans made 131.2 billion card payments worth $7.08 trillion. The growing popularity of card payments offers a tempting and lucrative opportunity for hackers. As the card payment industry grows, credit card fraud and theft grow too. Last year, the Federal Trade Commission received 271,000 reports of credit card fraud in the US.
When hackers steal card information, they don’t only impact the cardholders. The entire payment card ecosystem — from merchants to banks to customers — feels the impact. The Payment Card Industry Data Security Standard (PCI DSS) was created to ensure that all companies securely process their payment card transactions. For any business processing payment card transactions, maintaining PCI DSS compliance is critical. Failing to comply with PCI DSS will impact the organization’s customers and business — a breach can mean a potential loss of revenue, customers, brand reputation, and trust.
PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data. There are four levels of PCI compliance, which are determined by the annual number of Visa transactions a merchant processes over one year:
There are different requirements for different levels of compliance. Any business that falls under Level 1 needs to conduct a yearly on-site review by an internal auditor and must do a network scan by an approved scanning vendor. Level 2, 3, and 4 businesses must complete the PCI DSS Self-Assessment Questionnaire annually and do quarterly network security scans with an approved scanning vendor.
Personally identifiable information (PII) is any data that can identify a specific person. Some examples of PII include:
When it comes to PCI DSS, PII includes cardholder data, such as the cardholder’s name, the primary account number, and the card’s expiration date and security code. PCI DSS does not extend to any PII that is not considered cardholder data, such as protected health information (PHI) like diagnoses and lab test results.
You must protect your customers’ sensitive information to maintain compliance and stay in business, and knowing where protecting PII and PCI intersect can help.
Depending on the PCI DSS level your organization falls under, failure to comply can lead to strict ramifications. For example, Visa has the right to move your organization to a stricter level, regardless of the number of credit card transactions processed each year. If your organization is currently a level 4, you may be bumped to a level 1 for failure to meet the level 4 compliance requirements. At level 1, you’ll now be required to receive an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor) to determine if you have demonstrated compliance.
Every organization, regardless of its PCI DSS level, needs to use an approved scanning vendor every year. Ground Labs offers a PCI DSS data discovery solution, Enterprise Recon PCI, that is trusted by PCI Qualified Security Assessors (QSAs) in 50+ countries. The solution easily and efficiently scans your servers, desktops, and cloud for PCI sensitive data, and it also brings security issues to your attention. Ground Labs’ PCI DSS solution can scan rapidly due to its low-impact distributed design, enabling co-existence with your company’s DLP solutions. Rapid scans will help your business reduce the time required to become compliant.
Interested in learning more about how to achieve compliance under PCI DSS regulations with Enterprise Recon PCI? Schedule a demo with a data discovery expert today.