With the ongoing threat from cybercriminals using both high and low tech methods of identity theft, your data is your most prized possession. Like it or not you are no longer a person with a single identity. As we rely more and more on digital means to make our professional and personal lives more efficient and convenient, we have knowingly or unknowingly, created a whole new digital identify for ourselves. This digital or online identity is a gateway into our personal live, our professional lives and our financial means. As long as you keep the gate closed, you are relatively safe from the cybercriminals but they use ever ingenious ways to open the gate and take control of part or all of your identity. Over the last several months I have written in detail about cybercrime and the threats you face:
- Ransomware – The Complete Survival Guide
- Beware of Fake Purchasing Order Scam
- CEO Fraud Scam
- Enforce a Strong Password Policy
An area of obvious and vital importance to business is the upcoming implementation of the General Data Protection Regulation due to commence in May 2018 (please feel free to read our post GDPR and Your Business), however it is the area of data protection known as PCI DSS Compliance that I will write about today. Neither myself nor the team at IT.ie claim to be experts in the areas of PCI compliance or Data protection for that matter. We are however, on the front line in the battle against cybercrime and as a premium IT support service provider we endeavor to update our clients and friends in business, on the latest threats and trends in this area. The following information is compiled from several sources including, the PCI Standards Council, Bank of Ireland, Allied Irish Banks and Sage Pay.
What is PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standards and is a set of minimum standards that is in place to help protect businesses and consumers from data theft and fraud. It was developed by the major payment card brands (Visa, MasterCard, Amex, JCB and Discover) in 2004. PCI DSS compliance is required of all merchant and service providers who store, process or transmit cardholder data and the requirements apply to all payment channels, including e-commerce business, retail shops and mail/telephone order companies.
The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”
— Quick Service Restaurant (QSR) Magazine
Becoming PCI DSS Compliant
To become compliant you will need to speak to your merchant acquiring bank who can refer you to their preferred Quality Security (QSA). All the main banks including AIB and BOI have detailed guides and or portals to assist you in becoming PCI DSS compliant. No matter what type of payments you’re accepting, whether it be online, over the phone or using card machines, you will need a PCI certificate for your business.
Levels of PCI DSS Compliance
There are 4 levels of PCI DSS Compliance for merchants. Note that a Network Security Scan is required for all levels.
|Merchant Level||Criteria||Onsite Review||Self-Assessment Questionnaire||Network Security Scan|
|Level 1||All merchants, including electronic commerce merchants, processing more than 6,000,000 transactions per year
All merchants that experienced an account compromise
All merchants that meet the Level 1 transaction criteria as set forth in the PCI framework
|Required Annually||Not Required||Required quarterly|
|Level 2||All merchants processing 1,000,000 to 6,000,000 e-commerce transactions per year
All merchants that meet the Level 2 transaction criteria as set forth in the PCI framework
|Not Required||Required Annually||Required quarterly|
|Level 3||All merchants processing 20,000 to 1,000,000 e-commerce transactions per year
All merchants that meet the Level 3 transaction criteria as set forth in the PCI framework
|Not Required||Required Annually||Required quarterly|
|Level 4||All other merchants||Not Required||Required Annually||Required quarterly|
Benefits to Merchants
The benefits to merchants from PCI DSS include the following:
- The protection of the customers personal data.
- Increased customer confidence from a higher level of data security
- Enhanced customer trust and safeguarded reputation.
- Increased protection against financial losses.
Potential liabilities of non PCI DSS compliance
- Loss of customer confidence
- Reduction in sales
- Fraud losses
- Higher subsequent cost of compliance
- Legal implications – Costs, Settlements, Judgments
- Termination of ability to accept card payments
- Job losses
- Going out of business
Hackers will try many devious tricks to get your cardholder data and by obtaining the Primary Account Number (PAN) and sensitive authentication data, the thief can impersonate the person the card was issued to.
The following graphic was taken from the www.pcisecuritystandards.org and is a good representation of the data held on various payment cards. Everything at the end of the red arrow is sensitive cardholder data. Anything on the back and CID must never be stored.
This has been by no means an exhaustive guide to PCI DSS compliance but simply a springboard to guide you in the right direction. If you are not currently compliant I strongly urge you to contact your bank and take the required steps to PCI DSS compliance.