Achieving PCI Compliance

PCI scans should be quick, easy, and reliable, producing insightful and actionable reports that help you achieve PCI compliance, complete your SAQ, or start getting serious about cybersecurity. By: Secureworks
As electronic payment has grown in popularity among all types of consumers, private data has become increasingly vulnerable. MarketWatch reports that according to the nonprofit Identity Theft Resource Center, the number of significant breaches at U.S. businesses, government agencies, and other organizations topped 1,300 in 2017, versus fewer than 200 in 2005.
High-profile, headline-grabbing data breaches have driven the payment card industry to search for ways to tackle the challenge of protecting user data. To achieve this goal, several major payment card brands collaborated to develop a set of standards known as the Payment Card Industry Data Security Standard (PCI DSS).
Compliance with the PCI DSS is required for any organization that transmits, processes, or stores credit card transactions. One of the important tasks required for compliance is a quarterly internal PCI vulnerability scan, performed either in-house or by a third party like Secureworks®. Vulnerability scans are automated tests that seek out potential “weak spots” in your infrastructure and bring them to your attention.
PCI scanning gives you a PCI Vulnerability Report, which is like a home inspection report: an extensive, detailed list of the problems found and the action steps to take. PCI scanning should not be confused with penetration testing, which uses a live tester acting just as an attacker would, analyzing your network, identifying possible vulnerabilities or coding errors, and trying to exploit those errors to gain access to your network. PCI scanning is an automated test available on demand, great for getting an overview of your network security — weekly, monthly, or annually.
Still not sure if you need regular PCI scans? Then let's take a look at PCI Compliance and what it involves.
What is PCI Compliance?
The PCI DSS was designed to enhance the security controls in place to protect payment card information from theft and misuse — and any organization that processes payment data is required to comply with it. Failing to comply with current PCI requirements can set you up to incur steep fines and penalties, revocation of credit card payment services — even suspension of accounts. PCI compliance standards continue to evolve; version 3.2.1 was released May 2018.
Complying with the PCI DSS takes a firm commitment to protecting your customers' private information. The standards require you to protect not just cardholder primary account numbers (PAN), but also any other cardholder data that is stored, processed, or transmitted alongside those account numbers — information like cardholder names, expiration dates and service codes.
Compliance with the DSS requirements is mandatory, no matter how big or small your organization is, or how many card transactions you process each year. And even if you outsource your payment processing to a third party, you may still be required to show documentation on up-to-date PCI reporting. In other words, consumer data safety is up to you, whether you're processing the transactions in-house or not.
Who Needs PCI Compliance?
In short: you do. PCI requirements apply to all organizations that transmit, process, or store cardholder data, and to service organizations that can affect the security of cardholder data — even those that handle a small number of transactions and outsource payment processing. You need to establish policies and procedures that protect cardholder data at all stages — not only when you receive it, but also when you process chargebacks and refunds.
The PCI DSS requirements apply to all merchants, even those outside the U.S. Historically, enforcement has been stricter in the U.S. — but enforcement rates in the UK and Europe are on the rise, as evidenced by adoption of GDPR. As more countries enact stricter laws around customer notification of data breaches, global PCI compliance rates will increase.
How is PCI Compliance Determined?
PCI scanning will help verify that you've remediated opportunities for cyber criminals to access your critical IT assets and sensitive information.
PCI compliance requirements vary according to the size of your organization — especially the number of payment transactions you process each year. Merchants must prove PCI compliance annually, and what that proof involves depends on the number of transactions processed annually and on the payment card brand.
Organizations processing large quantities of transactions (6 million per year for merchants; 300,000 per year for service providers) must undergo an annual onsite audit performed by a Qualified Security Assessor (QSA) or by an employee who has gone through the PCI Internal Security Assessment Training Program.
Organizations with fewer annual transactions must complete a PCI Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance, then submit this documentation to their acquiring bank. Additionally, different payment card brands have different compliance requirements of their own, so organizations should look closely at what each payment card brand requires at each organization level to be sure they're satisfying every demand.
Regular PCI Compliance Scanning can help you secure your PCI readiness on all fronts — regardless of the size of your organization or the unique requirements presented by your bank.
How many PCI DSS requirements are there?
Altogether, the standards comprise 12 broad requirements and more than 200 line-item requirements. The 12 broad requirements can be grouped into six key areas:
- Building and maintaining a secure network;
- Protecting cardholder data;
- Maintaining a vulnerability management program;
- Implementing strong access control measures;
- Regularly monitoring and testing networks; and
- Maintaining an information security policy.
Why is PCI Compliance Important?
Failing to comply with PCI standards (yes, organizations today still fail PCI compliance) puts your organization at risk for data breaches, which can set off a very expensive chain reaction. If your users' data is stolen, they face a threat to their cash reserves, credit scores, and peace of mind; meanwhile, you could incur a ripple effect of fees, loss of goodwill, and clean-up duties for failing to prevent the theft in the first place. Keeping an eye out for common pitfalls related to PCI compliance therefore helps protect both you and your customers from mounting fees, stress, and inconvenience. To avoid these types of costs, both tangible and intangible, it's important to invest your time in establishing an extensive security program that includes the PCI standards.
Fees and Penalties
In addition to amping up your bad PR and exposing your customers to identity theft, data breaches and non-compliance can rack up fines and penalties. Fines can range from $2,000 to more than $100,000 per month for PCI compliance violations, plus additional fines for repeat violations, depending on your bank.
Beyond the up-front fines, data breaches can cost you even more down the road. If your customers' cardholder data is compromised, you could also be subject to fraud losses incurred when thieves use stolen account numbers. You could have to take on the cost of re-issuing compromised cards, plus the costs of additional fraud prevention or monitoring required by the card associations. These types of costs may not make the same headlines as large data breaches, but they can be catastrophic for small businesses and hugely inconvenient for larger organizations. In short, if you suffer a breach, it can be difficult or even impossible to ever fully come back.
Don't Live For the Breach
While data breaches are scary enough to draw our attention, it's important to remember that focusing on one moment in time won't give you the strongest security posture. Over the last several years, many large companies have experienced breaches despite meeting PCI compliance requirements. While these standards provide an extra layer of protection against data breaches, PCI DSS alone will not cover all your security bases. However, when you make security a consistent priority over time, you'll likely find that PCI compliance falls into place.
Who Enforces PCI Compliance?
An industry standards body called the PCI Security Standards Council (SSC) is responsible for developing and maintaining PCI DSS requirements. But enforcement is carried out by the five payment card brands: Visa, MasterCard, American Express, JCB International, and Discover. Each brand has its own guidelines for compliance, its own reporting and validation requirements, and unique deadlines, brand-specific definitions, and penalties for noncompliance. That's why it's crucial to get advice directly from the card brands to make sure all your bases are covered.
How Do I Become PCI Compliant?
When time and resources are limited, it can be difficult for an organization to execute the kind of all-inclusive vulnerability management that should be a foundational part of its security approach. PCI scanning can offer businesses more complete visibility of their existing vulnerabilities, along with context on the risks involved and a plan for fixing the gaps.
If you're just getting started with PCI compliance, you can find a wealth of information on the PCI Security Standards Council website. There, you can find downloadable resources like the PCI Council's Getting Started Guide and Quick Reference Guide.
Some organizations assemble a team or task force to meet initial compliance requirements, then disband it after certification. Others will purchase new equipment or devices to meet certain PCI compliance requirements but fail to monitor or manage them after they are set up, rendering them useless against threats. Still others may create an employee policy document and never update it, even though there is frequent staff turnover — or they'll get initial management buy-in to become compliant but fail to commit ongoing funding and budgets to keep compliance up to date. Avoid all of these scenarios!
Third parties like Secureworks can provide on-demand scans of internal and external network devices, servers, web applications, databases, and other assets on-premises and in the cloud. These PCI vulnerability scans help identify real, exploitable security gaps in your network and help satisfy your annual compliance requirements. They also offer access to vulnerability management experts when you need a closer look.
Long-term PCI Compliance Management
Ongoing attention is your best defense against security breaches, so we recommend having a standing team to review policies, procedures, and everything else related to PCI compliance on a regular basis — not just once a year. Build a PCI compliance program that fits your business and addresses your overall security posture.
Remember, PCI compliance alone isn't enough to protect corporate data from expensive and time-consuming breaches. A once-a-year assessment loses its value when you don't pair it with continuing efforts to maintain PCI compliance. Secureworks' vulnerability scanning can help reduce your exposure, help you stay compliant year-to-year, and protect your devices and data. It's a solution that keeps you up to date on evolving global threats so that you can keep your attention on business priorities.
When you commit to putting a well-defined security program in place, you'll likely find that you'll not only meet and maintain PCI compliance — you'll also be prepared to address new and emerging threats. Only by establishing and maintaining field-tested security controls can your company achieve true security alongside compliance.