What is PCI DSS and Why Does it Matter?
Last month, mega-retailer Target admitted that credit and debit card information for up to 40 million of its customers had been compromised in a massive cyber-attack that stretched from November to December. We don't know yet exactly what happened at Target or the ultimate price Target will pay, but when you ask "Why does PCI DSS matter?" this is why.
Large companies like Target aren't the only ones under attack. The payment brands that make up the Payment Card Industry know this, and that is why they got together to create the standard.
PCI DSS: A Brief Explanation
Launched by five global payment brands (American Express, Discover, MasterCard, Visa, and JCB [Japan Credit Bureau]), PCI DSS is a set of information security regulations that apply to any organization that handles cardholder information. All organizations, large and small, must comply or risk penalties from the payment card companies.
The standard has gone through a couple of revisions. The latest version is 3.0, but it is really more of a clarification of the previous version than a major overhaul. You can read the standard online at www.PCIsecuritystandards.org.
What Exactly is in PCI DSS?
The document that outlines the PCI DSS standards is pretty long. It's broken down into six major sections, each of which is broken down further into specific requirements. The six sections are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
A key to understanding and implementing the PCI DSS is the concept of the cardholder data environment (CDE). According to the standard, "The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data." In other words, any system that stores or processes cardholder information, or that has access to systems that store or process cardholder information, is subject to the requirements of PCI DSS.
What are the Penalties for Non-Compliance?
Because most businesses work with a service provider like a bank to process credit and debit cards, it's usually the service provider that pays the direct penalty to the payment card brand for violating one of the requirements of PCI DSS. Fines for PCI DSS noncompliance can range from $5,000 to $100,000 per month per violation, but fines are relatively rare and reserved for more severe cases. More frequently, if it is a merchant's first case of noncompliance, the merchant would receive a warning and a notice to address the problem. Repeated offenses can cause a service provider to stop processing payment cards for a merchant, either temporarily or permanently.
If you're in retail, or you are an MSP or other IT service provider that works with retail clients, you probably understand the severity of that last penalty. For the majority of consumers these days, credit and debit cards are the primary way they pay for things. Most businesses can't afford to lose access to that lucrative market. If you're an MSP, you can't afford to allow your clients to lose access.
How do you Become PCI DSS Compliant?
I don't have a simple answer to that question, but I am going to steer you in the right direction. If you read the PCI DSS requirements, you'll notice that many of them have to do with password strength and password security. It's easy to understand why; most websites, networks, and systems these days are password protected in some form or another. Investing in a good password management system can go a long way toward beefing up password security in general and PCI DSS compliance specifically.