How PCI DSS Compliance Works
Credit and debit cards are an increasingly essential part of life for individuals and businesses around the world. In one 2018 survey, a whopping 80% of respondents indicated they use either a debit or credit card as their primary payment method. This makes accepting card payments an essential component of nearly every business, from the SMB to the enterprise. To accept card payments from most major credit card vendors, however, organizations must ensure their payment process is PCI DSS compliant.
What is PCI DSS?
The Payment Card Industry Data Security Standard, or PCI DSS, is a security compliance standard that defines the policies and guidelines for payment procedures and security. The requirements for PCI DSS certification are designed to ensure organizations protect the cardholder data they store, process, and transmit.
PCI DSS was issued by the Payment Card Industry Security Standards Council, an organization formed in 2006 by American Express, Discover, JCB, MasterCard, and Visa, but operating independently from any of the card vendors. There are four different levels of PCI DSS requirements, with Level 4 having the lowest level of security required, and Level 1 having the highest.
What are the PCI DSS levels?
The four levels have increasing security requirements as you progress from Level 4, which has the fewest requirements, to Level 1, which has the most. The level a given organization is required to maintain usually depends on its annual number of transactions but can be influenced by other factors. These factors include the organization’s risk level (as determined at the sole discretion of the card vendors) and whether it has a history of being breached. The number of transactions for each level is as follows:
- Level 1 – Six million or more transactions per year
- Level 2 – Between one and six million transactions per year
- Level 3 – Between twenty thousand and one million transactions per year
- Level 4 – Fewer than twenty thousand transactions per year
While it is an absolute requirement for any organization that wants to receive payment from and work with the major credit card vendors, it is important to note that PCI DSS compliance is not US federal law. Though not federal law, some US states (Minnesota, Nevada, and Washington at the time of this publication) have enacted legislation that refers to or reflects PCI DSS provisions.
Tips to Enhance Security and Enable PCI Compliance
Even though PCI compliance is a requirement for organizations working with cardholder data, it remains true that many organizations struggle to maintain it. In fact, according to Verizon’s annual payment security report for 2018, the percentage of companies successfully complying with PCI DSS requirements dropped from 55.4% in 2016 to 52.5% in 2017.
With companies struggling to maintain compliance and the increasing number of high-profile data breaches occurring globally each year, here are a few best practices to follow.
Use PCI Compliant Products and Services
Ellen Richey, Visa’s Chief Enterprise Risk Officer, stated in 2018 that, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of the breach.” While it is important to remember correlation does not necessarily mean causation, this data point does suggest that organizations maintaining a PCI compliant environment are generally more secure.
With the number of organizations failing to maintain PCI DSS compliance, it is important to verify the products your organization is using continue to meet the requirements. Even if they met the requirements in the past, they may no longer comply now.
While using compliant products does not by itself make an organization compliant, it does help ensure adequate security is in place to prevent data theft.
Automate What You Can
Process automation software can remove the risk of human error from payment and cardholder data processing, helping to ensure that data is handled in a compliant manner. Less human involvement can also help reduce an organization’s attack surface for data breaches via bad actors, social engineering, or phishing.
Make Secure Sharing Simple
There are still cases where processes cannot be automated, such as when a sales support agent needs to receive cardholder information from the finance department in order to investigate issues with a placed order. In situations like this, absent a secure, simple-to-use solution, individuals may lean on email, instant messaging, or file sharing features that may not have an appropriate level of security.
Additionally, most of these solutions lack adequate retention policies to automate deletion of old data that is no longer needed. While email suites like Outlook do have retention policies you can set, doing so can be time consuming and tedious, and the rules may not be specific enough. Conversely, file sharing services generally require someone to manually delete shared files.
Beyond this, email offers little in the way of security, and information emailed can often be easily viewed by outside parties monitoring traffic to and from an organization’s network. With an ongoing rise in executive fraud, transferring information via email poses an additional threat. Email-based social engineering is increasingly common, making it a particularly risky method of sharing sensitive data of any kind.
XMedius Can Help
XMedius is in the process of being certified as PCI DSS compliant on two of our products, XM SendSecure and XM Fax. Both of these products can help automate and streamline PCI compliant security practices.
XM SendSecure provides a simple-to-use way to securely share files and cardholder information while offering ephemeral storage designed to automatically delete contents after a set duration of time. This helps both automate and simplify security by eliminating the need for someone to manually delete shared files. XM SendSecure also leverages encryption for data in transit and at rest, as well as two-factor authentication, which helps ensure files are only ever accessible by their intended recipient.
Using the earlier example of a sales support representative requesting information from a finance team member, the finance department employee can immediately respond to the email request right in Outlook through an XM SendSecure connector. This creates an encrypted, ephemeral SafeBox for file sharing that automatically deletes itself after a set duration. The SafeBox can also leverage known contact information for the recipient, requiring them to verify their identity before accessing files. These safeguards greatly reduce the risk of accidentally sharing sensitive cardholder data with unintended parties.
XMedius also offers an industry-leading Fax over IP solution, XM Fax, that enables users to securely fax documents directly to recipient email inboxes rather than a central, office-wide fax machine. This helps eliminate the risk of sensitive information being inappropriately viewed by the wrong person.
If you would like to learn more about how our suite of communications solutions can help your organization achieve PCI DSS Compliance, please reach out to one of our industry experts.