Jan Michael Dervish
Loyola University School of Law JD 2020
While the legal community has spent much of the last year exhaustively dissecting the European Union’s new General Data Protection Regulation (GDPR), nearly half of businesses in the United States are still not compliant with standards governing the collection, storage, and disposal of payment (credit/debit) card data. Businesses of all sizes should work to ensure that they understand and are in compliance with these standards, or risk significant exposure in the event of a payment card data breach traced back to their organization.
Understanding the PCI-DSS standard
In 2001, the average rate of credit card fraud for electronic (online) transactions was nearly 20x higher than that of offline transactions. Alarmed by this sudden rise in fraud, major credit card companies banded together and created the Payment Card Industry (PCI) Security Standards Council – the industry body charged with creating and administering the Payment Card Industry Data Security Standard (PCI-DSS), commonly referred to as PCI. PCI standards govern the collection, use, and disposal of payment card data by businesses that accept electronic payments such as Visa or Mastercard.
No business is too small to be subject to some level of PCI-DSS scrutiny: if you accept payment cards, you are required to be in compliance with these standards under your merchant processing agreement. PCI validates compliance in varying levels of detail depending on the total size of your organization. Essentially, the more transactions your organization processes, the higher level of scrutiny you will face. Even at the lowest level of PCI scrutiny, your organization may still be required to contract with an ASV (Approved Scanning Vendor) to conduct a quarterly security scan of any public-facing systems (such as an online store) that accept, store, or have access to payment-card data.
Steps towards compliance
In order for companies to comply with PCI requirements, they must first understand what their responsibilities are under PCI-DSS. Requirements vary depending on the total number of payment card transactions processed annually, but the following compliance measures are a good baseline for all businesses to start from:
- Develop and Enforce Security Policies
The development and enforcement of security policies is one of the most cost-effective steps that a company can take towards full PCI compliance. Employees should be educated on the importance of data security, and organizations should have clearly communicated requirements on the storage and handling of sensitive information.
- Maintain Critical System Security
Businesses of all sizes should be actively taking steps to maintain the security of critical systems – especially those containing or protecting sensitive personnel or financial data. This includes ensuring that passwords are changed from the manufacturer's default, appropriately isolating sensitive systems from public access (including via guest Wi-Fi), and ensuring that appropriate security protections are in place on end-user devices.
- Limit Access to Sensitive Information
Organizations should take steps to restrict access to sensitive information. A “need-to-know” baseline is ideal – employees should only have access to information necessary for their assigned responsibilities within an organization. Virtual measures include limiting access to folders and applications to authorized users and encrypting sensitive data, while physical measures can include securing sensitive data in locked file cabinets, restricting access to sensitive facilities where payment card data may be stored, and maintaining a comprehensive access control plan for their facility. Organizations should also take steps to ensure that sensitive customer data is encrypted while in transit between a customer and the business, or between the business and an outside service provider.
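The "need-to-know" baseline described above can be enforced in code rather than left to convention. The following is an added example written for this post, not code from the author or from the PCI Security Standards Council: it assumes a constructed role-to-field policy (the role names, field names and sample record are all invented), releases the full card number only to the one role whose policy lists it, denies anything not explicitly permitted, and writes every decision to an audit trail so access can be reviewed later.

```python
"""Need-to-know access to stored payment records (added example, not from the article).

Assumed policy: each role may see only the record fields its job needs; the full
card number is released only to a role that explicitly needs it; every request is
written to an audit trail; anything not explicitly permitted is denied.
"""

# Constructed role-to-field policy; role names and field names are assumptions.
FIELD_POLICY = {
    "cashier":     {"customer", "amount", "card_masked"},
    "accounting":  {"customer", "amount", "card_masked", "expiry"},
    "chargebacks": {"customer", "amount", "card_masked", "expiry", "pan"},
}

# Constructed sample record; the card number is a widely published test number.
SAMPLE_RECORD = {
    "customer": "C-1042",
    "amount": "42.50",
    "pan": "4111111111111111",
    "expiry": "12/25",
}


class AccessDenied(Exception):
    """Raised when a role asks for data outside its need-to-know."""


def mask_pan(pan):
    """Show only the last four digits; most staff never need the full number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def view_record(role, record, audit_trail):
    """Return the subset of `record` that `role` is permitted to see.

    Deny by default: an unknown role never results in data being released.
    Every decision, allowed or denied, is appended to `audit_trail`.
    """
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        audit_trail.append(("deny", role, record["customer"]))
        raise AccessDenied(f"role {role!r} has no access to payment records")
    # The masked form is derived here so the raw PAN never leaves this function
    # unless the policy for this role explicitly lists "pan".
    exposed = dict(record)
    exposed["card_masked"] = mask_pan(record["pan"])
    view = {field: exposed[field] for field in allowed if field in exposed}
    audit_trail.append(("allow", role, record["customer"], sorted(view)))
    return view


if __name__ == "__main__":
    trail = []
    print(view_record("cashier", SAMPLE_RECORD, trail))
    print(view_record("chargebacks", SAMPLE_RECORD, trail))
    try:
        view_record("marketing", SAMPLE_RECORD, trail)
    except AccessDenied as err:
        print("denied:", err)
    for entry in trail:
        print(entry)
```

The point of the structure is that the policy table is the only place where the full card number can be granted, so widening access is a deliberate, reviewable change rather than a side effect of handing a whole record to whoever asks.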
- Monitor & Audit Access to Resources
Regular audits and monitoring of both physical facilities and virtual systems can help prevent a minor lapse in security from turning into a major incident. Organizations should be regularly auditing access to both physical and virtual resources, as well as testing for vulnerabilities in existing software or services that could be exploited by someone seeking to improperly access sensitive information. Establishing a monitoring program that flags unusual access to systems – either at odd hours, from unfamiliar locations, or in atypical ways – can help organizations identify breaches in security and limit the damage caused.
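A monitoring program of the kind described above can start as a small rule set run over authentication logs. The following is an added example written for this post, not code from the author or from any vendor; the log lines, the business-hours window, the per-user list of known locations and the failure threshold are all constructed assumptions. It flags the three patterns named in the text: access at odd hours, access from an unfamiliar location, and (as one reading of "in atypical ways") a run of failed logins followed by a success.

```python
"""Flag unusual access events in a constructed authentication log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from any real system.
# Fields: timestamp, user, source country, outcome.
SAMPLE_LOG = """\
2020-03-02T09:14:02 alice US success
2020-03-02T09:20:45 bob US success
2020-03-02T23:48:10 alice US success
2020-03-03T10:02:11 alice RO success
2020-03-03T10:05:00 bob US failure
2020-03-03T10:05:20 bob US failure
2020-03-03T10:05:41 bob US failure
2020-03-03T10:06:03 bob US failure
2020-03-03T10:06:30 bob US failure
2020-03-03T10:07:02 bob US success
"""

# Assumed policy values; a real deployment would derive these per user.
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local time
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}}   # constructed baseline
FAILURE_THRESHOLD = 5                           # consecutive failures before alerting


def parse_log(text):
    """Turn the space-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, outcome = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "country": country,
            "outcome": outcome,
        })
    return events


def flag_unusual_access(events):
    """Return (user, reason, detail) tuples for events that match an alert rule."""
    alerts = []
    consecutive_failures = defaultdict(int)
    for e in events:
        user = e["user"]
        # Rule 1: access outside the assumed business-hours window.
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append((user, "odd-hours", e["time"].isoformat()))
        # Rule 2: access from a location not in the user's known baseline.
        if e["country"] not in KNOWN_LOCATIONS.get(user, set()):
            alerts.append((user, "unfamiliar-location", e["country"]))
        # Rule 3: a run of failures, and a success that immediately follows one.
        if e["outcome"] == "failure":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == FAILURE_THRESHOLD:
                alerts.append((user, "repeated-failures", str(FAILURE_THRESHOLD)))
        else:
            if consecutive_failures[user] >= FAILURE_THRESHOLD:
                alerts.append((user, "success-after-failures", e["time"].isoformat()))
            consecutive_failures[user] = 0
    return alerts


if __name__ == "__main__":
    for alert in flag_unusual_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this produces four alerts: alice's late-night login, alice's login from a country not in her baseline, bob reaching five consecutive failures, and bob's success right after that run. Each rule is deliberately simple; the value for a small organization is in having the rules written down and run on a schedule at all, so that the review step in the text has something concrete to review.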
Challenges facing smaller businesses
Smaller businesses may face challenges in meeting some of these requirements: many small organizations have limited or no IT resources. For the smallest businesses with relatively simple operations, such as a food truck, flower shop, or small online store, outsourcing physical point-of-sale, online commerce, and payment card processing may be the easiest way to comply with these requirements. In an outsourced model, the small business never actually receives or handles payment card information, and thus is not responsible for complying with PCI standards. Instead, the outside vendor assumes responsibility for the security of payment data and compliance with applicable standards.
Completely outsourcing all payment processing may not be practical for many small businesses due to the nature of their operations. Examples include a bar that needs to temporarily store payment card data to hold open a customer's tab, or a service provider that automatically bills customers on a monthly basis. In these cases, companies without the necessary IT resources to ensure full compliance should engage a qualified vendor to formulate a plan for achieving compliance.
Larger companies still face organizational challenges
Larger organizations with more sophisticated IT operations or dedicated compliance divisions may be better prepared to pass a PCI audit, but they face their own set of challenges. Legacy systems storing or processing data in a non-compliant manner may need to be updated or replaced in order to ensure compliance; these changes have the potential to introduce the risk of business interruption or burden the business with significant remediation costs. Competing priorities for limited financial and personnel resources may steer an organization towards prioritizing projects with a more visible return on investment over ensuring PCI-DSS compliance.
While PCI-DSS standards have existed for over a decade, a significant number of organizations are still not compliant and face serious legal and regulatory risk as a result. The average cost to respond to a data breach for the largest United States corporations is over $7 million. Non-compliant companies that experience a security breach can face fines of tens of thousands of dollars per month, the loss of their ability to accept credit cards, and exposure to civil litigation from customers impacted by the breach.
Complying with PCI-DSS standards should be viewed as a high priority for all organizations: failing to comply can prove to be a costly mistake that has the potential to destroy an otherwise successful business.