Target experienced a massive data breach in 2013, where hackers stole up to 40 million credit and debit cards. Over the ensuing years, the retail giant spent upwards of $200 million settling claims from financial institutions, state regulators and consumers affected by the data breach. The source of the attack was a third-party HVAC contractor with access to IT systems.
While Target is large enough to weather the storm, many small- to mid-sized retailers don’t survive a data breach. It’s estimated that 43% of major data loss victims immediately go out of business and only six percent survive two years. Merchants must ensure that credit card information is safely secured from all kinds of different attack vectors.
Let’s take a look at a set of data security standards known as PCI DSS, a framework that was developed by the payment industry to address these very concerns. We’ll also discuss how to ensure that you comply with these standards, and cover other important considerations surrounding them.
What is PCI DSS?
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of standards developed by the five largest credit card brands in 2006. Facing a growing number of Internet transactions and increased risk of data theft, Visa, MasterCard, American Express, Discover, and JCB created the standards with the goal of preventing data breaches in the digital era.
The PCI standards target six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The standards apply to credit card readers, point-of-sale (POS) systems, store networks, storage systems, transmission mediums and even paper-based records. If a merchant isn’t compliant, fines range from $5,000 to $100,000 per month until they regain compliance, along with any losses from fraud, legal costs, loss of confidence and other unquantifiable costs.
The PCI Security Standards Council updates and maintains the standards, but the individual credit card brands are responsible for enforcing them among organizations that accept credit cards. Any fines are sent to the merchants’ acquiring bank, which usually passes them on to the merchants, and may decide to take other actions, such as terminating their accounts.
Does PCI DSS Affect You?
The PCI DSS standards have different levels depending on the merchant’s processing volume. Merchants that process fewer than 20,000 ecommerce transactions might mostly self-assess their security, while those processing more than six million transactions per year have extensive requirements that could cost more than $50,000 per year to meet.
Many merchants use third-party platforms to avoid PCI DSS compliance issues. For example, online merchants using Stripe or PayPal to process payments don’t need to comply with PCI DSS standards since they never actually capture, transmit or store credit card information — transactions are made by leaving the website or using programmatic techniques.
That said, any ecommerce or retail business processing transactions — including those not subject to PCI DSS compliance — should implement cybersecurity measures to protect both customer data and their own data. A data breach that compromises a customer’s order history may not be as severe, but you may still need to report it and handle the fallout.
How to Become PCI DSS Compliant
PCI DSS compliance covers everything from physical security measures in data storage locations to the encrypted transmission of cardholder data during e-commerce transactions. Depending on the merchant’s processing volume, it may be necessary to hire an Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA) to audit these measures.
Let’s take a look at an example standard from the PCI DSS:
The “PCI DSS Requirements” column describes the standards that you need to meet in order to be compliant; the “Test Procedures” column describes how to audit your compliance; and the “Guidance” column provides more information about the underlying intent of the rule to clarify any uncertainty. Each of the 12 core requirements is broken down into these three subsections within the 139-page document.
A Qualified Security Assessor (QSA) will conduct the test procedures to ensure that the technology or policy meets the requirements. If it doesn’t, they may help address any shortfalls so that you can avoid costly fines and potential risks. It’s important to select knowledgeable QSAs that can help you not only reach the minimum requirements for compliance, but also integrate these standards within your larger cybersecurity framework.
How Lockstep Can Help
Lockstep Technology Group has a deep understanding of PCI DSS regulations. As a Qualified Security Assessor Company (QSA-C), we are certified by the PCI Security Standards Council to help merchants of any size conduct necessary audits. We also provide a wider range of cybersecurity solutions to mitigate risk and minimize the chances of a data breach.
Our comprehensive PCI DSS services include:
- PCI Penetration Testing
- PCI Gap Analysis
- PCI ASV Scanning Services
- PCI SAQ Guidance
- PCI DSS Reports on Compliance (ROCs)
- PCI Risk Assessments
- PCI Executive Workshops
- PCI QSA Remediation Guidance
- PCI Scope Reduction Strategy
Unlike many other ASV or QSA resources, we don’t just validate compliance with PCI DSS standards. We are a partner that helps you evaluate PCI DSS risks, identify gaps and develop a plan, as well as provide ongoing expertise to maintain compliance. If required, we also advocate on your behalf to payment partners to remain compliant.
Contact us today to receive more information about how your business can become compliant or regain compliance.
The Bottom Line
The PCI DSS standards are designed to prevent data breaches by enforcing security best practices. With 12 core requirements broken down into nearly 140 pages of specific, testable standards, the PCI DSS can be an intimidating requirement for many small- to mid-sized businesses — especially those that fear they may not be compliant.
If you’re capturing, transmitting or storing cardholder data, and you haven’t conducted a PCI DSS audit, you may want to consider hiring a certified auditor like Lockstep to ensure that you’re compliant. It could help you avoid fines of up to $50,000 per month.
Contact us today to learn more about PCI DSS compliance and how we can help. With our guidance, you can turn PCI DSS compliance into your competitive advantage moving forward.
Lockstep Technology Group is an IT consulting firm that partners with IT leaders in planning, developing, and implementing enterprise-class technology solutions.