PCI compliance is a set of standards and guidelines for companies to manage and secure credit card related personal data. The major credit card companies – Visa, Mastercard, and American Express – established Payment Card Industry Data Security Standards (PCI DSS) guidelines in 2006 in an effort to protect credit card data from theft.
Experts say credit card fraud costs businesses billions of dollars each year in the United States. It should be obvious that cybercriminals are currently winning the war on credit cards. Protecting customer data and payment information needs to be a priority for consumers, businesses, and banks so we can stop wasting billions of dollars on credit card fraud. Understanding and leveling-up your PCI compliance capability is a major part of winning the war.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
Why is PCI Compliance Important for Businesses to Follow?
PCI DSS compliance should be one of the most important ongoing projects in any business that stores and saves customer’s private credit card data. According to the 2018 Verizon Payment Security Report, only 52.5% of all organizations are 100% PCI compliant, and just 39.7% of companies in the Americas. We can do better!
Verizon’s research shows a correlation between companies that experienced a data breach and missing PCI DSS controls. In short: breached companies didn’t follow all of the requirements, which shocks no one.
More importantly, following the PCI DSS helps you keep compliant with data security and privacy laws, such as the General Data Protection Regulation (GDPR) or the Gramm-Leach-Bliley Act (GLBA). PCI DSS represents good data security practices for any organization to follow.
How Do You Become PCI Compliant?
PCI DSS is the roadmap you need to follow to become PCI compliant. For more details on PCI DSS please read our full article on the 12 PCI DSS Requirements.
For more on PCI DSS please read our in-depth article
How Much Does It Cost To Get PCI Compliant?
The answer to this question is complicated.
The cost to be PCI compliance is a pittance compared to the cost of a data breach.
PCI compliance is simply good data security practice and isn’t much different than the NIST or SANS security controls. Think of the cost of PCI compliance more like the “cost of good data security practices” and then make your calculations accordingly.
How Do I Validate My PCI Compliance?
Each credit card company has their own compliance validation levels that they need to adhere to. Either you can perform your own PCI Compliance Self-Assessment Questionnaire (SAQ), or you can contract with a certified PCI Quality Security Assessor (QSA).
PCI Compliance Qualified Security Assessors (QSA)
PCI QSAs are certified and trained to perform PCI security assessments. Different QSAs will be more familiar with one business or another, so if you do go this route make sure to find one that understands your business needs.
PCI Compliance Self-Assessment Questionnaire (SAQ)
The other option is to complete the SAQ, which is a series of yes or no questions to determine your level of compliance with the PCI DSS. Each organization performs the SAQ and submits their quarterly reports to their required organizations.
How Do I Maintain My PCI Compliance?
In order to maintain PCI compliance, you must also engage with PCI compliant credit card processors and banks. The data you protect only matters if that data remains protected across the entire transaction life cycle.
First, you need to employ good data security practices inside your organization and have regular internal audits and quality monitoring of your PCI compliant data. Here are some specific controls you can implement that will help protect your PCI data.
- Discover and Classify Sensitive Data
- Locate and secure all sensitive data
- Classify data based on business policy
- Map Data and Permissions
- Identify users, groups, folder and file permissions
- Determine who has access to what data
- Manage Access Control
- Identify and deactivate stale users
- Manage user and group memberships
- Remove Global Access Groups
- Implement a least privilege model
- Monitor Data, File Activity, and User Behavior
- Audit and report on file and event activity
- Monitor for insider threats, malware, misconfigurations and security breaches
- Detect security vulnerabilities and remediate
Penalties for PCI Compliance Violations
According to the primary PCI Compliance Blog, fines are not published or reported, and usually end up passed to the merchants. Banks pass the fines along as increased transaction fees or termination of business relationships.
Fines vary from $5,000 to $100,000 per month until the merchants achieve compliance. That kind of fine is manageable for a big bank, but it could easily put a small business into bankruptcy.
But, these fines issued by the PCI are small in comparison to credit monitoring fees, laws suits, and actions by state and federal governments that can result when you’re not truly PCI DSS compliant. For example, Target said the total cost of their massive breach of credit card data was over $200 million, which included an $18.5 million legal settlement with 47 state attorneys general.
The Varonis Data Security Platform provides the foundation you need to begin your PCI compliance journey. Varonis maps your folders and folder access and scans your files for PCI compliant data. Once you know where your PCI compliance data lives you can work to reduce the risk of breach and then monitor that data for abnormal access patterns. Varonis protects your PCI data for the long term. You can even run data access reports for your PCI compliance audits.
Frequently Asked Questions
What is the PCI compliance process?
Developed and managed by the PCI Security Council, the PCI compliance process involves a set of technical and operational standards for businesses to follow in order to secure and protect credit card data.
Is PCI compliance required by law?
PCI DSS compliance is a standard and not required by federal law in the U.S. However, some current and future state laws are effectively forcing components of the PCI Data Security Standard into law.
What is PCI compliance and do I need it?
To be in accordance with the PCI compliance Security Standard Council, any merchant planning to transmit, store, or process credit card data is required to be PCI compliant.
How do I get PCI compliance?
PCI compliance is a continual process that involves adhering to the 12 PCI DSS requirements. Generally, obtaining PCI DSS compliance for an organization involves the following four things:
- Reviewing the PCI DSS requirements for compliance in detail. There are 6 broader goals, 12 requirements, and roughly 251 sub-requirements to review.
- Identifying your organization’s compliance requirements. Depending on your business category, as defined by the PCI Council in terms of transactions per year, you will have a unique set of requirements for your organization to follow.
- Reviewing your current processes and creating a plan to operationalize the requirements you need in order to obtain PCI compliance.
- Filling out a Self-Assessment Questionnaire (SAQ) or obtaining the assistance of a certified QSA for your final PCI compliance assessment.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.