PCI compliance in plain English
PCI DSS compliance requirements are quite complex and vary depending on how many, and which types of, payment card transactions are processed each year. Merchants are required to go through a series of steps, including a Self-Assessment Questionnaire (SAQ) for smaller merchants and service providers, to determine what compliance looks like for their business.
From there, many merchants have to complete, and provide evidence of passing, a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Other steps include completing an Attestation of Compliance in its entirety (it is included in the SAQ tool). Merchants must then submit that documentation, and potentially more, to their acquirer. Enterprise merchants face a whole slew of additional requirements.
This is an extreme simplification of what is required for PCI compliance. While the PCI DSS outlines 12 requirements, the reality is that there are more than 200 sub-requirements that may apply to your business. It's a complex maze, and many merchants eagerly believe that working through it will fully address the evolving threats to customer payment information.
But is that the case?
Is compliance enough?
Heartland Payment Systems Inc. is a great example of why the answer to this question is a resounding "no." The N.J.-based company was breached in 2008, with hackers stealing data on a staggering 130 million payment cards. Here's the kicker: the company insisted that it was certified as fully PCI DSS compliant when the compromise occurred.
If that isn’t enough to send shivers down your spine, consider this: that company was breached again in 2015, when burglars walked out of the Heartland Payroll office in California with televisions, monitors, and 11 password-protected desktop computers. Several of those computers contained personally identifiable information. This occurred just months after the company announced itself as the first in the industry to offer a breach warranty.
Cyber crime is dynamic
Heartland Payment Systems isn't the only company that has fallen prey to the misguided notion that compliance is enough. Home Depot and Target both suffered data breaches while PCI compliant. Why does this happen? It happens when merchants rely on the minimum requirements and fail to plug every hole. Vulnerabilities are not confined to the payment card data that may be stored on your servers. Cyber crime is dynamic, and your security must be, too.
As cyber criminals evolve and become more sophisticated, merchants must be in lockstep to protect business assets and limit the fallout of any vulnerabilities. The entire payment infrastructure must be protected and kept on guard for new vulnerabilities. Here are some ways an organization can achieve this:
Point-to-Point Encryption (P2PE)
Data in transit is data at risk. Employing a P2PE solution can ensure card data is protected while on the move, and it can reduce PCI scope. A validated P2PE solution encrypts card data at the point of interaction (the card-reading device) and decrypts it entirely outside of the merchant's environment (at offsite data centers or in the cloud). In this way, no sensitive cardholder data passes through the merchant's POS in an unencrypted state.
Tokenization
Tokenization complements P2PE by protecting card data at rest. Each customer's primary account number (PAN) is replaced with a token, a series of randomly generated digits that bears no computable relationship to the PAN. The actual PAN remains secured in a token vault, and only the payment processor can map a token back to it. Even if a breach were to occur, hackers would gain access only to the tokens, which are meaningless outside the vault and without value.
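The tokenization flow described above, as an added example that is not code from the original post or from Arrow Payments: a minimal Python token vault (constructed for illustration; the class and function names are assumptions) that swaps a validated PAN for random digits, keeps the last four so receipts still work, and lets only the vault holder map a token back to the PAN.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, used here to reject obviously malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a token vault. Only the processor runs this code;
    the merchant's systems keep the tokens handed out and never see the map."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:          # same card always gets the same token
            return self._pan_to_token[pan]
        while True:
            # Random digits carry no information about the PAN; the last four
            # are kept so receipts and customer lookups keep working.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Processor-side only: the single place a token maps back to a PAN."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # well-known test PAN
    print(token, vault.detokenize(token) == "4111111111111111")
```

A dump of the merchant's database would yield only the tokens; without the vault's mapping, no PAN can be recovered from them.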
Breathe life into your security
Security, PCI compliance, and cyber crime are all living, breathing things. There is no one-size-fits-all solution, nor is security a set-it-and-forget-it proposition. Remaining PCI compliant is an ongoing process, especially as the standard is updated.
It doesn’t stop there for organizations that want to enjoy the full breadth of data protection. Payments security requires collaboration between all key stakeholders and business units and constant re-evaluation of the systems in place.
It sounds like a lot of work because it is. The good news is that Arrow Payments is a trusted payments partner with a storied history of helping organizations achieve PCI compliance (and remain compliant) and implementing P2PE and tokenization solutions. What’s more, we have never had a data breach.
Get in touch to see how we can create a tailored roadmap and execute on it to protect your data from end to end.