
PCI FAQs and Myths

By Kirsten Gramigna
Chief Marketing Officer for BluePay

As a compliance officer at your company, you’re expected to understand PCI compliance — and to keep pace with the ever-evolving security standards that relate to it as cybercriminals continually adopt new means of accessing sensitive customer payment information and similar data.

Yet PCI compliance can be a complex topic to interpret and execute, even for seasoned compliance professionals. This presentation is designed to help you separate the common myths from the facts that tend to surround PCI compliance, and decipher the aspects of PCI compliance that matter most to your company.

Your Company’s Transaction Patterns Dictate Your Specific PCI Compliance Standards

The Payment Card Industry security standards outline which PCI compliance standards merchants should follow based on the number of credit and debit card transactions they process over the course of a 12-month period. PCI compliance practices also vary based on the payment brands (such as Visa, MasterCard, Discover and American Express) a company accepts, and whether it processes payments at a point of sale, online, via a mobile device or in a call center environment.

PCI Compliance is Equal Parts Technology Preparedness — and People Development

Many PCI compliance standards pertain to the technology your company uses, including the security of firewalls, your ability to thwart ransomware and malware, your technology teams’ ability to proactively identify and address potential vulnerabilities in networks, and the PCI compliance measures that your third-party vendors and payment processors use.

Yet compliance officers must also instill companywide processes addressing human behaviors that violate PCI compliance and increase the likelihood of a security breach. Preventive measures to reduce the likelihood of a breach may include:

  • Ensuring that your technology teams react to warning signs of suspicious activity. Target’s 2013 security breach compromised more than 100 million customer records, including card numbers, account information, emails and addresses, yet technology executives have publicly admitted that the corporation’s security software had provided warning signs of suspicious activity. The breach was ultimately successful because the corporation’s technology experts didn’t respond to them appropriately.
  • Educating customer-facing staff on PCI compliant processes. All point-of-sale employees need to be consistently trained on best practices for how to handle customers’ sensitive data during standard payment transactions, and how to respond when disruptions to the payment processing network occur. For example, the PCI standards state that an employee should never retain the three- or four-digit verification number on the card, or the full 16-digit personal account number.
  • Establishing internal processes for network access to improve security controls. Nearly 95 percent of security breaches originate with email, yet an increasing number of employees need to access corporate email and work-related information from offsite locations, using mobile devices and personal computers to perform their jobs. At the same time, many customers have come to expect that a business will provide access to Wi-Fi or similar connectivity. As a result, current PCI compliance standards state that a company’s public Wi-Fi, Internet-connected security cameras and IP phones are not to be connected to the same network you rely on to process payments. The standards also address how to ensure the security of web applications — including those that were designed before the importance of PCI compliance was widely understood.
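The rule in the second bullet (never retain the card verification number or the full account number) is easy to state and easy to violate by accident, most often through a log line or a saved transaction record. The following added example, which is not part of the original article or BluePay’s software, shows two defensive controls in Python: a sanitizer that drops card verification fields and masks the account number to its first six and last four digits before a record is stored (the masking convention PCI DSS allows for displayed PANs), and a log scanner that flags any unmasked, Luhn-valid account number that slipped into application logs. The record, the log lines and the field names are constructed for the example.

```python
import re

# Field names treated as sensitive authentication data that must never be stored
# after authorization. Constructed list for this example; adapt to your own schema.
SENSITIVE_AUTH_DATA = ("cvv", "cvc", "cid", "pin", "track_data")

# Constructed sample: the kind of in-memory record a point-of-sale or call-center
# application might hold for a single transaction. 4111 1111 1111 1111 is a
# well-known test number, not a real account.
SAMPLE_RECORD = {
    "customer": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/29",
    "amount": "42.10",
}

# Constructed log lines: one leaks a full PAN, one is correctly masked, and one
# contains a 13-digit order id that is not a card number.
SAMPLE_LOG_LINES = [
    "2024-05-01 12:00:01 INFO payment approved pan=4111111111111111 amount=42.10",
    "2024-05-01 12:00:02 INFO payment approved pan=411111******1111 amount=42.10",
    "2024-05-01 12:00:03 INFO order id=1234567890123 created",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: auth data removed, PAN replaced by its mask."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    if "pan" in cleaned:
        cleaned["pan_masked"] = mask_pan(cleaned.pop("pan"))
    return cleaned


# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid card number found in one line of text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))  # report the mask, never echo the full PAN
    return hits


def scan_log(lines) -> list:
    """Return (line_number, [masked PANs]) for each line that leaks a card number."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_unmasked_pans(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    print("stored record:", sanitize_for_storage(SAMPLE_RECORD))
    for number, hits in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: unmasked PAN(s) found: {hits}")
```

The scanner deliberately reports only the masked form of what it found, so the detection output itself does not become a second copy of the card number. The Luhn check keeps ordinary 13-to-19-digit identifiers such as order numbers from being flagged, which matters when the scan runs over large log volumes.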

Know How to Conduct Audits to Ensure PCI Compliance

PCI compliance can be challenging even for trained compliance officers, but in reality, a thorough audit involves only 12 steps. Compliance officers can partner with third-party vendors who specialize in guiding quarterly PCI compliance audits. These audits are designed to help companies of all sizes scan for external and internal vulnerabilities, and address them to ensure PCI compliance. (The PCI Security Standards Council also provides a list of Qualified Security Assessors who conduct on-site PCI compliance audits.)

Although PCI compliance standards have been in place since 2006, there remains quite a bit of misunderstanding about what it means to be PCI compliant — even among skilled compliance professionals. Use these guidelines to develop an understanding of how your company’s current business model may need to adjust some of its payment and data handling processes to enhance security and ensure PCI compliance, and to develop best practices so your company, staff and customers are protected.
