According to Verizon, in 2019 71% of data breaches were financially motivated. IBM estimated that last year the global average cost of a data breach reached $3.86 million. These numbers indicate a need for strong cybersecurity measures across all industries.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and measures aimed at protecting debit and credit card transactions and information from fraud. It was introduced by MasterCard, Visa, American Express, Discover Financial Services, and JCB International.
There is no single government authority that imposes and enforces a business's compliance with PCI DSS, but any business handling this data directly or indirectly must obtain the certification and follow the guidelines it sets.
Only 27.9% of businesses are PCI DSS compliant. This is not enough to ensure there are no leaks and breaches. Obtaining the certification is not easy, but it ensures that all cardholders' data is secure.
Levels of PCI DSS Compliance
There are four levels of PCI DSS compliance and certification:
- Level 4 — can be obtained by merchants processing fewer than 20 thousand e-commerce transactions or up to 1 million real-world transactions annually.
- Level 3 — can be obtained by merchants processing between 20 thousand and 1 million e-commerce transactions annually.
- Level 2 — can be obtained by merchants processing between 1 and 6 million real-world credit and debit card transactions annually.
- Level 1 — the toughest level. It can be obtained by merchants processing more than 6 million real-world transactions annually.
At every level, merchants must pass annual assessments and scans to confirm that they still maintain the required level of security and remain eligible for the certification.
Requirements of PCI DSS Certification
To obtain the certification, merchants must meet 12 requirements:
- Firewalls must be installed and maintained to protect cardholders' data.
- Vendor-supplied default passwords and security settings must not be used.
- All stored cardholders' data must be protected.
- Transmission of cardholders' data over open, public networks must be encrypted.
- Antivirus software must be used and updated regularly.
- All systems must be updated and maintained in accordance with the security policies.
- Access to cardholders' data must be restricted to those who need it for their work.
- Each person and each piece of equipment with system access must have a unique ID.
- Physical access to cardholders' data must be restricted.
- All access to cardholders' data must be tracked and monitored.
- All security systems and processes must be tested and scanned on a regular basis.
- An information security policy covering the entire team must be maintained as a separate document.
A breach of any one of these conditions can result in the certification being revoked.
There are several steps a business might take to make sure the certification process is smooth:
Make Security a Backbone of the Company
Business owners report that cyberattacks have increased by at least 68%, and businesses have increased their cybersecurity budgets by 25% on average. More companies have started treating cybersecurity as one of their core functions. This means that security standards like PCI DSS will become more common and more often required over time.
Train the Team Properly and in Accordance With All Standards
On average, 17% of sensitive company data is available to the entire team. Whenever this is the case, it is a major oversight on the security team's part. The team needs to understand its responsibilities and limitations and be ready to report any violation it sees, whether it comes from inside or outside the company.
The SupportYourApp team not only conducts training during onboarding; our entire team also regularly passes exams and tests to make sure we know and remember everything about the cybersecurity standards, compliances and certifications we hold. This way we eliminate the risk of leakage or breaches originating from our team and ensure we all speak the same language.
Ensure There Are Logs and Records of Everything
Everything must be logged and recorded: from physical access to the office premises to access to individual files, server rooms and so on. This not only prepares the team for the restrictions that come with PCI DSS, but also makes identifying the source of a leak easier, should the need arise.
Logs and records establish a certain discipline within the team and help prepare for any future certification.
Make Restricted Access a Norm
It is estimated that an average business encrypts only 5% of its folders.
30% of data breaches involve members of the team, meaning they could be avoided or minimized if professionals only had access to the folders and information they require. Making restrictions and boundaries the norm shields sensitive information from unauthorized access and breaches.
Besides the possible difficulties of preparing for and obtaining the certification, there are also consequences a business can suffer if the conditions of the PCI DSS certification are breached.
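The following is an added example, not code from the original article or from SupportYourApp, showing how the requirements above (protecting stored cardholder data, need-to-know access and tracking every access) and the advice on logs and restricted access combine in practice: every lookup of a card record is authorized against a role list and written to an audit entry that carries only a masked card number and a keyed reference, never the full PAN. The role names, the HMAC key and the sample card number are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Roles permitted to handle cardholder data (need-to-know). Constructed for this example.
CARDHOLDER_DATA_ROLES = {"payments-ops", "fraud-analyst"}

# Secret used to derive a stable reference to a card without storing the PAN.
# Constructed placeholder; in practice this lives in a key store, never in source.
PAN_REF_KEY = b"example-only-hmac-key"


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest (PCI DSS masking rule)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = PAN_REF_KEY) -> str:
    """Keyed hash so repeated access to one card can be correlated without keeping the PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def record_access(user_id: str, role: str, pan: str, action: str, now=None) -> dict:
    """Authorize one access to a card record and return the audit entry.

    The entry is produced for denied attempts too, so monitoring sees them.
    The caller must only release the card record when entry['result'] == 'allowed'.
    """
    allowed = role in CARDHOLDER_DATA_ROLES
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user_id,
        "role": role,
        "action": action,
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "result": "allowed" if allowed else "denied",
    }
    # Last line of defence: the serialized log line must never contain the full PAN.
    full_pan = "".join(ch for ch in pan if ch.isdigit())
    if full_pan in json.dumps(entry):
        raise RuntimeError("refusing to write an audit entry containing a full PAN")
    return entry
```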
Breach of Conditions: What Are the Consequences?
The penalties for PCI DSS non-compliance range from $5,000 (for Mastercard) or $10,000 (for Visa) up to $100,000. The penalties are paid monthly until the non-compliance is resolved. This is only one of the penalties the merchant faces. There is also the possibility of lawsuits, the resulting financial losses and a blow to the customer base and reputation.
Banks might also impose additional penalties, such as increased transaction fees, and can even terminate the relationship with the merchant altogether.
‼️ The penalties go beyond a plain breach of the PCI DSS certification. The business should also consider that a breach of PCI DSS also implies a breach of other compliance regimes such as GDPR or ISO standards, which can likewise result in lawsuits and additional monetary and reputational losses for any business.
Perks of PCI DSS Certification
⬇️ Reduced risk of data breach — getting the certification is not about compliance alone. It is about bringing the company's software and hardware up to standard. 63% of breaches occur because of faulty or outdated hardware. PCI DSS certification can push businesses towards updating their entire system, further ensuring the safety of users' data.
✨ Improved customer loyalty — 64% of customers are unlikely to do business with a company that has had issues with personal data safety. Taking the time and effort to make the system not only secure but PCI DSS-eligible establishes a trusting bond and can turn customers towards a business.
💼 Makes cybersecurity part of the company culture — human error is the reason for 95% of cybersecurity attacks, yet only 31% of professionals receive annual cybersecurity training. The majority of teams lack training and knowledge of what measures must be taken to prevent cyberattacks. PCI DSS certification can give any team the push it needs to make cybersecurity and data protection policies the core of company training and culture.
PCI DSS and SupportYourApp
💛 🔐 SupportYourApp security standards have always met the highest requirements of the industry. We obtained our PCI DSS Level 1 Service Provider certification in summer 2020. Our clients' and customers' security is our primary concern. We take all measures to ensure top-level security for everyone using our services.
Anna has been working as a writer for 5 years. She previously wrote about financial markets, researching the state of bonds and stocks on a daily basis. She is a keen reader with an interest in historical literature and international cuisine. Her latest obsession — customer communication and ways to perfect it. If you want to connect with Anna, follow her on LinkedIn.