Shoring up PCI compliance
- By Jack Blanchard
- Jun 08, 2017
As governments look for more ways to reduce costs, electronic payments have become an economical method of purchase. Using credit or debit cards reduces the time it takes to receive funds, is less error prone and makes it easier for residents to pay.
Any agency that stores, processes or transmits card data must comply with the Payment Card Industry Data Security Standard. This standard consists of 12 broad requirements in addition to over 200 line-item requirements. A full list of the requirements can be found at the PCI Security Standards Council website.
There are several advantages to becoming PCI compliant:
- It protects residents’ card data and reduces the risk of a data breach.
- It helps prepare agencies to detect and prevent both physical and network-based attacks.
- It boosts residents’ confidence with using card payments for agency fees.
- It offers a security standard for agencies to follow.
- It can improve operational efficiency.
- It reduces the cost of a data breach.
“While PCI compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal,” the mobile payment vendor Square said. “In fact, a 2015 Verizon Data Breach Incident Report found that there were almost 80,000 data security incidents this year. So it’s more important than ever that your payment processing life cycle is secure.”
For those agencies that don’t meet the PCI requirements, the card brands may levy penalties, revoke services or even suspend their accounts. In the event cardholder data is compromised, agencies may suffer the financial loss and be responsible for having cards reissued, as well as for any future detection and prevention services required by the card associations. Agencies may be fined by the card associations based on the number of card numbers stolen, and they may see increased transaction fees in the future.
Up-to-date PCI compliance can prevent these repercussions.
After meeting the initial security requirements of PCI compliance, all agencies and service providers must validate annually that they are still in compliance. Validation includes passing a vulnerability scan performed by an approved scanning vendor, and the required validation level is based upon the agency’s number of card transactions or its size.
Merchants or agencies with fewer than 6 million transactions per year (levels 2, 3 and 4) must complete the PCI self-assessment questionnaire along with an attestation of compliance. After completion, the merchant’s acquiring bank must receive the results and documentation.
Level 1 agencies (those with over 6 million transactions in the past year) must submit to an annual on-site audit by a qualified security assessor that has passed the PCI Internal Security Assessment Training Program.
If a level 2, 3, or 4 agency has a breach where card data is compromised, it may be assigned level 1 validation and be subject to higher scrutiny in the future.
PCI is not just an “IT problem”
One of the challenges with PCI compliance is the myth that it is strictly an IT problem. Because a major part of compliance has to do with network security, it appears to fall squarely under the umbrella of technology. The reality, though, is that attackers are more likely to find inroads to an agency’s sensitive card data through non-technical methods and people. Employees working with card payment systems must be trained on how their job role fits within PCI compliance.
Agencies should shore up their PCI compliance before the end of the fiscal year. PCI compliance is not a once-and-done project, however. It requires agencies to meet all of the guidelines each year to maintain compliance.
Don’t wait until a resident’s credit information is stolen before taking action with PCI compliance. Plan now to update compliance and be sure it’s in the budget for the next fiscal year.
Jack Blanchard is lead federal SE for Core Security.