Page 36 - GS190801
Education

PCI compliance simplified

By Nicholas P. Cucci
Fluid Pay LLC

You'd think a titan like Capital One would be PCI compliant, but a misconfigured firewall was reportedly behind the recent theft of data related to approximately 100 million businesses and individuals that applied for Capital One credit cards. If true, Capital One failed the requirement set forth in the Payment Card Industry Data Security Standard (PCI DSS): Install and maintain a firewall configuration to protect cardholder data. Unfortunately, Capital One is not alone.

The PCI DSS applies to all companies of all sizes that accept, store and transmit cardholder data, including, for example, merchants, payment gateways and processors.

According to The Privacy Rights Clearinghouse, over 11 billion consumer records have been compromised from more than 10,000 breaches. The purpose of PCI compliance is to protect cardholder data and restore trust in the payment process. It sets forth a minimum standard for security and data. If you abide only by the PCI DSS, you are already behind.

Here are compelling facts from the in-depth Verizon 2017 Payment Security Report:

• Retail organizations demonstrated the lowest PCI compliance sustainability across all key industries.
• The IT service industry achieved the highest ranking.
• 77 percent of companies assessed after a data breach were not in compliance with the number one PCI requirement to install and maintain a firewall configuration.
• A "demonstrable" correlation exists between businesses that are up to date on PCI requirements and businesses that have successfully defended themselves against cyber threats.
• The number of fully compliant businesses is growing dramatically year over year.

Main areas of PCI compliance

The PCI DSS can get muddy quickly. It contains over 1,800 pages of official documentation and more than 250 security controls to follow. It can take reading 100+ pages before you figure out what form of compliance you are required to abide by.

The three main areas of PCI DSS compliance are:

1. Handling and transmission of customers' credit card data and other sensitive information. If your merchant or company doesn't need to handle sensitive data, don't. Use a third party, anything from a processor to a processor-agnostic payment gateway. Let the liability of maintaining compliance lie with the "service provider." Gateways can accept and store data while removing merchants from PCI scope. Data will never touch the merchants' servers, making the company's PCI compliance as straightforward as a Self-Assessment Questionnaire.

2. Storing data securely. This includes such actions as encryption, ongoing monitoring and security testing of access to card data. If you or your merchants are going to store credit card data, you need to define the cardholder data environment (CDE). The CDE is described as the people, processes and technologies that store, process or transmit cardholder data. This is where mapping data flows is extremely important. You need to identify every consumer-facing area of the business. Ask questions, for example: Do you use a shopping cart? Terminals for retail? Orders over the telephone?

From each one of those standpoints, map the ways in which data is transferred and who has access to it. Finally, after the data has been transferred, identify internal systems or technologies that touch the transactions. This is inclusive of everything from your network to data centers and even cloud environments like payment gateways. It is highly recommended that you use a third party, for example, a payment gateway, to store and process transactions.

Using a cloud-based service provides high availability included in a bundled price, while also offering multiple infrastructure solutions. It makes things a lot easier to integrate with, or even to keep data-redundant backups in multiple Internet grids. For instance, instead of large payment companies having to host in multiple data centers on different Internet grids, you can spin up virtual machines in each grid using cloud systems like Google Compute Engine or Amazon Web Services. Also take into consideration the cost of buying servers for each location. It can quickly require millions of dollars, depending on the infrastructure you want to achieve. Plus, if a company is server based in multiple data centers, is it "hot swap" capable? Most likely not.

3. Validating annually to maintain compliance. Your business is required to validate your compliance every year. This is an absolute must and can take a variety of forms such as questionnaires, external scans and third-party audits. Your business partners may request this before engaging in future business with you to mitigate their own risk and make sure things are as compliant as they seem – hopefully more so.

Payment processors typically request this validation, as they are responsible for reporting compliance to the card brands.
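As an added illustration of the data-flow mapping described under point 2 (example code written for this page, not from the article or Fluid Pay), the following Python models a merchant's consumer-facing channels and the flows between systems, then derives which merchant-owned systems end up in the CDE. The system names and both flow inventories are constructed sample data; the second inventory shows the scope reduction the author describes when a gateway accepts card data directly and the merchant only ever receives a token.

```python
from collections import defaultdict, deque

# Constructed sample inventory for a hypothetical merchant. Each flow is
# (source system, destination system, carries cardholder data?).
FLOWS_DIRECT = [                                # merchant handles card data itself
    ("shopping_cart", "web_server", True),      # cart posts the PAN to the merchant
    ("web_server", "gateway", True),            # merchant forwards it to the gateway
    ("web_server", "order_db", True),           # and stores it locally
    ("retail_terminal", "gateway", True),
    ("phone_order_desk", "crm", True),          # staff key the PAN into the CRM
    ("order_db", "reporting", False),           # order totals only, no card data
]
FLOWS_GATEWAY = [                               # gateway accepts card data directly
    ("shopping_cart", "gateway", True),         # hosted payment page
    ("gateway", "web_server", False),           # merchant gets a token + auth result
    ("web_server", "order_db", False),
    ("retail_terminal", "gateway", True),       # terminal talks straight to the gateway
    ("phone_order_desk", "gateway", True),      # virtual terminal, nothing kept locally
    ("order_db", "reporting", False),
]
CHANNELS = ["shopping_cart", "retail_terminal", "phone_order_desk"]


def card_data_paths(flows, channels):
    """For each consumer-facing channel, follow only the flows that carry
    cardholder data and return every system that receives it downstream."""
    graph = defaultdict(list)
    for src, dst, carries_chd in flows:
        if carries_chd:
            graph[src].append(dst)
    paths = {}
    for channel in channels:
        seen, queue = set(), deque([channel])
        while queue:
            for nxt in graph[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        paths[channel] = seen
    return paths


def cde_systems(flows, third_party=("gateway",)):
    """Merchant-owned systems in the CDE: every endpoint of a flow that carries
    cardholder data, minus the outsourced provider that carries the liability."""
    touched = set()
    for src, dst, carries_chd in flows:
        if carries_chd:
            touched.update((src, dst))
    return touched - set(third_party)
```

Calling cde_systems on each inventory shows the web server, order database and CRM dropping out of scope once the gateway receives the card data, leaving only the capture points (cart, terminal, phone desk) in the merchant's CDE.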