What is PCI or PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies accept, process, store and transmit credit card information in a maintained secure environment. These security standards are managed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body that was created by some of the most recognised card payment brands. The payment card brands are responsible for enforcing PCI compliance, not the council itself.

Who must comply with PCI DSS?

PCI DSS applies to any organisation that stores, operates, processes, or transmits cardholder data. These security requirements remain the same for all traders and service providers, across any industry sector. PCI compliance is not a one-time event, it’s an ongoing activity which means actively monitoring business systems or technologies and maintaining these; by keeping up to date with regulations. Most security gurus agree that many of the requirements can be addressed with security best practice procedures. Businesses should be identifying and prioritising vulnerabilities, by conducting regular checks using strong cryptography, safe security protocols and deploying anti-virus software on all systems in order to safeguard sensitive cardholder data.

Why is PCI Compliance important for businesses?

Failure to uphold to PCI security standards, especially those leading to a data breach can result in damaging financial repercussions to your business, including fines, fees, and loss of business. Not complying with the standards can also be seen as bordering on negligence. Charges for a data breach can depend on a range of factors, including the number of cards that are compromised, the impact these have and the consequent financial scale of the breach. Your business can receive a fine ranging from £3,000 to £60,000 depending on your bank’s merchant account agreement. A breach could also land you with a ban from accepting cards and an increase in fees to process card payments.

Know Your Attack Surface

Organisations should make sure they have visibility into the devices and software they have on their networks. Are there unauthorised devices on the network? Is there unauthorised or unmanaged software throughout the network that brings risk into the environment?

From there, organisations can define their attack surface, or the total of points of interaction which could present access to a vulnerability or misconfiguration. An attack surface also covers fully authenticated and authorised connections. Indeed, every interaction to a corporate network presents a certain amount of risk, so it’s important an organisation documents every connection to understand the corresponding level of risk posed to the business.

Minimise Your Attack Surface

Once organisations know what they have on their networks, they need to make sure that all those devices, applications, and operating systems are configured properly and securely. They should be configured to a defined ideal and secure state following industry best practices and standards as well as internal policies. This is often called “hardening” systems to reduce the attack space.

Due to the number of interactions on most corporate IT environments, it’s unlikely that organisations can reduce their attack surface as an enterprise project. Even so, they can target certain points that amplify benefit. They should also review their vulnerability management program and other tools to determine if those solutions can be configured to provide insight into the attack surface.

Monitor Your Attack Surface

Once systems are configured and patched appropriately, they should be monitored for any changes and new risks. This includes checking for and fixing vulnerabilities, making sure secure configurations are maintained, managing administrative privileges, and paying attention to log data. Keeping track of administrative privileges and log activity will also help identify and investigate suspicious activity.

Organisations should then take this information and track it overtime. Whatever trends result from that process can eventually help them make business decisions that reduce risk.

Going Beyond the Check-Box

 Major data breaches happen because of a simple misconfiguration issue or failure to patch a known vulnerability. With that said, strong system integrity and adequate security posture must be built strategically and holistically, not through a check-box exercise. Only then can organisations effectively comply with PCI and GDPR and most importantly manage their risk against serious data breaches and cyber incidents.

To sum up, PCI DSS standards apply to all companies that ask for sensitive credit card information. To comply is to protect the privacy and security of customer data by conducting regular checks. Once you know where your PCI compliance data lives, you can work to reduce the risk of breach and then monitor that data for abnormal access patterns; by conducting regular vulnerability scans or penetration tests. Tripwire has a long history of helping companies achieve compliance since the earliest days of the PCI DSS standard. Both Tripwire and Nexus Fusion are working in Partnership to bring recommendations to your business, making implementation more efficient and effective. Let us know how we can help you!

Find out more information at https://www.tripwire.com/solutions/compliance-solutions and regulate your compliance with Tripwire.