Shopping online has become second nature for consumers around the world. Coupled with a plethora of capable devices, the explosive popularity of digital payment services has given us the means to buy goods and services at any time, from practically anywhere. Conversely, businesses of all sizes have been tasked with building a fortress around the ongoing flow of transactions and the sensitive data that accompanies it. That challenge is compounded by a host of evolving regulatory demands.
In 2006, the five leading credit card institutions created the Payment Card Industry Data Security Standard (PCI DSS), a set of guidelines designed to preserve the integrity of e-commerce. The standard came along at a critical point in the digital age, when people were growing increasingly comfortable buying goods and services from web-based storefronts. As e-commerce began to flourish, with revolutionary payment solutions to accommodate online shoppers, cyber criminals set their sights on the precious data passing from consumers to merchants.
A Multi-layered Conundrum
When it comes to payment processing, the threat of a malicious attack constantly lingers. However, there is plenty of evidence to suggest that businesses can be just as detrimental to their own data security efforts.
In July 2021, cyber security researchers discovered a vulnerable database that contained more than 82 million records shared between Whole Foods Market and the public safety uniform retailer Skaggs. The database exposed names, residential and email addresses, partial credit card numbers, and other sensitive details linked to customer orders. Perhaps the most alarming detail is that the database was essentially left wide open, with no password or encryption to keep snoopers out.
Unlike HIPAA in the healthcare industry, the PCI standard is not mandated by federal law, but that doesn’t make it any less paramount to data security. The penalty for non-compliance is costly on multiple fronts. Fines can run anywhere from $5000 to $100,000 per month depending on the specifics of the penalty. These costs grow further once lawsuits and intervention from credit monitoring agencies and local governments are factored into the equation.
The Road Traveled
Established by the PCI Security Council, PCI compliance is characterized by a specific set of procedures online vendors, system administrators, and IT security professionals are required to follow in order to safeguard credit card data. Below, we have outlined the fundamentals of both achieving and maintaining PCI compliance.
1. Identify Pertinent Data
The first step to PCI compliance is identifying any cardholder data across the network and classifying that information based on its level of importance and sensitivity. This assessment stage presents the challenge of devising a strategy that fits your data processing requirements, as determined by the PCI council, while keeping costs manageable. From here, you can develop a data protection strategy based on the size and complexity of your scope.
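As an added illustration of this discovery step (example code written for this article, not DataLocker's product or the PCI council's tooling), the scanner below sweeps text lines for candidate primary account numbers, uses the Luhn checksum to discard most non-card digit runs, and reports each hit with all but the last four digits masked so the report itself does not become a new copy of cardholder data. The log lines, the `orders.log` source name and the `Finding` structure are constructed assumptions for the demo; the card numbers are the widely published test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a PCI-style masked display."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    source: str      # hypothetical file or system name being scanned
    line_no: int     # 1-based line in that source
    masked_pan: str  # never the full number


def scan_lines(source: str, lines) -> list:
    """Return one Finding per Luhn-valid candidate found in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, n, mask_pan(digits)))
    return findings


# Constructed sample lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2021-07-14 order=10021 card=4111111111111111 amount=59.99",      # Luhn-valid
    "2021-07-14 order=10022 card=4111-1111-1111-1112 amount=12.00",   # fails Luhn
    "2021-07-14 order=10023 phone=+1 555 0100 card=5555 5555 5555 4444",
    "2021-07-14 order=10024 tracking=1234567890123",                  # 13 digits, fails Luhn
]

if __name__ == "__main__":
    for f in scan_lines("orders.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked_pan}")
```

Run against the sample, the scanner flags lines 1 and 3 and ignores the mistyped number and the tracking id. The Luhn check cuts false positives sharply but does not eliminate them, so in practice a hit is a lead for the classification step, not proof that a system is in scope; the masked output is what should go into tickets and reports.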
2. Implement Data Access Controls and Permissions
PCI compliance is affected by every resource within the network that comes into contact with cardholder data. That goes for IT systems and processes as well as the personnel responsible for managing the technology. Once you have determined who needs access to which sets of data, you can implement permission-based controls and monitor that access accordingly.
3. Consider the Data Lifecycle
The commitment to PCI compliance must be honored throughout the life span of the data at hand. IT security specialists are encouraged to think beyond operational requirements to ensure that backups provide the same level of integrity and quality as production data. At the end of the life cycle, all data and associated media should be properly disposed of to preserve confidentiality. This includes local storage as well as remote systems that may be hosted by third-party service providers.
4. Devise a Response Plan
In the event that confidential data is compromised, businesses need the peace of mind that comes from knowing they can recover and resume business operations rapidly. A comprehensive response plan is marked by clearly defined roles and responsibilities, in addition to communication protocols that enable responders to quickly reach the appropriate parties. Whether those parties are customers, business partners, or legal counsel, the success of your recovery efforts will be determined by your ability to respond to adversity.
5. Educate Data Handlers
We all know what they say about assumptions. Well, keep that old adage in mind where PCI compliance is concerned. Data security is a team effort that requires alignment from the employee level to upper management. Only through continuous education can it be assured that all parties involved understand the importance of compliance and the rigorous procedures required to maintain it over time.
PCI compliance is a lot easier with the right technology at your disposal. DataLocker offers a line of encrypted drives for organizations that demand the utmost in data security and privacy. Contact our representatives for a custom demo.