According to the FBI, there have been 72,295 violent bank robberies since 2005. However, in the same time period, there have been over 234 million sensitive record data breaches. Banks have been, and will continue to be, the main target for financial crimes, as they have the big bucks. But that doesn’t mean your data should be vulnerable. Cue PCI DSS compliance.
So what really is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was established by American Express, Discover, JCB International, MasterCard and Visa in order to protect cardholder data. As merchants for payment card transactions, financial entities and vendors need to use standard security procedures and technologies to protect cardholder data.
According to the PCI Security Standards Council, “PCI DSS is a set of universally accepted standards that help protect the safety of customer data.” PCI DSS sets the operational and technical requirements for organizations accepting or processing payment transactions, as well as for software developers and manufacturers of the applications and devices used in those transactions.
Put simply, any business entity that accepts, processes, or stores payment card information is required to comply with PCI DSS. In the 21st century, this is basically any and all businesses. Furthermore, compliance can be broken into 3 parts. As seen in the graphic to the left, PCI requirements are separated into PIN Transaction Security (PTS) Requirements, Payment Application Data Security Standard (PA-DSS), and PCI Data Security Standard (DSS).
The PTS requirements cover the design, manufacture, and delivery of the device to the facility that implements the transaction, i.e., the device you swipe your card on in the grocery store. The PA-DSS, by contrast, covers virtual transactions in applications and other software that store cardholder data; think PayPal, Apple Pay, or any given website.
What are the consequences?
Noncompliance may result in a fine of $5,000 to $500,000 for the acquiring bank. The bank then passes the fines along to the offending merchant.
Who will validate my compliance?
Compliance with PCI DSS can be proven in two ways: you can either answer a self-assessment questionnaire or have an external third party audit your organization annually. Note: some banks and card brands may impose additional stipulations before they can declare your organization a level 1, 2, 3, or 4.
These rules are a lot to digest, but PCI DSS is a critical operational requirement for all covered organizations. Amid all the day-to-day hustle and bustle, meeting these requirements frequently becomes a check-box exercise. Just barely meeting minimum requirements leaves your organization, customer data, and company reputation vulnerable. The bottom line: making PCI DSS compliance a priority is essential. Compliance can be challenging and painful, but it doesn’t have to be. Your job as information security personnel should and can be easier!
At Qmulos, we pride ourselves on simplifying compliance.
As a native Splunk-powered solution, Q-Compliance contextualizes your real-time data with a compliance lens. Furthermore, it assesses your data against each of the PCI categories and their relevant security controls, triggering alerts and actions.
Q-Compliance contextualizes the log data ingested through Splunk into a PCI DSS compliance lens, making compliance easy for anyone to prove. No longer does a team need to manually collect technical evidence from various data sources and vendors, spend fortunes on audits, or spend hours sifting through static spreadsheets.
Q-Compliance is purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like PCI DSS, NIST 800-53, SOX, CMMC, and many others. By selecting one of Qmulos’ PCI DSS dashboards, the user can track how an organization and its systems are scoring against each of the control categories, and where they need to improve. The dashboards let the user quickly drill into specific domains to view compliance against the capabilities, practices, and processes set forth, and also drill into individual controls to see the specific systems, events, and assets that are non-compliant.
In Conclusion:
Q-Compliance provides the ability to upload policies, procedures, and file evidence, as well as automatically log human activity. The software keeps the evidence needed for audits all in one place, making things more organized and efficient. Q-Compliance uses real-time log data to automate assessments and align specific security controls with the PCI DSS policies and procedures. Additionally, Qmulos codified industry best practices into the application workflows. This enables your organization to optimize processes that improve your cyber posture and protect you and your customers’ cardholder data.
If you have further questions or you’d like to see a demo of our capabilities, contact sales@qmulos.com. You can also download our PCI DSS white paper or use the PCI Security Standards Council’s easy-to-read Quick Guide.