PCI Compliance: What it is and Why You Might Need it as Part of Your Cybersecurity
More than 39 billion credit card transactions were made in the US in 2019 and, while credit card usage took a nose-dive during the early days of COVID, it's back to where it was.
With all that money whizzing around electronically, it may come as no surprise to learn that compliance is in place for the security of these transactions.
That's where the Payment Card Industry Security Standards Council (PCI SSC) comes in.
The PCI SSC was founded in 2006 by Visa, MasterCard, American Express, JCB International and Discover "to enhance global payment account data security". It developed a list of security standards, the Payment Card Industry Data Security Standard (PCI DSS).
However, while governments require businesses to be PCI compliant, it isn't law. Businesses can be fined and held liable for damages, but no breach will end in a criminal court and no-one will go to jail.
THE PCI DSS
The PCI DSS describes itself as: "the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices."
These steps can be found in the PCI DSS Quick Reference Guide, and contain 12 Requirements outlining how entities can keep the data of (credit) cardholders safe:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
The Requirements are further broken down into points, such as:
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. "high," "medium," or "low") to newly discovered security vulnerabilities.
Keeping track of vulnerabilities is especially important. Leaving your software vulnerable can lead to cyber attacks using malware, ransomware, SQL injection, spyware and zero-days.
However, tracking vulnerability alerts from the multitude of software vendors a business may use can be time-consuming and one missed alert can be detrimental.
Vulnerability alert services, such as SecAlerts, act as the 'middle-man' between software vendors and their clients. They save valuable time and effort by matching vulnerabilities - CVEs - and zero-days to a company's software, and are an essential part of PCI compliance.
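To make Requirement 6.1 concrete, here is an added example (not from the PCI SSC or any alert vendor) of the core step such a process automates: matching advisory entries against a software inventory and assigning a "high", "medium" or "low" ranking. The inventory, advisories and CVE ids are constructed placeholders, and the CVSS cut-offs used for the ranking are this example's assumption, since PCI DSS leaves the ranking criteria to the entity.

```python
# Toy PCI DSS 6.1 process: match constructed feed entries to an inventory and rank them.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    # Split "2.4.49" into (2, 4, 49) so versions compare numerically, not as strings.
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    cve_id: str          # placeholder id in this example, not a real CVE
    product: str         # lower-case product name as used in the inventory
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive); "" means no fix yet
    cvss: float          # CVSS v3 base score published with the advisory

# Risk ranking required by PCI DSS 6.1 ("high", "medium", "low"). The cut-offs
# are this example's assumption, not values mandated by the standard.
def risk_rank(cvss: float) -> str:
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in == "" or v < parse_version(adv.fixed_in)

def match_inventory(inventory: dict, advisories: list) -> list:
    """Return (host, product, version, cve_id, rank) for every installed
    component inside an advisory's affected range, highest risk first."""
    findings = []
    for host, components in inventory.items():
        for product, version in components.items():
            for adv in advisories:
                if adv.product == product and is_affected(version, adv):
                    findings.append((host, product, version, adv.cve_id, risk_rank(adv.cvss)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[4]], f[0]))

# Constructed sample data: hosts, products and CVE ids are placeholders.
INVENTORY = {
    "pos-web-01": {"webserver": "2.4.49", "tls-lib": "1.1.1"},
    "pos-db-01":  {"database": "13.2", "tls-lib": "1.1.1"},
}
ADVISORIES = [
    Advisory("CVE-0000-00001", "webserver", "2.4.49", "2.4.50", 9.8),
    Advisory("CVE-0000-00002", "tls-lib", "1.1.0", "1.1.1", 7.5),  # already fixed in 1.1.1
    Advisory("CVE-0000-00003", "database", "13.0", "", 5.3),        # no fix published yet
]
```

Running `match_inventory(INVENTORY, ADVISORIES)` reports the web server as "high" and the database as "medium", while the patched TLS library produces no finding; a real feed would supply the advisory fields from the vendor's or NVD's data.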
QSAs and ASVs
A Qualified Security Assessor (QSA) is a PCI SSC-qualified independent security company that makes sure an entity meets the Requirements set out in the PCI DSS.
The PCI SSC website offers a list of companies - currently 385 - around the world that act as QSAs.
An Approved Scanning Vendor (ASV) is needed to conduct the scans outlined in PCI DSS Requirement 11.2.2: "Perform quarterly external network vulnerability scans through the Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC)." These external scans differ from the internal vulnerability scans done by the likes of SecAlerts.
As with the QSAs, a list of ASVs around the world - currently 93 - can be found on the PCI SSC website.