October 22, 2024 · 8 minute read

Ensuring PCI DSS Compliance in Finance

Payment card fraud losses are projected to reach $13.73 billion by the end of 2024. Is PCI DSS the last line of defense against such massive losses?

In 2013, hackers stole data from up to 40 million customers' credit and debit cards at Target stores during the holiday season. The breach cost Target $292 million, including an $18.5 million settlement and over $202 million in legal fees. Investigators found that the breach was linked to PCI DSS non-compliance and that the attackers had reached Target's gateway server using credentials stolen from a third-party vendor.

Companies that process, store, or transmit credit card information must adhere to PCI DSS to avoid penalties for non-compliance and, most importantly, to ensure that cardholder data is secure.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. Established in 2004 by major credit card companies like Visa, MasterCard, Discover, American Express, and JCB, PCI DSS aims to protect cardholder data from theft and fraud.

The PCI DSS framework consists of 12 main requirements, structured around six key objectives:

Objective 1: Build and Maintain a Secure Network

The first objective ensures that a robust network security framework is in place to protect cardholder data from unauthorized access and breaches.

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Firewalls act as the first line of defense in network security by controlling the traffic between internal trusted networks and untrusted external networks. Proper configuration and maintenance of firewalls help prevent unauthorized access to cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Using default passwords and security settings provided by vendors can make systems vulnerable to attacks. Changing these defaults and configuring systems securely reduces the risk of unauthorized access.

Objective 2: Protect Cardholder Data

PCI DSS requires that cardholder data is protected both at rest and during transmission. 

  • Requirement 3: Protect stored cardholder data. Cardholder data must be protected through encryption, masking, or tokenization to prevent unauthorized access and breaches. Only essential data should be stored, and it should be securely disposed of when no longer needed.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks. Encrypting cardholder data during transmission prevents it from being intercepted and accessed by unauthorized parties. This includes using strong cryptographic protocols and secure channels for data transmission.

Objective 3: Maintain a Vulnerability Management Program

The third objective aims to continuously identify and address security vulnerabilities to protect systems and data on an ongoing basis.

  • Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs. Implementing anti-virus and anti-malware software on all systems, especially those handling cardholder data, helps detect and prevent malicious activities. Regular updates ensure that the software can defend against the latest threats.
  • Requirement 6: Develop and maintain secure systems and applications. Regularly updating software, applying security patches, and developing secure applications reduce vulnerabilities that attackers might exploit. This includes following secure coding practices and conducting regular security assessments.

Objective 4: Implement Strong Access Control Measures

Access to cardholder data should be restricted to only those who need it for their job roles in order to process transactions.

  • Requirement 7: Restrict access to cardholder data by business need-to-know. Access to cardholder data should be limited to individuals whose job functions require it. This minimizes the risk of unauthorized access and potential data breaches.
  • Requirement 8: Identify and Authenticate Access to System Components. Assigning unique IDs to users and implementing multi-factor authentication ensures that access to cardholder data is tracked and only authorized users can access it.
  • Requirement 9: Restrict physical access to cardholder data. Physical security controls, such as locked doors, surveillance cameras, and access logs, help protect cardholder data from unauthorized physical access.

Objective 5: Regularly Monitor and Test Networks

PCI DSS compliance isn't a one-and-done solution. Ongoing monitoring and testing ensure that security measures are working effectively and allow companies to detect and respond to security incidents promptly.

  • Requirement 10: Track and monitor all access to network resources and cardholder data. Implementing logging and monitoring systems allows organizations to track access to cardholder data and detect suspicious activities. Regular review of logs helps identify and respond to potential security incidents.
  • Requirement 11: Regularly test security systems and processes. Conducting regular vulnerability scans, penetration tests, and security assessments ensures that security controls are effective and identifies areas for improvement. This helps maintain a strong security posture.

Objective 6: Maintain an Information Security Policy

The final objective requires that companies establish and maintain a comprehensive information security policy that addresses the protection of cardholder data across the organization.

  • Requirement 12: Maintain a policy that addresses information security for all personnel. Developing and enforcing an information security policy ensures that all employees understand their roles and responsibilities in protecting cardholder data. Regular training and awareness programs help foster a culture of security within the organization.

What companies need to be compliant with PCI DSS?

Any company that processes, stores, or transmits credit card information must comply with the PCI DSS. This includes a wide range of businesses, such as:

  • Merchants
  • Payment processors
  • Acquiring banks
  • Issuing banks
  • Service providers
  • E-commerce platforms
  • Hosting providers
  • Software developers 

Compliance is necessary to protect sensitive cardholder information, avoid penalties from credit card companies, and maintain customer trust. There are four levels of PCI DSS compliance, determined by the number of card transactions a business processes annually. 

  • Level 1: 6 million or more transactions per year
  • Level 2: 1 million to 6 million transactions per year
  • Level 3: 20,000 to 1 million transactions per year
  • Level 4: Less than 20,000 transactions per year

Each level has specific validation requirements, from annual self-assessment questionnaires to regular security scans and audits by Qualified Security Assessors (QSAs).

The cost of non-compliance with PCI DSS

Cardless credit card fraud, responsible for 72% of fraudulent card purchases, led to $8.75 billion in U.S. losses in 2022. While the growth in card fraud losses is slowing, projections show these losses reaching $13.73 billion by the end of 2024. As fraudsters increasingly target online transactions, issuers and merchants must rethink prevention strategies.

Non-compliance with PCI DSS can lead to several significant financial and operational repercussions that can severely impact a business’s reputation and ability to operate effectively. Here are the key consequences:

Financial Penalties

Non-compliance can result in hefty fines from payment card brands such as Visa, MasterCard, and others. These fines can range from $5,000 to $100,000 per month until compliance is achieved. Banks and payment processors may also impose higher transaction fees on non-compliant businesses as a risk mitigation measure.

Legal Liability

In the event of a data breach, affected customers may file lawsuits against the company, leading to potentially expensive legal battles and settlements. In jurisdictions that have laws requiring compliance with PCI DSS, failure to comply can lead to regulatory actions, including additional fines and sanctions.

Loss of Merchant Account

Payment processors and acquiring banks may terminate the merchant account of a non-compliant business, effectively stopping it from accepting card payments and driving away customers who prefer or require card payment options.

Reputation Damage

A data breach resulting from non-compliance can significantly damage a company's reputation and erode customer trust. Non-compliance and associated breaches often attract negative media attention, further harming the business's public image.

Operational Disruptions

The cost of addressing a data breach can be substantial, including expenses for forensic investigations, updating security systems, and compensating affected customers. This can lead to operational downtime as systems are audited, updated, and secured to meet compliance standards.

Breach of Contract

Many contracts with payment processors include clauses requiring PCI DSS compliance. Non-compliance can be considered a breach of contract, leading to potential termination and additional penalties.

Mandatory Remediation Actions

Non-compliant businesses may be required to undergo additional assessments and audits at their own expense to verify compliance. Businesses may also be required to implement new security measures and controls, which can be costly and time-consuming.

Best practices to ensure PCI DSS compliance

Ensuring PCI DSS compliance in the financial industry requires a comprehensive approach that includes technical, administrative, and physical security measures. Here are some best practices to help achieve and maintain compliance:

1. Implement Robust Network Security

  • Firewalls: Install and maintain a firewall configuration to protect cardholder data. Ensure that firewall policies are updated regularly to reflect the latest threats.
  • Segmentation: Segment the network to limit the scope of cardholder data environments and reduce the risk of breaches.

2. Protect Cardholder Data

  • Encryption: Encrypt transmission of cardholder data across open, public networks. Ensure strong encryption protocols are used and updated regularly.
  • Data Masking: Use data masking and tokenization techniques to protect stored cardholder data.

3. Maintain a Vulnerability Management Program

  • Regular Updates: Keep all systems, applications, and software up to date with the latest security patches. Regularly update anti-virus software and conduct vulnerability scans.
  • Penetration Testing: Conduct regular penetration tests to identify and address security weaknesses before they can be exploited.

4. Implement Strong Access Control Measures

  • Least Privilege Principle: Limit access to cardholder data to only those employees who need it to perform their job functions. Implement the principle of least privilege (POLP).
  • Unique User IDs: Assign unique IDs to each person with computer access and ensure multi-factor authentication (MFA) is used to access cardholder data environments.

5. Regularly Monitor and Test Networks

  • Logging and Monitoring: Track and monitor all access to network resources and cardholder data. Implement security information and event management (SIEM) systems to analyze logs and detect suspicious activity.
  • Security Testing: Conduct regular security testing, including quarterly vulnerability scans and annual penetration tests.

6. Develop and Maintain an Information Security Policy

  • Comprehensive Policies: Develop, maintain, and enforce a comprehensive information security policy that addresses all aspects of PCI DSS compliance. Regularly review and update policies to adapt to new security threats.
  • Training and Awareness: Conduct regular training sessions to ensure all employees understand their roles and responsibilities in maintaining PCI DSS compliance. Promote a culture of security awareness.

7. Use Trusted Third-Party Providers

  • Qualified Assessors: Utilize Qualified Security Assessors (QSAs) to conduct thorough PCI DSS compliance assessments and provide validation.
  • Vendor Management: Ensure that all third-party service providers that handle cardholder data are PCI DSS compliant. Regularly review their compliance status and conduct audits if necessary.

8. Prepare for Incident Response

  • Incident Response Plan: Develop and maintain an incident response plan to quickly and effectively respond to security breaches. Regularly test and update the plan to ensure readiness.
  • Forensic Readiness: Ensure the ability to perform forensic analysis in case of a data breach, including retaining logs and evidence for investigation purposes.

9. Regular Compliance Audits

  • Self-Assessment: Conduct regular self-assessment questionnaires (SAQs) to ensure ongoing compliance with PCI DSS requirements.
  • Independent Audits: Schedule regular audits by independent assessors to verify compliance and identify areas for improvement.

By adhering to these best practices, financial institutions can significantly enhance their security posture, protect sensitive cardholder data, and maintain PCI DSS compliance. 

Simplify compliance and build customer trust

Ensuring PCI DSS compliance is not just a regulatory requirement but a critical step in safeguarding sensitive cardholder data and maintaining the trust of your customers. By meeting the 12 requirements of PCI DSS, financial institutions can effectively protect against data breaches, avoid costly penalties, and enhance their overall security posture.

Learn more about how you can turn the challenge of security and GRC into your strategic advantage. Download our eBook: Navigating the Modern B2B Landscape with Customer Assurance.

Sarah Rearick
Content Writer