PCI Compliance In The Workplace

Payment card industry (PCI) compliance refers to technical and operational standards followed by businesses in order to protect and secure credit card data provided by cardholders via card transactions.  As such, it is a key component of credit card security protocol. 

Although there is no regulatory mandate requiring PCI compliance, it is viewed as mandatory through court precedent. PCI compliance is developed and managed by the PCI Security Standards Council, which is also responsible for developing the PCI DSS.

In the workplace, keeping organizations PCI compliant relates to the protection of sensitive and proprietary data.  For this reason, it’s important that staff at all levels of the organization understand how it works, and why it’s necessary.

PCI Compliance At Work

118.6 million individuals were affected by 10 major data breaches in the first half of 2021, with three taking place at tech companies. Although this is a significant drop from 2.5 billion (in 2016), credit card security is still a major consideration for workplaces.

The role of the Identity Theft Resource Center (ITRC) is to track incidents where hackers steal sensitive customer and employee records containing Personally Identifiable Information.  

In the past year, the center reported a significant rise in data compromises for  professional services, utilities and manufacturing. 

The Risks

In addition to increased vulnerability to data breaches, non-compliance may also result in:

  • Costs involved in reissuing new payment cards, higher subsequent compliance costs, fines and penalties or legal fees
  • Financial losses including fraud losses and diminished sales
  • Court action, including settlements and judgements
  • Termination of the right to accept payment cards
  • Job losses (including CISO, CIO, CEO and dependent professional positions)
  • Loss of credibility and customer trust
  • Loss of business and potential business closure

The Benefits 

The benefits of PCI compliance are simple, yet fundamental: compliance reduces the risk of data breaches and fines while protecting customers and helping companies to retain a positive brand reputation.  With so many risks involved, it’s vital to ensure compliance. 

What Needs to be Secured?

Cardholder data must be secured as it is captured at the point of sale and as it transfers into the payment system. A key step is to never store any cardholder data. Securing it also means protecting:

  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts
  • Point of sale (POS) systems
  • Card readers
  • Store networks and wireless access routers
  • Payment card data storage and transmission

Getting Everyone On Board

The Employees

Key areas to cover in PCI compliance training for employees include (but are not limited to) the following:

  • The challenges, risks and vulnerabilities, both to themselves and to the organization, if protocols are not followed, either knowingly or unknowingly.
  • Data security protocols, particularly for those with direct access to computers and other online devices.
  • The importance of cybersecurity, including the protection of passwords, usernames and other sensitive employee information.

The Risk Management Team

In addition to working with the IT team to help strengthen network security, the risk management team can also help secure PCI compliance through creating comprehensive training programs and putting PCI-specific policies and procedures in place.  Additional steps to help secure and maintain PCI compliance include:

  • Setting internal and external traffic rules to address both inbound and outbound network activity
  • Strengthening network security, including the firewall
  • Avoiding the use of default passwords and security parameters
  • Ensuring passwords are updated regularly
  • Implementing mandatory protocols and multi-level authentication
  • Mapping data flows to show where company data is and where it goes
  • Designing remediation workflows in case a process fails (including automatic remediation and rescan)
  • Creating an incident response plan
  • Building risk mitigation processes that enable security to respond quickly to breaches
  • Strengthening access control using a “zero trust” model
  • Using access controls to mitigate risk
  • Using data tokenisation (this protects consumer data while reducing company liability, should a breach occur)
  • Completing the DSE (Data Security Essentials) questionnaire
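The two points above that are most easily shown in code are "never store any cardholder data" (from the section on what needs to be secured) and "using data tokenisation" (from the list just given). The following is an added example, not code from the article or from Cyber Writes: an in-process token vault that stands in for a PCI-scoped tokenisation service (a hypothetical stand-in, not a real product), a merchant-side order record that keeps only the token and a masked number, and a Luhn-based scanner that a team can run over logs or stored records to confirm that no full PAN has leaked outside the vault. The card number used is a constructed test value, not a real card.

```python
"""Added example: PAN tokenisation and a "no stored PAN" check.

Assumptions (all hypothetical): TokenVault stands in for a PCI-scoped
tokenisation service; everything outside the vault is merchant code that
must never hold a full PAN. The test PAN below is a constructed value.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive outside the vault."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-process vault: the only place a full PAN is kept."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # keyed fingerprint, not a plain hash
        self._token_by_fp: dict[str, str] = {}  # fingerprint -> token (same PAN, same token)
        self._pan_by_token: dict[str, str] = {}  # token -> PAN (vault-internal only)

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fp.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random, carries no card information
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def build_order_record(vault: TokenVault, order_id: str, raw_pan: str) -> dict:
    """Merchant-side record: token plus masked display value, never the PAN."""
    pan = normalize_pan(raw_pan)
    return {
        "order_id": order_id,
        "card_token": vault.tokenize(pan),
        "card_display": mask_pan(pan),
    }


# 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid card number (for log/record scanning)."""
    for m in _PAN_CANDIDATE.finditer(text):
        candidate = re.sub(r"[\s-]", "", m.group())
        if 13 <= len(candidate) <= 19 and luhn_valid(candidate):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    record = build_order_record(vault, "order-1001", "4111 1111 1111 1111")  # constructed test PAN
    print(record)
    print("record leaks PAN:", contains_pan(str(record)))
    print("log line leaks PAN:", contains_pan("charged card 4111-1111-1111-1111 for order-1001"))
```

The scanner is the part a risk management team would actually schedule: run `contains_pan` over application logs, database exports and ticket text, and treat any hit as a compliance incident, since a Luhn-valid 13-19 digit number outside the vault means cardholder data is being stored where it should not be.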

Ensuring Compliance

Organizations that follow and meet the Payment Card Industry Data Security Standard (PCI DSS) are considered PCI compliant.

To meet requirements, they must complete a checklist for PCI compliance including 12 key requirements, 78 base requirements, and 400 test procedures. More information on these can be found via the PCI Security Standards Council.

When it comes to securing and maintaining PCI compliance, knowledge is power. By educating staff at all levels on the correct policies using appropriate training methods, companies have a better chance of staying compliant and securing their business reputation while protecting against data breaches.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]