“The process of implementing the 12 requirements of the PCI DSS can take some larger businesses up to 6 months and cost more than $70,000.”
Gary Glover, VP Security Assessments, SecurityMetrics
- The purpose of PCI DSS in today’s e-commerce environment
- Good reasons to outsource PCI compliance
- Simplify PCI DSS compliance with PCI Proxy
Back in 2006, the major credit card issuers, Visa, Mastercard, American Express, Discover and JCB came together and formed a council called the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council was to collectively establish, administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies all had their own security standards programs—each with roughly similar requirements and goals. However, as the number of fraudulent transactions increased, and merchants increasingly struggled to comply with the varying standards, the payment card issuers decided that a standardization of the protective measures was needed.
Hence why The Payment Card Industry Data Security Standards (PCI DSS) was established. Today, any companies that that store, process or transmit cardholder data must adhere to the 12 requirements set out by the Council in the PCIDSS. These 12 requirements look at every aspect of an organization’s ability to keep customer data secure – internet firewall setup, physical and digital access controls, encryption at rest and transit, software development principles, information security policies and more. As the complexity of thee-payments industry grows and malicious attacks become ever more advanced, the policies and requirements need to adjust. Earlier this year the PCI SSC published version 4 of the Standards which includes 64 additional requirements aimed to protect against the most complex hacking attacks such as web skimming and others.
Becoming PCI compliant is a process that can be extremely complex, taking some companies months, or even years to achieve. In the past, companies looked to do this all in-house, which is a considerable drain on time and resources. New staff must be recruited, or existing employees must shift their focus away from other projects. Then the team must invest time to understand all the details about PCI compliance and its impact on the company's systems, products, employees, and overall infrastructure. Once the requirements are understood, the team must implement all of the requirements. And finally, after all of this is completed, it is time to start over again, since companies must be re-certified on an annual basis.
In addition to the time and resources taken to carry out PCI in-house, unless you outsource the collection, storage and use of credit card data to an external provider, your business will still be liable in the event of a data breach. As the number of data breaches increase and the fines relating to those breaches become more severe, it’s not surprising that more and more businesses turn to SaaS solutions to address the challenges posed by handling credit card data.
At PCI Proxy, we reduce the cost and burden of PCI compliance by putting the technical solution in place to keep our clients outside of PCI scope. By using our universal token vault solution, we prevent sensitive credit card data from ever touching our clients’ servers, regardless of their sales channels, and therefore significantly reduce the cost, risk and burden of PCI compliance.
Without access to sensitive credit card data, only the criteria for SAQ-A requirements apply to our clients, regardless of what PCI compliance assessment they have to undergo. As a result, entities can use the SAQ-A audit form as a reference to identify the applicable PCI DSS requirements for their environment and report remaining requirements as “Not Applicable”. This means even for level 1 assessments that require an on-site audit by a QSA, the audit is a fraction of what it would be if credit card data is managed in-house.
As PCI Standards become increasingly stringent and the risk of data-breach becomes more and more likely, those businesses which set themselves up for a cost-effective, technical solution now will ensure they can adapt and adjust effortlessly as the requirements change in future.
Gary Glover, VP Security Assessments, SecurityMetrics
.svg)
.jpg)
