Protecting cardholder data is no small task. Breaches are costly; according to a recent Security Intelligence survey, the average compounded cost of a cardholder breach is $4M. To aid billers in the struggle to secure financial information and avoid intrusion, the Payment Card Industry (PCI) Security Standards Council established an ever-evolving set of practices known as the PCI Data Security Standard (PCI DSS). The infrastructure and operations required to comply are strictly defined – for good reason – but the undertaking is essential to running a safe and effective modern payment system that won’t put you and your customers at risk.
Altogether there are 12 required controls and processes that must be followed in order to achieve PCI Compliance. Some are more difficult to comply with than others. According to a recent VeriSign study, 79% of failed PCI Compliance assessments did not fulfill the requirement to protect cardholder data — Requirement 3. It’s an oversight that is not only unsettling, but can also damage a business given the ramifications.
The good news is that there are steps that can be taken to avoid the pitfalls of handling cardholder data. The PCI Standards Council has created a helpful list of Do’s and Don’ts that we wanted to share:
Cardholder Data Do’s:
- Do understand where payment card data flows for the entire transaction process
- Do verify that your payment card terminals comply with the PCI Personal Identification Number (PIN) Transaction Security (PTS) requirements
- Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS)
- Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure it’s protected
- Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals
- Do ensure that third parties who process your customers’ payment cards comply with PCI DSS, PTS and/or PA-DSS as applicable. Have clear access and password protection policies
Cardholder Data Don’ts:
- Do not store cardholder data unless it’s absolutely necessary
- Do not store sensitive data contained in a payment card’s chip or magnetic stripe, including the 3-4 digit card verification code printed on the front or back of the payment card, after authorization.
- Do not have payment terminals print out personally identifiable payment card data; printouts should be truncated or masked
- Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones
- Do not locate servers or other payment card system storage devices outside of a locked, fully-secured and access-controlled room.
By following these best practices, you can be confident your business is taking the right steps to avoid the compliance errors that are found even at some of the world’s largest consumer brands.
Take the high-profile case of Target. Intruders were able to gain access to stored cardholder data including names, card numbers, expiration dates, and CVV codes — everything. They failed to properly handle financial information at a cost of $252 million and an indefinite period of consumer mistrust. In the words of Forrester analyst John Kindervag, “This is a breach that should’ve never happened…The fact that three-digit CVV security codes were compromised shows they were being stored.”
You can avoid this unfortunate situation by investing the care and resources necessary to follow the best practices outlined above. Assess whether it’s time to perform a comprehensive review of your PCI compliance. It is crucial to the long-term health of your business that you uncover and resolve any points of non-compliance as soon as possible.
To read more about PCI Compliance as it relates to your business, explore our 3-part blog series on the PCI here.