Whitepaper

PCI Compliance: Protect Your Business from Data Breach

PCI COMPLIANCE IS ESSENTIAL FOR SECURE TRANSACTIONS AND FINANCIAL STABILITY

The security and safety of personal and financial data is increasingly threatened. Nowhere is that more apparent than in the retail industry—a primary target for cyber criminals.

Retail businesses are particularly vulnerable because of the volume of credit card information they handle, the fact that this information is distributed among many locations, the lengthy amount of time it can take them to detect a breach, and the often inadequate staff and safeguards they have in place.

Some experts forecast that as many as one in six small businesses will be breached.¹ Small businesses are particularly vulnerable; according to Visa, 97% of U.S. events occurred at small merchants, and 91% of those were brick-and-mortar merchants.²

Larger organizations, too, are vulnerable to the consequences of such a breach. Examples from recent years include Bank of America, Boston Market, Sports Authority, and Forever 21. A particularly devastating case was the breach of TJX Corp., which resulted in the loss of at least 45 million credit card numbers to a single hacker.

Merchants often underestimate the financial impact of a breach, which can be significant. Smaller retailers that suffer a major and widely publicized breach of credit card data may actually find themselves out of business due to costs associated with fees, fines, and remediation, as well as ongoing damage to their brands and reputations.

For example, the average cost of a breach is estimated at $80,000 per location for Level 4 merchants, and can reach into the millions depending on the size of the merchant and the extent of the breach.³ Direct costs include mandatory forensic audits, credit card replacement, fees, fines, and breach remediation to prevent a recurrence.
What is PCI-DSS?

For these reasons, complying with PCI-DSS (Payment Card Industry Data Security Standard, also known simply as PCI) is much more than just a technical goal for retailers. It is necessary for business stability.

PCI was originally created as a joint initiative by Visa, MasterCard, American Express, JCB, and Discover to protect card-holder information and reduce data theft and fraud. The first version was released in December 2004, and it has since undergone two significant updates. The current version, 2.0, was issued in October 2010.

PCI compliance is mandatory for all organizations that accept Visa and MasterCard credit cards. If a retailer is found to be noncompliant, it could incur significant fines and be restricted from accepting credit cards until compliance is achieved.

While no standard can guarantee 100% prevention of a major credit card data breach, PCI compliance can significantly reduce the probability of such an event. Being PCI compliant means that merchants are pursuing established best practices specifically designed to protect sensitive credit card data from unauthorized access—critical both for themselves and their customers.

Breach remediation can take months, as shown in Table 1.

Table 1: Typical Breach/Remediation Timeline

Day 1
  Notification of breach
  Stop taking credit cards
  Pay for a forensic audit
  Monitor media/social media

Day 5
  Forensic audit complete
  Contact a Qualified Security Assessor (QSA)

Day 7
  Obtain proposals for remediation

Day 10 to Day 40-180
  Execute remediation and compliance plan
  Replace credit cards
  Disclose breach/address brand and media impact

Post breach plus one year
  Revenue impact
What is required for PCI compliance?

All members of the PCI payment card network, including merchants and service providers, must comply with 12 different requirements organized into six core categories:

PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configured to protect card-holder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Card-holder Data
3. Protect stored card-holder data.
4. Encrypt transmission of card-holder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to card-holder data within the organization on the basis of business need-to-know.
8. Assign a unique identifier to each employee with computer access.
9. Restrict physical access to card-holder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and card-holder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all employees.

Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Most retailers are aware of the importance of PCI compliance, but many lack the essential safeguards required to fully achieve it. For example, when retailers who accept credit cards are asked the following questions, frequently at least one answer is “no,” indicating that they are not compliant:

• Can you demonstrate that all of your cashiers have been trained upon hire with a PCI-certified training program, and does that training recur every year?
• Can you demonstrate that all of your employees have read and signed an employee awareness security policy?
• Can you demonstrate that all members of your team or your approved vendors are using a secure virtual private network with two-factor authentication to access applications or systems behind your firewall?
PCI compliance is not a one-time achievement, but is validated on an ongoing basis. The terms of validation vary based on the total number of credit card transactions that merchants generate each year, and are organized into four levels:

Level  Criteria                                        On-Site Security Audit  Self-Assessment Questionnaire  External Vulnerability Scan
1      Any merchant processing more than 6 million     Required Annually       -                              Required Quarterly
       transactions per year
2      Any merchant processing 1 to 6 million          -                       Required Annually              Required Quarterly
       transactions per year
3      Any merchant processing 20,000 to 1 million     -                       Required Annually              Required Quarterly
       transactions per year
4      All other merchants, not in Levels 1, 2 or 3    -                       Required Annually              Required Quarterly

As this chart shows, merchant validation requirements fall into three groups:

On-Site Security Audit: Required for Level 1 merchants, this is also known as a Report on Compliance (ROC) and must be completed by a PCI-certified Qualified Security Assessor (QSA).

Annual Self-Assessment Questionnaire: In lieu of a ROC, Level 2-4 merchants must complete one of six Self-Assessment Questionnaires (SAQ) to document PCI compliance status. This must recur annually to identify compliance shortfalls.

Quarterly External Vulnerability Scans: All merchants are required to have external network scans performed by a PCI-certified Authorized Scanning Vendor (ASV). Scan requirements are rigorous: all 65,000 ports must be scanned, vulnerabilities detected, “high” severity-level vulnerabilities must be remediated, and two key reports completed and filed with the bank card processor.
PCI Compliance Solutions from EarthLink Business

PCI is a complex set of standards, but is critical to financial stability for any size merchant that accepts credit cards. EarthLink Business offers a full range of services to support merchants on the path to PCI compliance.

This includes EarthLink’s PCI Compliance Solutions services, which provide Level 2-4 merchants with $100,000 in breach protection⁴ per location, subject to per-occurrence and yearly aggregate limits of $500,000, to cover eligible expenses, as well as tools to validate PCI compliance. Through an easy-to-use web-based portal, merchants can conduct quarterly Authorized Scanning Vendor (ASV) scans, Self-Assessment Questionnaires (SAQ), and training, and have access to a security policy and online knowledge base.

EarthLink also provides secure MPLS WAN, secure Point of Sale (POS) transport, managed security and other services to address gaps.

Proactively protect your business from breach

It’s advisable to be proactive in protecting your business and customers from credit card data breach; once a breach occurs, much of the damage will have already been done. If you are a Level 2-4 merchant, follow these key steps to start on the path toward compliance:

Financially Protect Yourself from a Breach: Consider acquiring breach protection for each of your site locations to help cover the costs of a forensic audit, fees, fines and credit card replacement in the event of a breach.

Validate PCI Compliance: Select and complete the Self-Assessment Questionnaire (SAQ) based on your environment. Select an Authorized Scanning Vendor (ASV) and complete the External Vulnerability Scan. Document the process and file the necessary reports.

Achieve PCI Compliance: Requirements will vary depending on your environment, but basic requirements include: implementing a fully managed, stateful inspection firewall; installing layered, dynamic security with unified threat management; implementing secure remote access with two-factor authentication; educating staff; and implementing and managing a security policy.

Maintain Compliance: Manage and maintain PCI compliance within your organization. This includes conducting regular employee training, documenting and following security policies, and conducting regular assessments and scans to identify and remediate gaps.