It’s hard to believe the payment card industry data security standard (PCI DSS) is 16 years old at this point. Although it’s experienced different updates and iterations over the years, this standard has provided an industry-defined payment processing and data storage framework for more than a decade and a half.
Still, compliance remains a challenge for many organisations. Verizon’s 2020 Payment Security Report found that PCI DSS compliance continued on a declining trend, with only 27.9% of organisations granted interim validation achieving compliance during the previous year.
So how can your business rise above the fray whilst avoiding costly penalties and damaging headlines down the line? It starts with identifying the level under which you’re categorised for PCI DSS purposes.
PCI DSS Merchant Levels
Your merchant level provides crucial guidance for understanding what you need to do in order to become compliant with the standard. The tier or category to which you belong will also help determine the penalties your business will face if issues emerge.
While PCI DSS involves a great deal of standardisation, your merchant level may vary based on the card company in question. In general, according to the Discover Global Network, the merchant levels are:
- The top tier usually refers to merchants that process more than 6 million transactions through the card’s network per year.
- The transaction volume at Level 2 falls between 1 and 6 million
- The Discover Global Network puts all other merchants in Level 3, but according to Visa’s U.S. website, this threshold applies to merchants with between 20,000 and 1 million transactions.
- Those processing less than 20,000 transactions belong to Level 4, according to Visa.
It’s a good idea to cross-reference these levels based on the accepted forms of payment at your business.
PCI DSS Compliance Strategies for Success
Achieving PCI DSS compliance provides reasonable assurance that you are handling sensitive customer data responsibly whilst limiting your liability to fines from card companies in the future. To accomplish this goal, follow these strategies.
Minimise the Scope of Compliance
This strategy helps manage risk, minimise the cost of compliance and ensure that controls are focused on the areas of greatest risk. Adjusting the scope could be accomplished by techniques like changing business processes or leveraging options to segment components of technology that are used for handling cardholder data.
Don’t Overemphasise Compliance at the Expense of Security
That said, once your processes are optimised, compliance isn’t enough. Instead, you should view PCI DSS adherence as the minimum acceptable outcome for your operation. It’s true that you want to ensure you’ve successfully balanced customer convenience with security, but aim for policies, procedures and technologies that far surpass the minimum requirements.
Craft Robust Policies in Which Other Standards Are Rolled Up
As part of your efforts to go beyond the minimum, you should ideally identify technologies and processes that can help you surpass the expectations in the standard. Review your policy, enhance it, and then look for blind spots with the help of official questionnaires, which may be required for compliance purposes. Find out which assessment applies to your business by visiting the PCI Security Standards Council (PCI SSC) website.
Implement Your Updates Thoughtfully and Methodically
This strategy applies just as much to patching and software updates as it does to policy reviews and new workflow rollouts. After you complete your assessment, make sure you craft a detailed plan for establishing alterations on a brisk, reasonable timetable.
Test Your New Policies and Technology, Ideally With Outside Support
Even the most dedicated internal staff members may have some inherent biases about the systems with which they’ve worked so closely. Robust testing and external consultations can help you further refine your approach to security.
Codify Your Discoveries With Additional Security Updates
It’s important to systematise your data security strategies. If you identify gaps during your testing, don’t just patch what’s in front of you. Dig deeper to resolve the processes that led to this oversight in the first place. It’s also important to conduct new security reviews if you change vendors. Continue to revise your strategy on a rolling basis as needed.
The Impact of Remote Work on PCI DSS Compliance
The cyber security landscape is dynamic. As companies are forced to respond to changing global circumstances — like the shift to remote work that resulted from the Covid-19 pandemic — security efforts must keep pace.
A recent PCI SSC blog outlined some remote work precautions to be mindful of whilst ensuring PCI DSS compliance. The group recommends:
- Conducting employee education initiatives around security best practices.
- Verifying the security of relevant workers’ home networks, access methods and physical environments, as well as hard copies of documents.
- Mandating that only company-authorised equipment be used for work purposes.
As we’ve mentioned, outside support can be crucial for counteracting institutional blind spots with regards to cyber security and the steps that are necessary for achieving PCI DSS compliance. With the financial risks posed by potential fines and the devastating impacts of data breaches, an outside perspective can mean all the difference for business success. Contact 1 Cyber Valley today to find out how we can help.