By Nicholas P. Cucci
Fluid Pay LLC
You'd think a titan like Capital One would be PCI compliant, but a misconfigured firewall was reportedly behind the recent theft of data related to approximately 100 million businesses and individuals that applied for Capital One credit cards. If true, Capital One failed the requirement set forth in the Payment Card Industry Data Security Standard (PCI DSS): Install and maintain a firewall configuration to protect cardholder data. Unfortunately, Capital One is not alone.
The PCI DSS applies to all companies of all sizes that accept, store and transmit cardholder data, including, for example, merchants, payment gateways and processors.
According to the Privacy Rights Clearinghouse, over 11 billion consumer records have been compromised in more than 10,000 breaches. The purpose of PCI compliance is to protect cardholder data and restore trust in the payment process. It sets forth a minimum standard for data security. If you abide only by the PCI DSS, you are already behind.
Here are compelling facts from the in-depth Verizon 2017 Payment Security Report:
The PCI DSS can get muddy quickly. It contains over 1,800 pages of official documentation and more than 250 security controls to follow. It can take reading 100+ pages before you figure out what form of compliance you are required to abide by.
The three main areas of PCI DSS compliance are:
From each one of those standpoints, map the ways in which data is transferred and who has access to it. Finally, after the data has been transferred, identify the internal systems or technologies that touch the transactions. This includes everything from your network to data centers and even cloud environments such as payment gateways. It is highly recommended that you use a third party, for example, a payment gateway, to store and process transactions.
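The article opens with the PCI DSS requirement to install and maintain a firewall configuration that protects cardholder data, and the paragraph above asks you to map which systems touch transactions. The Python script below is an added example (not from the article or from Fluid Pay) of the kind of automated check a reviewer can run over an exported rule set once that map exists: it flags inbound allow rules that let untrusted networks reach the cardholder data environment (CDE), ranks them, and confirms the rule set closes with a default deny. The rule format, the CDE subnet, the trusted networks and the sample rules are all constructed for illustration; a real review would load them from the firewall or cloud security-group export.

```python
"""Review a firewall / security-group rule set for overly permissive access to a
cardholder data environment (CDE).  Added example; all addresses, ports and
rules are constructed for illustration, not taken from any real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    direction: str       # "inbound" or "outbound"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means every port

# Constructed: the subnets that make up the CDE.
CDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed: networks with a documented business need to reach the CDE
# (internal address space plus a corporate office range from TEST-NET-3).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]
# Administrative and database ports that should never be internet-reachable.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}

Finding = Tuple[str, str]  # (severity, message)

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

def reaches_cde(rule: Rule) -> bool:
    """True if the rule's destination overlaps any CDE subnet."""
    return any(_net(rule.dst).overlaps(n) for n in CDE_NETS)

def from_trusted(rule: Rule) -> bool:
    """True only if the whole source range sits inside a trusted network."""
    src = _net(rule.src)
    return any(src.subnet_of(n) for n in TRUSTED_NETS)

def review_rule(rule: Rule) -> List[Finding]:
    """Findings for one rule; an empty list means the rule raised no concern."""
    if rule.action != "allow" or rule.direction != "inbound" or not reaches_cde(rule):
        return []
    if from_trusted(rule):
        return []
    if rule.port is None:
        return [("CRITICAL", f"{rule.name}: every port into the CDE is open to {rule.src}")]
    if rule.port in SENSITIVE_PORTS:
        return [("HIGH", f"{rule.name}: admin/database port {rule.port} reachable from {rule.src}")]
    # Internet-facing service ports (e.g. 443 on a web tier) may be legitimate,
    # but each one needs a documented business justification.
    return [("REVIEW", f"{rule.name}: port {rule.port} open from {rule.src}; confirm it is documented and justified")]

def is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.direction == "inbound" and rule.port is None
            and _net(rule.src).prefixlen == 0 and _net(rule.dst).prefixlen == 0)

def review_ruleset(rules: List[Rule]) -> List[Finding]:
    """Review every rule in order, then check that the list ends with deny-all."""
    findings: List[Finding] = []
    for rule in rules:
        findings.extend(review_rule(rule))
    if not rules or not is_default_deny(rules[-1]):
        findings.append(("HIGH", "rule set does not end with an inbound deny-all; "
                                 "traffic not explicitly allowed must be denied"))
    return findings

# Constructed sample rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("web-https",      "allow", "inbound", "0.0.0.0/0",       "10.20.1.0/24", "tcp", 443),
    Rule("admin-ssh-open", "allow", "inbound", "0.0.0.0/0",       "10.20.0.0/16", "tcp", 22),
    Rule("db-from-app",    "allow", "inbound", "10.20.1.0/24",    "10.20.2.0/24", "tcp", 5432),
    Rule("legacy-any",     "allow", "inbound", "0.0.0.0/0",       "10.20.2.0/24", "any", None),
    Rule("partner-db",     "allow", "inbound", "198.51.100.0/24", "10.20.2.0/24", "tcp", 5432),
    Rule("office-rdp",     "allow", "inbound", "203.0.113.0/24",  "10.20.3.0/24", "tcp", 3389),
    Rule("default-deny",   "deny",  "inbound", "0.0.0.0/0",       "0.0.0.0/0",    "any", None),
]

if __name__ == "__main__":
    for severity, message in review_ruleset(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

Run against the sample set, the script reports the open 443 rule for review, the internet-reachable SSH rule and the partner database rule as high, and the legacy any-port rule as critical, while the internal app-to-database rule and the office RDP rule pass because their sources are trusted. Dropping the closing deny-all adds a further high finding, which is the point of checking the last rule rather than merely searching for a deny somewhere in the list.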
Using a cloud-based service provides high availability included in a bundled price, while also offering multiple infrastructure solutions. It makes integration much easier and even allows data-redundant backups across multiple Internet grids. For instance, instead of large payment companies having to host in multiple data centers on different Internet grids, you can spin up virtual machines in each grid using cloud systems like Google Compute Engine or Amazon Web Services.
Also take into consideration the cost of buying servers for each location. It can quickly require millions of dollars, depending on the infrastructure you want to achieve. Plus, if a company is server based in multiple data centers, is it "hot swap" capable? Most likely not.
Payment processors typically request this validation, as they are responsible for reporting compliance to the card brands.
The four levels of PCI compliance are usually based on volume during a 12-month period. Level 1 applies to:
Level 1 requirements include:
Simply summarized, Level 2 applies to organizations that process between 1 and 6 million transactions annually; Level 3 applies to organizations that process between 20,000 and 1 million total transactions annually; and Level 4 applies to organizations that process fewer than 20,000 transactions annually.
Level 2, 3 and 4 requirements include:
For further details on Levels 1 through 4 and their requirements, visit the PCI Security Standards website at www.pcisecuritystandards.org. PCI compliance is a process involving continuous effort, not a once-a-year occurrence. And as your business/portfolio grows, so will your compliance needs. Being vigilant about this will give you the confidence to keep your business on track and fraudsters away. Do not take the path of least resistance.
Nicholas Cucci is the co-founder and COO of Fluid Pay LLC and former director of marketing for NMI. Cucci is also a graduate of Benedictine University and a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. Fluid Pay LLC is the first 100 percent cloud-based Level 1 PCI payment gateway processing transactions anywhere in the world. Contact Nick at firstname.lastname@example.org.