Everything You Need to Know About Payment Security
While there are a lot of ‘how to’ guides out there, the PCI compliance standards continues to change rapidly. The standards are continually revised to keep up with the ever-changing security landscape.
The current version of PCI DSS v3.2 encompasses the highest security standards globally and ongoing efforts to remain in compliance for anyone handling payment ransactions. According to Verizon’s PCI DSS Compliance Report, 80 percent of organizations are still not compliant.
While there is an increase in businesses noting the importance of PCI compliance, the number of compliant companies is still staggeringly low. Verizon reports that four out of five companies would still fail at the interim assessment. Failing an audit can have severe consequences on the business’ viability.
The fines for non-compliance range from $5,000-$100,000 a month. Other consequences include legal action, damage to reputation and loss of business. The fines alone would be the end for most companies accepting credit cards and ATM or debit cards.
While fines and legal action are two major repercussions, failing to comply with the processes laid out by PCI DSS could also result in a breach of security. The downfall from a cyber breach impacts not only the company attacked, but the financial safety of their customers. Once the customers’ secure information is compromised, it can be game-over. Even if a business survives a serious breach, the reputational damage can be nearly impossible to bounce back from.
In this blog, we will tackle everything you need to know about PCI DSS and payment security. From what PCI compliance encompasses to making the cultural change in your organization to support its guidelines, LightEdge will act as your security expert.
What is PCI DSS?
According to the PCI Security Standards Council’s requirements and security assessment and procedures, the Payment Card Industry Data Security Standards (PCI DSS) was created to enhance cardholder data security and facilitate the adoption of data security measures globally. These standards apply to every business or entity that is involved in payment card processing.
These standards also apply to all entities that store, process or transmit cardholder data and/or sensitive authentication data. PCI compliance standards are a minimum set of requirements for protecting data. Organizations are encouraged to enhance standards by adding additional controls and practices to mitigate risk on top of maintaining PCI DSS.
What Information is PCI DSS Protecting?
Cardholder data can be a confusing and broad term. PCI DSS helps to keep “cardholder data” secure, but what does that really mean? Cardholder data and sensitive authentication data are defined by the PCI Security Standards Council as:
Cardholder data
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data
- Full track data (the magnetic-stripe data or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs and PIN blocks
The primary account number (PAN) is critical. If the name, expiration date or service code are stored, processed or transmitted with PAN, they must be protected and in compliance with PCI DSS requirements. While cardholder information is permitted to be stored, PAN must be rendered unreadable.
Sensitive authentication data must not be stored after authorization even if encrypted.
Why PCI Compliance Matters
Your customers put their trust in you every time they take out their credit card to make a purchase. By purchasing your product or service, they expect that you will keep their details safe in return. Right?
Hearing about major breach after major breach impacting the most well-known companies like Target, Panera, eBay, Home Depot and many more, customers’ trust might be on the decline. If companies that, in theory, should have the most advanced resources in place can’t keep their clients’ credit card information secure, then who can?
Is your business next? What will it mean for your reputation, financial standing, and future profits? Regardless of your position, payment security and protecting your customers should be a top priority.
PCI DSS provides a strong outline for looking at payment security. Now the only question is, why does it matter?
Data Breaches are on the Rise
According to new research, data breaches are on a disturbing upward trend. Many times, criminals will attack multiple areas to find a vulnerability. That may mean they go through a third-party to gain access to your critical infrastructure.
For instance, the Target breach of 2013 involved their third-party HVAC provider. The retail company announced that hackers had gained access through this HVAC provider to its point-of-sales (POS) payment card readers. Instead of directly attacking Target’s systems, the criminals found vulnerabilities and weak points through different vendors or partners.
By the end of Target’s breach, the company estimated that 70 million of its customer’s personally identifiable information (PII) had been stolen. The PII stolen included full names, billing addresses, email addresses and telephone numbers.
According to CSO Online, the final estimate is that the breach affected as many as 110 million customers. It cost Target $162 million, which doesn’t include ongoing losses from reputation damage and loss of brand loyal customers.
Looking at the news, it would be easy to assume that only retailers are affected by credit card breaches. Unfortunately, everyone from zoos and banks to the government are at risk or have already experienced breaches.
Entities across the world are targets for hackers. No company working in any industry located in any place is safe from becoming a target. According to Verizon’s PCI Report, 69 percent of consumers would be less inclined to do business with a breached organization.
Customer Confidence
With the constant wide-spread news on companies and industries getting hacked or breached, customer confidence may be lacking. Remaining compliant with PCI DSS requirements is a necessary first step to boosting customer confidence. Breaches are much less likely to occur behind stringent compliance processes.
While consumers may not understand the processes behind PCI compliance, the news coverage on breaches are making them aware. Just conveying that your business and the partners you work with are in line with PCI DSS will give your customers peace of mind.
Security is a big issue for any entity that provides their products or services in stores or online. PCI compliance shows that a company is serious about protecting their customers. Because of this, PCI DSS can bring in more clients. Buyers will understand that your company has taken every measure necessary to protect their personal information.
Cards Aren’t Going Away Any Time Soon
While apps and mobile payments are starting to gain traction, card payment use continues to grow. The Neilson Report noted that in 2026, global brand credit, debit and prepaid cards are projected to reach 767 billion purchase transactions for goods and services worldwide.
Different types of debit and credit cards have been around for decades. There have been upgrades like the most recent security chip update, but the fundamental idea has remained unchanged.
There continues to be an increasing level of interest in cryptocurrencies, such as Bitcoin. While, there is a place for their use and may even be a preference to some users, they are still not widely accepted in all mainstream market places. Many business entities view cryptocurrencies a high-risk option for transaction.
Make a Cultural Change
If you are an organization that transmits, processes, stores or could impact the security of cardholder data in any way, adopting PCI compliance should be the first thing on your list. Maintaining a “business as usual” approach to PCI monitoring will keep your company safe from breaches and your customers’ information safe from hackers.
It is worth completing an internal scan to identify any internal issues. A variety of open-source tools are available that will provide an overview of potential PCI compliance.
Implement Multi-factor Authentication
Multi-factor authentication is a method of confirming a user’s claimed identity and helps prevent an unsecure source from pretending to be a valid user. This type of authentication adds a new level of security to simply a user name and password.
According to Verizon’s Data Breach Investigations Report, 95 percent of security incidents involved stealing credentials from customer devices and using them in web applications.
PCI DSS Requirement 8.2 requires that at least two of the three authentication methods below are in place:
- Something you know: This could be a password or phrase, a PIN, or answers to security questions. The user must be able to correctly verify this information.
- Something you have: These are physical possessions such as a token device, smart card, key fob or smartphone.
- Something you are: This method involves verification of characteristics that are unique to the individual. Examples include fingerprints, retina scans, facial recognition, voice recognition, etc.
By implementing multi-factor authentication, you are providing a higher degree of assurance of an identity. The PCI Security Council released an information supplement on multi-factor authentication to educate organization on how to best implement these guidelines.
Some multi-factor authentication best practices include:
- Implement everywhere: You must consider all access points.
- Test and monitor frequently: Your MFA policy should be current and tested for vulnerabilities regularly. Engaging IT or a third-party to test this will lower the risk for a breach.
- You should prioritize user experience.
PCI Compliant Hosting Providers
A simple way to ensure your organization remains PCI complaint is to use a PCI compliant hosting solution. These solutions use technology and processes like MFA and stay current with PCI DSS requirements as they evolve.
Approved vendors can pinpoint network vulnerabilities from the outside looking in. Finding a reliable hosting provider that has expert knowledge on the ins and outs of PCI compliance will take the weight off of your shoulders when it comes time for audits.
The Benefits of PCI DSS Compliance
Since PCI DSS and other compliance standards have many moving parts and regulations, companies may see it as a burden. With pressure to cut costs and innovate, executives are not only wondering what is being dobe, but how and why.
While there are many clear benefits to compliance, many organizations don’t have bandwidth or expert knowledge to sufficiently comply with PCI DSS. We would like to show those organizations that the cost of non-compliance is much worse and finding expert help can be easy.
Reduced Breach Costs
Recent reports have shown a strong correlation between compliance and data protection. Organizations that have suffered breaches showed lower than normal compliance with PCI DSS. While there is no guarantee that your organization will never be breached, compliance has shown to reduce the likelihood.
There are many costs that come with a breach. By remaining compliant, there are a couple of costs that you are likely to avoid. Those avoided costs include:
- Third-party investigations and remediation costs
- Monthly fines
- Legal fees
- Lower share price
- Reputation damage leading to loss of business or partnerships
- Credit monitoring costs for affected parties
Customers make purchases with providers and businesses they can trust. If you are trying to cut costs in the compliance realm, you’ll likely cut your customer trust and business along with it. Not only can compliance save money in the long-run, but it can solve a range of other organizational challenges.
A strong company focus on compliance will help to increase employee awareness of security and create a more alert security posture. Improved business requirements will result in transparency into security best practices.
PCI DSS and other compliance standards have also been able to help build better partner and vendor relationships. The stringent security procedures ensure confidence in partners and show clarity over roles and responsibilities.
Find a PCI DSS Compliant Hosting Provider you can Trust
Your organizations, the threats they face each day and PCI DSS rules and regulations are evolving. Finding a PCI compliant hosting provider that you can trust allows you to refocus on your business core competencies.
LightEdge has secure and compliant data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable PCI compliance. With a specific background working with the financial industry, our data center and hosting solutions provide you with confidence you need to meet PCI DSS requirements.
LightEdge offers an included risk assessment from our Chief Security Officer and Chief Compliance Officer as a free resource to all our customers. Compliance and security are top priorities to guarantee that your data is protected. LightEdge’s completion of ROC (PCI) validates the company as a PCI DSS Level 1 Service Provider, assuring clients that LightEdge data center facilities meet the prescriptive PCI physical security requirements.
LightEdge is compliant with:
- PCI DSS 3.2
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- HIPAA
If you are interested in getting a risk free assessment from our financial industry compliance experts, a tour of any of our PCI DSS compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.