According to the Identity Theft Resource Center and CyberScout, the number of U.S. data breaches tracked through the end of June hit a half-year record high of 791. If you’re accepting credit or debit cards, you need to have the proper procedures and technologies in place to protect your organization from compromise.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card companies (Visa, MasterCard, American Express, and Discover). The standard was created to increase controls around cardholder data and reduce fraud.
Who must comply with the PCI standards?
Companies that work with and are associated with payment cards are required to comply with these standards. This includes merchants of all sizes, card issuers, payment processors, point-of-sale vendors, service providers, and hardware and software developers that participate in the global ecosystem for processing payments.
What’s considered sensitive payment card data?
Everything on the front and back of the card – including the chip, Primary Account Number (PAN), cardholder name, expiration date, and CID (on American Express cards) – is considered sensitive data and must be treated as exposed to threats. Further, the data stored in the magnetic stripe on the back, PINs, card validation codes/values, and PIN blocks are considered “sensitive authentication data” and must be purged post-authorization.
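As an added example (not from the original article or from Sirius), the Python below sketches the defender-side check implied above: a post-authorization purge that drops sensitive authentication data fields and masks PANs to first six/last four in stored records and free text such as log lines. The field names and the sample record are assumptions constructed for the example.

```python
import re

# PAN candidate: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitive authentication data (SAD) named on the page; these field names are
# assumed for the sample record and must never survive authorization.
SAD_FIELDS = {"track1", "track2", "cvv", "cvc", "cid", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn check: weeds out order numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text (log lines, notes); separators are dropped."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def purge_post_authorization(record: dict) -> dict:
    """Return what may remain in storage after authorization: SAD fields dropped, PANs masked."""
    kept = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    return {k: mask_pans_in_text(v) if isinstance(v, str) else v for k, v in kept.items()}


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is the well-known test PAN.
    captured = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "J. Doe",
        "expiry": "12/25",
        "cvv": "123",
        "track2": ";4111111111111111=2512101?",   # constructed magnetic-stripe data
        "note": "order ref 1234567890123456",    # 16 digits but fails Luhn, so left alone
    }
    print(purge_post_authorization(captured))
```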
How is payment card data stolen?
According to the PCI Security Standards Council, sensitive cardholder data can be stolen from:
- Compromised card readers
- Paper stored in filing cabinets
- Data in payment system databases
- Hidden cameras recording the entry of authentication data
- Poorly secured wireless or wired networks
How do you stay compliant?
The card brands require that validation of compliance be performed annually. Depending on merchant or service provider level, that attestation may be through an audit conducted either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), resulting in a Report on Compliance (ROC), or through the completion of a Self-Assessment Questionnaire (SAQ).
As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, Sirius can help ensure that organizations’ payment card data processes and their supporting systems are compliant with the PCI DSS and protected from the risks of theft or fraud.
PCI Security Standards Council
Identity Theft Resource Center at CyberScout – Mid-Year, U.S. Data Breaches Increase at Record Pace