Cybercriminals are targeting smaller retail merchants to steal credit card information. Large national retail brands make headlines when their systems are breached, but smaller merchants often prove to be easier targets, largely because of weak protections around point-of-sale systems and card handling procedures. The Payment Card Industry (PCI) Security Standards Council (SSC) was established to strengthen the security controls and procedures of businesses and service providers that store, process and/or transmit cardholder data.
Depending upon the number of transactions processed, small merchants are required to have appropriate PCI compliance measures in place and may be asked by their bank or third-party payment processor for compliance reporting. If the annual volume of transactions is high, then merchants may be required to undergo a compliance assessment with a third-party PCI Qualified Security Assessor Company (PCI QSAC).
What does this mean for your organization’s compliance obligations? If you process payment card transactions, you must know which PCI compliance requirements apply to your organization and understand the associated compliance and reporting requirements.
DHG has compiled a list of common challenges and recommendations for getting started with PCI compliance or validating that you are maintaining PCI compliance.
1. Understand the Cardholder Data Environment and Data Flows
Are you aware of every channel through which your business accepts payment cards? Knowing how your business accepts payment card data is necessary to determine your PCI reporting requirements. Additionally, knowing which assets are involved in payment card transactions can help narrow the scope of your cardholder data environment and reduce the effort and cost of PCI compliance.
2. Document Policies & Procedures
Many policies and procedures must be documented to meet PCI DSS compliance obligations. PCI DSS requires that security policies and procedures be documented and approved by management. Documenting these procedures is not only a best practice for managing data security but also helps those evaluating your PCI compliance understand what will be discussed during your walkthroughs.
3. Perform a Risk Assessment
Performing a security-focused risk assessment of your cybersecurity infrastructure is necessary for PCI compliance, and many smaller retailers struggle to conduct a thorough assessment of cyber risk. The risk assessment process is designed to clearly define the risks associated with accepting payment cards and, more importantly, to identify where risks are high and need attention. The identified high-risk areas and their mitigating controls should be documented, with remediation plans tracked until the risk is mitigated.
4. Vulnerability Scanning & Penetration Testing
Technical assessment is an often overlooked requirement of PCI compliance. Vulnerability scanning is the automated scanning of IT systems to identify configuration vulnerabilities, while penetration testing is a manual simulation of a cyberattack against your organization’s systems. Both are critical to identifying common vulnerabilities that could lead to data theft. Some organizations fail to remediate the vulnerabilities these assessments identify, leaving their systems exposed to attackers. Technical assessments must be performed, and high-risk issues should be remediated as soon as possible.
If you need help understanding your compliance obligations or assessing your environment to determine your PCI reporting requirements, please reach out to a DHG Technology Advisory professional.