What is PCI DSS Compliance

Guides to PCI (Payment Card Industry) DSS (Data Security Standard) Compliance.


by Bernard Kohan

I'm sure by now you have heard many times in the news about hackers and scammers hacking into eCommerce systems and stealing consumers' sensitive information including credit card information.

When users' or customers' sensitive information is exposed or stolen, it is called a Data Breach.

One important fact to know is that if a Data Breach occurs on your website while you are storing users' or customers' sensitive information, you are very likely to be liable for any resulting identity theft or fraudulent credit card charges, and you can be sued for a substantial amount of money.

Most website owners are not aware of the seriousness of a Data Breach. They do not know that several Federal and State laws impose notification requirements when a Data Breach occurs.

There is also a major misconception that if there is a Data Breach, the hosting company or website developer will be liable for the occurrence rather than the website owner. That is not the case: if you are the website owner and there is a Data Breach on your website, you are the first in line to be held liable and sued. The argument is that a website owner should maintain and follow sufficient, recognized security standards such as PCI DSS Compliance, hiring specialists and qualified people to help maintain security.

Below is an example of the average cost of a Security Breach; it will give you some idea of the amount of liability and claims that can arise out of a Data Breach:

Average cost of a Data Breach based on 2012 Data Breaches (research and info is from NetDiligence):

Average cost of defense: $582K
Average cost of settlement: $2.1 million
Average records lost: 1.4M accounts compromised
Average cost per breach: $3.7M
Average cost of crisis services (forensics, notification to customers, call center, credit monitoring, legal counsel): $983K
Average cost of each crisis service:
  Forensics: $341K
  Notification: $180K
  Call Center: $50K
  Credit Monitoring: $354K
  Legal Counsel: $66K

If there is a Data Breach on your website, State and Federal laws require that you notify your customers by mail (or by email if certain conditions are met). That by itself costs you not only the mailing expense but also the goodwill of customers, who, once unhappy, can later file a lawsuit for stolen identity or fraudulent credit card charges.

The Payment Card Industry Security Standards Council was formed by Visa International, MasterCard Worldwide, American Express, Discover Financial Services, and JCB in order to set forth the security standards necessary to protect customers' data. They put together the Payment Card Industry Data Security Standard (PCI DSS) and require companies, organizations, or stores that accept credit cards to adopt the standard (PCI DSS).

These standards are updated periodically; the most recent version of the PCI DSS is version 3.0, which was released in November 2013.

There are a lot of detailed requirements for following and adopting PCI DSS, which are outside the scope of this article, but below is a summary list to give you some idea of these security measures:

Another misconception that site owners have regarding PCI DSS compliance is that it is a one-time implementation: once a site is PCI DSS compliant, it will stay compliant. This is not the case. In order for a site to stay PCI DSS compliant, the site owner is required to continuously scan and test the site for newly discovered vulnerabilities. For example, your website may have passed its PCI DSS Compliance scan last month, but if a new vulnerability is found in the web server software you are using, your site will fail the PCI DSS Compliance security scan until you fix it.

There are a few approved companies that provide PCI DSS Compliance evaluation and scanning for a monthly charge; Trustwave and SecurityMetrics are the most popular. Most Merchant Service companies provide PCI DSS Compliance scanning for their customers at no charge through an approved PCI DSS security company. For example, Wells Fargo Merchant Services provides complimentary Trustwave PCI DSS Compliance evaluation and scanning to customers who accept credit cards through Wells Fargo Merchant Services, so that those customers can become and stay PCI DSS Compliant.

If your Merchant Service provider does not offer complimentary PCI DSS Compliance evaluation and scanning, you may need to seek the help of a professional consultant to help you become PCI DSS Compliant.

A final thought: it is important to know that keeping your customers' sensitive information secure is your responsibility, and you can face substantial liability if you do not invest in securing your site.
