Running a business in the digital age is no easy feat. This is especially true nowadays, when consumer data security is at the forefront of the conversation.
Data breaches have hit even some of the biggest multinationals out there, enabling the exposure of sensitive user data and compromising the privacy and trust of their customers. When it’s payment card data that leaks on a large scale like this, the damage goes far beyond consumer confidence.
Table of Contents
- What is PCI DSS?
- Who needs to comply with PCI DSS requirements?
- What happens when you don’t comply with PCI DSS?
- The DIY approach to PCI compliance
- The easiest and fastest path to PCI compliance
Individual customers’ financial lives can be severely hurt when their sensitive data gets into the wrong hands.
That’s why it’s incredibly crucial to secure cardholder data, which is what PCI DSS aims to do.
Like many compliance programs, the Payment Card Industry Data Security Standard (PCI DSS) is designed to make each vendor more stable and secure, which leads to a more reliable payment card industry overall. PCI DSS ensures that you, your fellow merchants, and all the stakeholders in the payment card industry are held to a rigorous industry standard for security.
But what about your business – do you need to be PCI DSS compliant?
If you store, process, or transmit cardholder data, the short answer is yes, but let’s go over a few things for you to understand exactly why this data security regulation is so vital and why it’s so important for your business.
What is PCI DSS?
All merchants and service providers that process payment card information must comply with PCI DSS, which is a set of controls and obligations that reduce the likelihood of cardholder data being compromised.
To put it simply: PCI DSS is a set of requirements that businesses that handle payment card data must follow as part of an industry-wide program against credit card fraud and loss.
The most recent DSS version from the Security Standards Council (SSC), which is a consortium of payment card brands like Visa and MasterCard, contains 12 requirements that merchants and service providers must implement.
A dozen boxes to tick doesn’t sound too difficult, right?
Not so fast: within these 12 requirements are hundreds of sub-requirements. Installing firewalls, encrypting cardholder data, performing patch management and maintaining traceable records are just a few of the requirements for PCI DSS compliance, many of which are complex and can require an entire cross-functional team to tackle.
Some of these requirements may be especially difficult for smaller organizations to meet, particularly without any expert help.
Who needs to comply with PCI DSS requirements?
So, how do you know if your business needs to worry about attaining and maintaining compliance?
PCI DSS applies to any organization, without regard to size, value, or number of transactions, if that organization collects, transmits, maintains, or transfers cardholder data. Anyone who transacts a major brand card such as American Express, Discover, MasterCard or Visa must comply with the PCI DSS requirements.
In other words, if payment card data touches your network at any point, you must comply.
For smaller organizations out there, the journey to reaching full PCI DSS compliance without any help may seem incredibly daunting – but failing to fulfill the requirements can and does lead to hefty consequences.
What happens when you don’t comply with PCI DSS?
Like GDPR and CCPA requirements, non-compliance is not an option for PCI DSS requirements. While it is technically not a law, as GDPR and CCPA both are, businesses agree to adhere to PCI requirements when they engage in any activity related to the payment card industry.
Failure to comply with PCI DSS could cost you dearly, particularly if you ever have a breach of payment card data. The penalties for non-compliance range from sizable monetary fines to getting your ability to process payment cards revoked – both of which can be detrimental for an early-stage company.
These can be just the tip of the iceberg compared to the total financial harm caused by non-compliance.
From there, businesses may have to pay to inform every individual impacted by the data breach, reissue cards, pay legal fees – the list goes on. The fines for non-compliance are just the start, and don’t even factor in the brand damage a data leak causes and the loss of consumer trust that follows. Brand image is, in fact, one of the biggest vulnerabilities when it comes to data security.
According to research from the Ponemon Institute, 61% of Chief Marketing Officers believe that the largest cost of a security incident is the erosion of brand value.
Not only should you, as a business leader, want to maintain a secure cardholder data environment (CDE) for your customers, but you should also want to avoid the liability of not implementing these compliance requirements.
The question, therefore, should not be “is PCI compliance mandatory” (it is), but rather “why would you take the risk of not implementing it?”
Understanding that PCI DSS compliance is absolutely vital is the first step – but how would a business go about becoming compliant?
The DIY approach to PCI compliance
To build a PCI compliant network you will, at a minimum, need to take the following steps.
Step one: Download and review the PCI DSS details from the Security Standards Council and study it. There are resources that will help you understand how to comply. Read through them and understand the challenges ahead.
Step two: Conduct a risk assessment to determine the robustness of the controls and how you will mitigate the risks. Not every control applies to every environment. Use your risks to find the gaps you need to fill. It can be helpful to work with an expert for this step. Budget-busting solutions often exceed the needs of most smaller businesses, but untrained personnel often struggle to identify which controls do not apply, or how to compensate for them.
Step three: Determine which of your current resources can be leveraged for one or more of the controls indicated by your risk assessment. Identify any gaps that will require new resources, including servers, routers, communication equipment, physical security, and full-time employees.
Step four: Create a project plan with budget and timeline/milestones. Be careful with how long you take to get compliant, as your risks don’t drop until you are compliant. For many smaller businesses, this process will take 3-6 months, usually requiring significant consultation from experts as well as costly technology, including firewall(s), access control systems, vulnerability scanning services or tools, and more.
Step five: Gather your resources and build or rebuild your network. It is likely you will need at least one full-time employee to manage your network for PCI DSS compliance.
Step six: Test and verify that your controls reduce the risks you identified as expected. Controls do not always work as intended: technology changes rapidly, so the method you chose a few months ago may have been circumvented in the intervening time.
Step seven: Go live with your solution and hope it works as designed. It might not, but you will tweak it until it does.
Step eight: Have your system audited by a Qualified Security Assessor listed on the PCI Security Standards Council website. You won’t really know how well you have done until you are audited (that is, unless you have a breach, in which case you did poorly).
Step nine: Revise your controls or infrastructure based on the audit findings.
Once all nine steps are completed, ongoing vigilance, testing and reworking are still required on a regular basis.
The human resources and funding required to complete all of the above is, unfortunately, out of reach for many younger companies.
For this reason, many small-and-medium-sized organizations opt to work with a trusted third-party data security partner to manage all their PCI compliance needs.
The easiest and fastest path to PCI compliance
Rather than have a cross-functional team undertake the arduous process of gaining PCI DSS compliance via the DIY route, the fastest and simplest way to become compliant is to make sure payment card data never touches your business’s servers.
But how can you possibly transact payment cards and run an online business without ever touching cardholder data?
The solution is an innovative approach called data aliasing, during which sensitive user data – like cardholder information – is redacted in real time and replaced with a synthetic data alias so that none of the original data ever passes through your system.
Data aliasing is the foundation of Very Good Security’s Zero Data solutions, which enable businesses to collect, store and transmit any sensitive data they want without ever coming into possession of it.
This effectively removes most of your business systems from PCI DSS compliance scope, so your burden is drastically reduced – and your risk of data breaches plummets to almost zero.
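The aliasing idea described above, shown as a constructed illustration (not Very Good Security’s implementation, and all names such as `AliasVault`, `merchant_checkout` and the `tok_` prefix are hypothetical): a vault is the only component that ever holds the real card number, the merchant system stores a format-preserving alias that keeps only the last four digits, the alias is built so it can never pass as a real card number, and a small scope-check scanner confirms that the merchant’s stored record contains no cardholder data. The test card number used is the well-known Visa test PAN, not a real card.

```python
import hashlib
import hmac
import json
import re
import secrets

# Constructed illustration of "data aliasing" (tokenization): the vault is the only
# component that ever holds the real card number (PAN); merchant systems keep only
# an alias. All names here (AliasVault, merchant_checkout, ...) are hypothetical.

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: real PANs pass, so aliases are deliberately built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class AliasVault:
    """Maps PANs to format-preserving aliases; only the vault can reverse them."""

    def __init__(self, key: bytes):
        self._key = key             # keyed fingerprint so equal PANs map to one alias
        self._by_alias = {}         # alias -> PAN, exists only inside the vault
        self._by_fingerprint = {}   # HMAC(PAN) -> alias

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def alias(self, pan: str) -> str:
        """Redact a PAN into an alias that keeps its length and last four digits."""
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            digits = body + pan[-4:]
            # Reject candidates that collide or that would pass Luhn: an alias must
            # never be mistakable for a real card number by a downstream scanner.
            if luhn_valid(digits) or "tok_" + digits in self._by_alias:
                continue
            alias = "tok_" + digits
            self._by_alias[alias] = pan
            self._by_fingerprint[fp] = alias
            return alias

    def reveal(self, alias: str) -> str:
        """Detokenize; only the vault (e.g. when forwarding to a processor) calls this."""
        return self._by_alias[alias]


def merchant_checkout(vault: AliasVault, order_id: str, pan: str) -> dict:
    """What the merchant side stores: the alias and last four digits, never the PAN."""
    alias = vault.alias(pan)
    return {"order_id": order_id, "card_alias": alias, "last4": alias[-4:]}


def serialize_record(record: dict) -> str:
    """The merchant's persisted/logged form of an order record."""
    return json.dumps(record, sort_keys=True)


def contains_cardholder_data(text: str) -> bool:
    """Scope check to run over logs or DB dumps: any Luhn-valid 13-19 digit run."""
    return any(luhn_valid(m.group()) for m in re.finditer(r"\d{13,19}", text))


if __name__ == "__main__":
    vault = AliasVault(secrets.token_bytes(32))
    # "4111111111111111" is the widely published Visa test number, not a real card.
    rec = merchant_checkout(vault, "order-42", "4111111111111111")
    print(serialize_record(rec))
    print("merchant record holds cardholder data:",
          contains_cardholder_data(serialize_record(rec)))
```

The design point worth noting is the Luhn rejection in `alias()`: because the alias keeps the PAN’s length and last four digits, a naive random alias would pass a Luhn check about one time in ten and trip the same scanners and audit tooling that look for real card numbers. Forcing every alias to fail Luhn keeps the merchant’s systems demonstrably out of scope rather than merely probably out of scope.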
Very Good Security offers nearly instant compliance for smaller merchants and service providers upon integration. For organizations that are PCI Level 1, either because of transaction volume or because their bank or partners require it, compliance can be achieved in as few as 21 days.
By taking the DIY path, the same result can take several months – after you’ve already poured a substantial amount of human and financial capital into securing your databases and processes.
Very Good Security is a completely scalable solution that grows with your business, and can take your PCI burden off your plate almost entirely.
Interested in descoping your company’s networks from PCI requirements and achieving compliance the simple way? Try a demo of VGS.
Fidelity’s Crypto Subsidiary Targets Asian Investors To Buy Bitcoin
- Fidelity Digital Asset Services (FDAS) has partnered with Stack Funds to enable Asian investors to purchase and store cryptocurrency assets more freely and securely.
- Based in Singapore, Stack Funds is a regulated fund manager focusing on Bitcoin and other digital assets.
- According to the Bloomberg report, Stack Funds will make Fidelity’s secure custody services available to its clients, primarily based in Asia. The company outlined that the Asian market has been continuously growing in demand towards the cryptocurrency industry, especially from high-net-worth investors and family offices.
- Stack further explained that all assets under its management will be audited monthly. The firm will provide insurance coverage, weekly contributions, and redemptions to enhance capital security.
- Stack’s co-founder, Michael Collett, said that Fidelity’s involvement will enable its company to attract even more investors from the region.
- On the other hand, Christopher Tyrer, head of Fidelity Digital Assets Europe, believes that “there’s a critical need for platforms which have a deep understanding of what local and regional investors are looking for.” However, he admitted that the digital asset space has “historically lacked” such platforms.
- After its success in the US, Fidelity Digital Assets expanded its cryptocurrency services to Europe last year. The company aims at entering the Asian market as well now with the Stack Funds partnership.
Hacked? Crypto Lending Platform Cred Suspends Deposits And Withdrawals While Cooperating With Authorities
The popular cryptocurrency lending service Cred has announced that it has temporarily suspended all funds inflows and outflows. Without disclosing many details, the platform said it’s cooperating with law enforcement authorities to investigate an incident.
Cred Suspends Deposits And Withdrawals
The US-based crypto lending platform, which recently announced joining Visa’s fast track program, updated its customers on Twitter regarding the latest troubling developments with a brief message.
“Unfortunately, we are unable to comment further at this time, but we will undertake to provide an update within the next two weeks. During this period, all inflows and outflows of funds will be suspended.” – read the statement.
True to form, the cryptocurrency community lashed out at Cred and its lack of details about what’s going on. This reaction prompted the lending platform to comment once again. Firstly, Cred apologized for the concerns and inconveniences it has caused while it’s assessing the “business impact connected with a recent fraudulent incident.”
Furthermore, the post explained that Cred is currently cooperating with law enforcement authorities. However, it provided some reassurances claiming that “no client personal data or account information was compromised.”
It’s worth noting that Cred’s website reads that the platform works with “trusted security and insurance providers Fireblocks and Lockton to ensure that our customers’ digital assets have enterprise-grade security.” Nevertheless, several community members have questioned the state of their holdings on the platform, as they weren’t satisfied with Cred’s brief updates.
A Dissolved Partnership Saw This Coming?
Although it’s still unconfirmed whether the so-called “incident” is indeed a hack, it seems that the problems have been building for a while now. Days before Cred suspended deposits and withdrawals, one of its partners ended its relationship with the lending platform.
The cryptocurrency wallet and trading platform, Uphold, announced on Sunday that users could no longer link their Uphold wallets to the third-party crypto lending provider Cred.
At the time of this writing, neither Uphold nor Cred have disclosed why their partnership agreement ended.
Renowned Indian-American Author Deepak Chopra May Buy Bitcoin
Deepak Chopra’s name is synonymous with meditation, mindfulness, and healing through healthy living. And according to the latest update, the world-renowned author and thought-leader is considering buying bitcoin. Mr. Chopra is also about to launch ‘Love in Action,’ his own blockchain-based token.
Deepak Chopra Officially Enters The Blockchain Space
It is important to note that Mr. Chopra had already stoked the ire of Ethereum bigwigs more than two years ago when he was announced as a speaker at the Ethereal conference in New York in 2018. Vitalik Buterin himself publicly blasted him as a ‘fraud’ on Twitter. Nonetheless, the talk went well, as per Mr. Chopra.
Fast forward to 2020, the globally revered public speaker has announced his plans to officially launch his own token. Termed ‘Love in Action,’ its launch will coincide with Suicide Prevention Week. In the words of the Chopra Foundation, the token is a “worldwide campaign to heal the world.”
When former FDIC regulator turned blockchain regulation commentator Jason Brett tapped Chopra for technical details about the token, the latter said:
We are currently working on our strategic roadmap for the ‘Love In Action’ token. Our goal is to leverage the ‘proof of state/work’ on the Hedera platform to incentivize healthy behaviors and promote wellbeing via the token. We will initially leverage hbar as the currency and convert to our own coin in the latter part of 2021.
Mr. Chopra Also Considers Buying Bitcoin
Taking cues from Mr. Chopra’s famous interview with Oprah Winfrey, Jason marveled at the idea of Deepak sending some bitcoin to the popular celebrity talk show host. He contemplated mass adoption being sparked by that one event alone, recalling his prime goal of convincing the meditation guru to buy BTC.
When the Value Technology Foundation President finally asked Mr. Chopra about his bitcoin holdings, the latter replied:
I have not bought any Bitcoin to date, but have been keen on cryptocurrency and how it can be used.
The mind-body healing practitioner also said that he doesn’t own any HBAR, the native token of Hedera, the blockchain protocol that will power his own DLT project.
Brett, in his article, notes that not everyone necessarily needs to buy bitcoin, or any other cryptocurrency for that matter. It can also be just about leveraging the underlying technology for social good, which in Mr. Chopra’s case involves improving people’s mental well-being.
Lastly, the ex-ConsenSys Policy Ambassador appreciated Mr. Chopra’s efforts at utilizing blockchain to help people live better. He said:
To the degree blockchain can be used by mental health professionals – or any professional – to help validate the truth of a person’s certification or to validate a person’s well-being seems like an excellent use of it.
Featured image courtesy of CNBC