According to an analysis by Atlas VPN, credit card fraud cases surged by 104.7% when you compare Q1 of 2019 and 2020. Likewise, Julie Conroy, a research director at Aite Group, reported that by the end-2020, credit card fraud losses in the US amounted to a staggering $11 billion! These facts make it clear that the digital payment ecosystem is rife with vulnerabilities. After all, security gaps can emerge at various points of handling, storage, and transmission, such as at POS devices, e-commerce apps, Wi-Fi hotspots and personal computers.
To create a safer payment ecosystem, major players, namely, American Express, JCB, MasterCard, Visa, and Discover formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently, a standard for data security, the PCI Data Security Standards (PCI DSS). The latest version of PCI DSS is v.3.2.1 and though PCI DSS is not a law, it is expected that the industry needs to be compliant with its requirements as non-compliance entails hefty fines and lost business opportunities and customers.
If you handle, store, process, or transmit credit card data you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be so. Depending on how much sensitive information visits and resides in your systems, your compliance requirements could be more or less, complex or basic.
Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS.
PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more.
Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.
Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.
If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use the SAQ relevant to you only. Every quarter or less, businesses at all levels engage the services of an Approved Scanning Vector (ASV) to check for external scanning requirements of PCI DSS. Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.
Report, attest, and submit: After assessing and taking remedial measures, documentation of the SAQ/ ROC and compensating controls occurs. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. You can submit your SAQ, ROC, AOC, etc., to any organization requesting them with everything in order.
Remember, PCI DSS compliance is not a one-time task. It involves an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300 odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future.
Explore what makes VComply a consistent G2 high performer in Compliance Management. Request your demo today and transform your approach.
Discover the immediate impact VComply can bring to your compliance program. Move beyond the limits of spreadsheets with a system of record designed for complete compliance management.