Meeting PCI DSS Compliance with Globalscape EFT
Payment card data is a constant source of concern for consumers and companies alike, from small businesses to large international organizations. Cybercriminals are always looking to take advantage of payment card data that is being managed or processed.
Recent statistics are not promising, either. According to a Gallup Poll, nearly 70 percent of American consumers worry about their payment card data, and they have just cause for concern, as data from the UK shows: there were more than 2.46 million cyber incidents in the UK in 2015 alone. These incidents can happen to all types of businesses; the data shows that hackers target both large and small companies, and 71 percent of attacks hit businesses on the smaller end, with fewer than 100 employees.
So, what to do about all these threats?
What is PCI DSS?
PCI DSS is a compliance requirement that is enforced and managed by the Payment Card Industry Security Standards Council. The set of standards was established to help mitigate credit card fraud and protect consumers’ payment card data. At the same time, the set of standards was meant to evolve with the current data security landscape that organizations face.
PCI DSS compliance applies to any organization that accepts payments from the major credit card brands, like Visa, MasterCard, American Express, Discover, and JCB. Additionally, PCI DSS compliance requirements also include the use of peer-to-peer, mobile payment services like Venmo, Square, and PayPal.
The Challenge of Meeting PCI DSS Compliance Requirements
In 2015, more than 80 percent of businesses failed the interim Payment Card Industry Data Security Standard (PCI DSS) compliance assessment (Verizon’s 2015 Compliance Report). Complying with PCI DSS is no simple feat. It requires a full-scale data security and management process that involves active participation across an entire company, regardless of its size.
“Your data is vulnerable when it travels to your bank, and when it’s kept stored or on your computers and devices.”
PCI DSS is a complex regulation meant to safeguard sensitive payment information, which means that complying with the regulation can be a challenge. One of the latest releases of PCI DSS expressly states how organizations must maintain security protocols and defenses. This could require more check-ins on PCI DSS compliance, which could also be costly if a full audit is requested.
“Fines of $500,000 per incident for being PCI non-compliant”
The financial damages that an organization can incur extend beyond the PCI DSS noncompliance fines. Noncompliance is a reflection of an organization’s security profile and speaks to its potential security vulnerabilities and weaknesses. What’s worse than a compliance fine? In two words, a data breach. Consider the December 2013 story, when 110 million Target customers had their credit and debit card information stolen. The breach cost the national retailer “nearly $162 million of expenses related to the breach, including $444 million in insurance payments.” (The Cost of Failing a PCI DSS Audit)
Are you PCI DSS compliant? The PCI Security Standards Council offers a Self-Assessment Questionnaire on its website to help you determine the security of your cardholder data.
PCI Data Security Standard: High-Level Overview (from PCI DSS)

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
How MFT Supports a PCI DSS Compliance Strategy
Meeting data privacy compliance requirements while securing transferred data is a top IT challenge for many organizations. When an organization that manages payment card data uses a managed file transfer (MFT) solution to manage transferred data, two important goals can be achieved together: secure file transfers and PCI DSS compliance.
Without a secure data transfer solution in place, a company can face an onslaught of expensive and time-consuming problems, from lawsuits to data breaches to insurance claims, among others. By using an MFT solution, you can keep your customers’ valued payment data secure while still meeting and maintaining the necessary regulations, like PCI DSS.
How Globalscape Helps with PCI DSS Compliance
While assessing the security of its cardholder data, a Globalscape customer that operates in the financial services industry determined that it was not meeting all of the PCI DSS compliance requirements. One such requirement was not being met while data was transmitted over a secured network: credit card data was being stored in the organization’s Demilitarized Zone (DMZ), which is a violation of PCI DSS.
To resolve that risk, among a few others, they chose Globalscape EFT to benefit from the High Security Module (HSM), the Auditing and Reporting Module (ARM), and the DMZ Gateway.
With Globalscape’s advanced MFT solution, the financial services company was able to overcome the challenges that came with meeting and maintaining PCI DSS compliance. With their new solution:
- By using EFT Enterprise, all data transfers were kept secure, while the organization retained full operational visibility over all data activity and its IT infrastructure
- By using HSM, the organization enabled flood and DoS prevention settings and ensured that user credentials were not persisted in memory
- By using ARM, the organization was fully prepared for audits and could catch potential data transfer problems before an audit was conducted
- By using DMZ Gateway, payment card data was better protected because card data was never stored in the DMZ
Globalscape’s enterprise-level MFT solution gave the financial services organization a secure and efficient way not only to protect payment card data, but also to put preventive data security measures in place so that it could continue to meet and maintain PCI DSS compliance with ease.
If you’re ready to learn how Globalscape can help your organization meet PCI DSS compliance, contact us today.
More Compliance Resources
Out of Order! The Risks of Being Out of Compliance
“The average cost for organizations that experience non-compliance related problems is $9.4 million.”
(Ponemon Institute, True Cost of Compliance)
Data privacy matters, and it’s a core reason why compliance regulations are in place. Non-compliance often indicates that an organization doesn’t have the minimum data security protections and processes in place to protect the data it manages. Is your organization meeting its compliance mandates? Do you know how non-compliance can impact your organization?
If you want to learn more about compliance mandates and how a strong data management solution can positively impact the role you play in maintaining your organization’s compliance, download our latest guide.
In the guide, “Out of Order! The Risks of Being Out of Compliance,” you will learn:
- Common compliance regulations and which businesses are affected
- Three ways compliance problems can negatively affect your business
- How data management plays a role in your compliance strategy