If your organization's third parties suffered a data breach, would you be informed about the incident? According to Ponemon Institute, over 61% of organizations reported that they are unsure they would be told about such an incident by their third parties, and 50% revealed that they don't monitor third parties that have access to sensitive or confidential information. Gaps like these are why standards such as PCI-DSS exist: to ensure that companies handling payment card data store, process and transmit it safely, with regard for the privacy of cardholders.
PCI-DSS is not law. It is a set of security standards that the major credit card companies have agreed to uphold and to enforce through their contracts. As a result, any merchant that stores, processes and/or transmits cardholder data through the major card networks must also agree to uphold these standards. Third-party vendors may or may not be required to comply, depending on the function they provide for your organization and whether that function touches cardholder data.
If your organization is in the financial industry, one of the best ways to ensure third-party compliance is to work with a PCI-compliant third-party processor.
What Is a PCI Compliance Third-Party Processor?
A PCI compliance third-party processor is any third party, other than the payment brands themselves, that processes, stores or transmits payment card data on behalf of another company or organization and meets PCI-DSS requirements. The distinction matters: an organization that handles card data for its own sales is a merchant, while one that handles it on behalf of others is a third-party service provider. Both are subject to PCI-DSS, but they are validated differently.
The Payment Card Industry Security Standards Council (PCI SSC) created the PCI-DSS regulations as a set of security standards for the major credit cards: American Express, Visa, Mastercard, Discover, and JCB International. These standards are designed to keep payment accounts secure while reducing fraud.
All five major credit card companies have agreed to comply with the PCI-DSS standards and bear the responsibility of enforcing compliance for every payment transaction. This means that all merchants must agree to comply with PCI-DSS in order to be approved for payment processing. For example, when a grocery store wants to accept Visa card payments, the merchant agreement it signs (typically with its acquiring bank, which in turn answers to Visa) binds it to PCI-DSS compliance.
When a merchant is found to be non-compliant, a card network such as Visa has the right to ban that merchant from accepting payments through their network.
What Does PCI-DSS Require?
The way PCI-DSS compliance is validated differs based on the volume of payments a merchant processes and on how much access an organization has to cardholder data. The requirements themselves are the same for everyone, but a small merchant may complete a Self-Assessment Questionnaire, while a large one must undergo an on-site assessment by a Qualified Security Assessor.
At a basic level, PCI-DSS prohibits storing sensitive authentication data (full magnetic-stripe or chip data, the card verification code and PINs) after a transaction has been authorized, even in encrypted form, and requires that the primary account number be rendered unreadable wherever it is stored.
Specifically, PCI-DSS has six main objectives, achieved through 12 requirements. The six objectives are:
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
These six goals are achieved in specific ways, as outlined in the PCI security standards documents:
- Build and maintain a secure network and systems.
Under this section, an entity must install and maintain a firewall (or equivalent network security controls) that protects the systems holding cardholder data, and must not use vendor-supplied defaults for system passwords or other security parameters. In other words, every default password and default security setting on systems used to process payments must be changed before they go live. Default passwords are one of the easiest ways attackers gain unauthorized access to a network.
- Protect cardholder data.
Cardholder data must be protected wherever it is stored, and must be encrypted in transit across open, public networks such as the Internet, wireless and cellular networks. Open networks are common since many businesses offer free Wi-Fi to guests; an entity processing card payments should therefore keep its payment systems on a separate, secured and encrypted network segment, isolated from guest Wi-Fi.
- Maintain a vulnerability management program.
A vulnerability management program protects systems against malware. It includes running anti-malware software and keeping it current, applying security patches promptly, and developing and maintaining applications securely so that known vulnerabilities are fixed rather than left in production.
- Implement strong access control measures.
An entity is required to permit access to cardholder data only on a need-to-know basis. This means an access control system that grants each user the least privilege required for their role, rather than broad access based on job title. For example, customer service agents may only need to see the last four digits of a cardholder's card number to verify a caller's identity, so the rest of the number should be masked for them.
Physical access to cardholder data also needs to be restricted. This can include locking rooms with stored paperwork and securing on-premises server rooms.
- Regularly monitor and test networks.
Under this requirement, entities must log and monitor every access to network resources and cardholder data, and retain the logs so that an incident can be reconstructed. Security testing is required on an ongoing basis: regular vulnerability scans, which are largely automated, and penetration tests, which need skilled testers and cannot be fully automated.
- Maintain an information security policy.
Organizations that are PCI-DSS compliant must maintain an information security policy. The policy addresses organizational policies, procedures and other relevant information for all personnel who have access to a network containing cardholder data.
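The two requirements that most often fail in practice are "protect cardholder data" and "need-to-know access", and the usual failure is a full card number written into an application log or shown to someone who only needs the last four digits. The following is an added example, not code from this page or from Panorays: a masking helper that renders a PAN as only its last four digits, plus a scanner that flags unmasked, Luhn-valid PANs in log lines. The log lines and card numbers are constructed for the demo (the PANs are public test numbers, not real accounts).

```python
"""Added example: PAN masking and a log scanner for unmasked PANs.
Not from the page or from Panorays; sample data below is constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Line 1 is already masked (only last4),
# line 3 carries an order number that is PAN-length but fails Luhn,
# lines 2 and 4 leak a full PAN (public Visa/Mastercard test numbers).
SAMPLE_LOG = [
    "2024-03-01T10:01:02Z INFO auth ok user=agent17 last4=1111",
    "2024-03-01T10:01:05Z DEBUG charge req pan=4111 1111 1111 1111 amt=19.99",
    "2024-03-01T10:01:06Z INFO order=1234567890123 shipped",
    "2024-03-01T10:01:09Z DEBUG cvv=123 pan=5555555555554444",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every card-brand PAN passes it, so it filters out
    most PAN-length numbers (order IDs, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Render a PAN for display: keep only the last four digits (all a
    support agent needs to verify a caller) and replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def find_unmasked_pans(lines):
    """Return (line_number, masked_pan) for every line carrying a Luhn-valid
    PAN. Already-masked values such as ************1111 contain no 13+ digit
    run and are skipped, so the scanner only reports genuine leaks."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                # never echo the full PAN, even in a finding
                hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN ending {masked[-4:]}")
```

Running the scanner over the constructed log reports lines 2 and 4 only; line 3 is skipped because the order number fails the Luhn check, and line 1 because it was already masked. The same pair of functions can be run against real application logs in CI or a log pipeline to catch cardholder data before it reaches storage that was never meant to be in PCI scope.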
Who Is Regulated By PCI-DSS?
Generally speaking, any entity that enters into a contract agreeing to comply with PCI-DSS is bound by PCI-DSS regulations. This can include issuers, acquirers, processors, merchants and banks.
Third-party service providers
If your third-party service providers store, process and/or transmit cardholder data, they need to comply with PCI-DSS and should provide an Attestation of Compliance (AOC) to prove it. A provider whose service could affect the security of your cardholder data environment, such as a managed firewall or hosting provider, is also in scope even if it never sees a card number.
Even if they are not involved in any of these data processes, the services they provide must follow the terms set out in the vendor agreement for as long as the vendor's business relationship with your organization lasts.
What Are the Penalties for PCI-DSS Violations?
PCI-DSS is not a law, but there are consequences for non-compliance, imposed by the card brands and acquiring banks. They vary with the entity's PCI-DSS compliance level; in general, they include:
- Fines that range from thousands to hundreds of thousands of dollars.
- Recurring non-compliance charges that can cost an entity up to hundreds of dollars each month.
- Higher premiums for certain types of business insurance, because non-compliance puts cardholder data at risk in the event of a data breach. In some instances, non-compliance with PCI-DSS can prevent a business from collecting on a claim.
- Lawsuits, which are always a potential consequence, particularly after a breach.
How Panorays Can Help You Comply With PCI-DSS
When you’re bound by PCI-DSS or any regulation, you can’t make assumptions about your vendors’ compliance. However, Panorays can help you quickly and efficiently understand who is compliant, who is not but needs to be and how to streamline the process of ensuring vendor compliance. With customizable security questionnaires, your vendors can meet the expectations of regulatory measures as well as your own internal company policies. In addition, Panorays continuously monitors and evaluates the vendor, and sends live alerts about any security changes that may affect your vendors’ regulatory compliance.
Want to learn more about how Panorays can help you keep your third-party vendors PCI-DSS compliant? Sign up for a free Panorays demo to learn how we can help.