PCI

September 2020: Compliance Certification Roundup

ZenGRC Team · September 1, 2020 ·

Each month, ZenGRC highlights companies that have earned compliance certifications for information security frameworks. Here’s our September 2020 roundup of recent compliance news from around the United States and around the world.

PCI Certification

PCI certification and compliance are two different, but related, designations.
PCI certification is a more rigorous process. It involves an intensive audit performed by a Qualified Security Assessor (QSA).
PCI compliance means a company follows best practices to help protect Cardholder Data (CHD) following the guidelines set by the PCI Council.

In August, SmartStream, New York City, New York, financial transaction lifecycle management solutions provider, announced certification for PCI-DSS version 3.2.1, level 1, the highest level. Read more about SmartStream’s PCI-DSS certification.
In August, eBizDocs, Albany, New York, an electronic content solutions provider, completed its SOC 2 Type II attestation with zero defects. The Moore Group conducted the audit. Read more about eBizDocs’ SOC 2 certification.
In August, iQIYI, Inc., Beijing, China, an online entertainment service in China, completed its PCI DSS certification. Read more about iQIYI, Inc.’s PCI DSS certification.
In August, Payment International Enterprise, Jidhafs, Bahrain, an alternative payment solution, attained the PCI DSS Compliance Certification. Read more about Payment International Enterprise’s PCI DSS certification.

ISO Certification

ISO standards concern many industries. The three primary ISO standards that help organize compliance for companies looking to create IT programs: IT, ISO 27001, ISO 31000, and ISO 9001.

In August, Tangoe, Parsippany, New Jersey, an enterprise technology expense management firm, successfully completed certification to the ISO 27001 standard. Read more about Tangoe’s ISO certification here.
In August, The Securities and Exchange Commission of Pakistan (SECP), Islamabad, Pakistan, has secured Phase2 of ISO certification for its Information Security Management System (ISMS). Read more about The SECP’s ISO certification.
In August, Folio, Mclean, Virginia, a smartphone-based digital identity and verification solution provider, completed its certification for ISO/IEC 27001. Read more about Folio’s ISO certification.
In August, Innomar Strategies, Oakville, Ontario, Canada, specialty pharmaceuticals service provider, announced it is the first and only service provider in Canada to have all of its clinics and home care nursing services achieve certification by Intertek under the ISO 9001:2015 standard. Read more about Innomar Strategies ISO certification.
In August, Remind, San Francisco, California, a communication platform in education, announced its achievement of ISO 27001:2013 certification for its information security management practices. Read more about Remind’s ISO certification.
In August, Glassbox, London, United Kingdom, a digital customer experience solution, completed its ISO 27701 standard. Read more about Glassbox’s ISO certification.
In August, Comply365, Beloit, Wisconsin, the industry leader in mobile solutions for content management and document distribution, received ISO 27001:2013 certification. Read more about Comply365’s ISO certification.
In August, PACSHealth, LLC, Scottsdale, Arizona, developer of medical imaging informatics software, announced the company has earned ISO 9001:2015 certification for its quality management system. Read more about PACSHealth ISO certification.
In August, Silicon Creations, Lawrenceville, Georgia, supplier of high-performance analog and mixed-signal intellectual property, achieved ISO 9001 Quality Management System certification by the British Standards Institute. Read more about Silicon Creations’ ISO certification.
In August, The New Science Degree and PG College, Telangana, India, a College in India, was accredited with ISO 9001:2015. Read more about The New Science Degree and PG College’s ISO certification.
In August, IoT.nxt, Centurion, South Africa, an Internet of Things technology provider, received triple ISO certification and finalized compliance with EU GDPR requirements. Read more about IoT.next’s ISO certification.
In August, Peak Performance Compounding, Leominster, Massachusetts, a medical and industrial compounding company, obtained ISO 13485:2016 and 9001:2015 certifications. Read more about Peak Performance Compounding’s ISO certification.
In August, Corporate Prime Solutions Inc. (CPSI), Vancouver, British Columbia, a management system consulting firm, announced it was awarded the ISO 9001:2015 QMS Re-Certification and ISO/IEC 27001:2013 ISMS Certification. Read more about Corporate Prime Solutions ISO certifications.
In August, WasteServ, Marsa, Malta, waste management services, achieved ISO 9001:2015, and ISO 14001:2015 certification. Read more about WasteServ’s ISO certifications.
In August, Axion Polymers, Manchester, United Kingdom, waste management service providers, has been recertified for the ISO 9001. Read more about Axion Polymers ISO certification.
In August, Aerofloat Australia, Taren Point, Australia, an Australian wastewater treatment company, became ISO certified in multiple international standards. Read more about Aerofloat’s ISO certifications.
In August, The Metropolitan Atlanta Rapid Transit Authority Department of Safety and Quality Assurance, Atlanta, Georgia, public transportation provider, achieved ISO 9001:2015 certification for its Quality Management System. Read more about MARTA’s ISO certification.

SOC 2 Certification

SOC 2 concerns all organizations and enterprises providing services that process and store customer data. SOC 2 reports are based on five Trust Services Criteria: security, availability, confidentiality, processing integrity, and privacy.

In August, True Influence, Princeton, New Jersey, an intent-based sales and marketing solutions provider, announced that it had successfully completed the Service Organization Control (SOC) 2 Type 2 audit. Read more about True Influence’s SOC 2 audit.
In August, EmployStream, Cleveland, Ohio, provider of onboarding automation to the staffing industry, announced the completion of their SOC 2 Type 1 audit. Read more about EmployStream’s SOC 2 Type 1 audit.
In August, Foko Retail, Gatineau, Quebec, Canada, announced it completed its SOC 2 Type 2 certification. The audit was conducted by Assure Professional. Read more about Foko Retail’s SOC 2 Type 2 audit.
In August, Panorays, New York City, New York, a provider of automated third-party security lifecycle management, announced the completion of its SOC 2 Type II audit. Read more about Panorays’ SOC 2 Type II audit.
In August, True Influence®, Princeton, New Jersey, provider of intent-based sales and marketing solutions, announced that it has successfully completed the SOC 2 Type 2 audit. Read more about True Influence’s SOC 2 Type 2 audit.
In August, Criterion Networks, Santa Clara, California, a network transformation enabler for managed service providers and enterprises, announced that it has successfully completed the SOC 2 Type 1 certification for its Criterion SDCloud® platform. Read more about Criterion Networks SOC 2 Type 1 audit.
In August, Meperia, Santa Fe, New Mexico, a content management company focused on solving supply chain challenges for healthcare providers, announced the completion of its SOC 2 Type 2 examination. Read more about Meperia’s SOC 2 Type 2 audit.
In August, Driven Technologies, Norcross, Georgia, provider of IT managed services, managed security services, and hosting services announced the completion of their SOC 2 Type 1 examination. Additionally, it completed a HIPAA security compliance assessment, PCI DSS assessment, and penetration tests. Read more about Driven Technologies SOC 2 Type 1 audit.
In August, Tower MSA Partners, Delray Beach, Florida, a Medicare Secondary Payer compliance and Medicare Set-Asides services company, completed its SOC 2 Type I audit. Performed by Kirkpatrick Price. Read more about the Tower MSA Partners audit.
In August, Solvvy, San Mateo, California, the next-gen chatbot platform, announced the completion of its SOC 2 Type 1 examination with zero exceptions. This independent audit was conducted by Linford & Company. Read more about Solvvy SOC 2 Type 1 audit.
In August, Contract Room, San Mateo, California, contract lifecycle management platform provider, announced the completion of its SOC 2 Type 1 certification. Read more about Contract Room’s SOC 2 Type 1 certification.
In August, Fireminds, Hamilton, Bermuda, an automated technology provider, renewed its SOC2 accreditation. Learn more about Fireminds’ SOC 2 audit.
In August, Accio Data, Dripping Springs, Texas, a background screening platform provider for consumer reporting agencies, announced it completed the SOC 2 Type 2 audit for its flagship Accio Enterprise platform. Conducted by Holtzman Partners. Read more about Accio Data SOC 2 Type 2 audit.
In August, Employment Screening Resources®, Novato, California, a global background check provider, completed its SOC 2 Type 2 accreditation. Read more about Employment Screening Resources’ SOC 2 Type 2 audit.
In August, AQuity Solutions, Cary, North Carolina, a clinical documentation service for healthcare provider clients, announced the completion of SOC 2 Type I Audit examination. Read more about AQuity Solutions SOC 2 Type I audit.
In August, Aithent, New York City, New York, a cloud solutions company, completed the SOC 2 Type 2 audit. Read more about Aithent SOC 2 Type 2 certification.
In August, SWORD Health, New York City, New York, digital musculoskeletal care provider, completed its SOC 2 Type 2 examination with zero exceptions. Read more about SWORD Health’s SOC 2 Type 2 audit.
In August, Randstad RiseSmart, San Jose, California, outplacement and talent mobility provider, completed its SOC 2 Type I examination. Read more about Randstad RiseSmart’s SOC 2 Type 2 audit.

FedRAMP Certification

The Federal Risk and Authorization Management Program (FedRAMP), is a government program that determines if the cloud products and services offered by cloud service providers are secure enough to be used by federal agencies.

In August, Zscaler, Inc., San Jose, California, provider of cloud security, achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status at the High Impact level. Learn more about Zscaler’s FedRAMP Certification.
In August, Slack, San Francisco, California, a business communication platform, completed its FedRAMP Moderate certification. Learn more about Slacks FedRAMP Certification.
In August, IronNet Cybersecurity, Mclean, Virginia, Collective Defense and network detection and response provider, announced it has been approved as FedRAMP Ready. Learn more about IronNet’s FedRAMP certification.
In August, Geotab, IoT and connected transportation service provider, achieved full FedRAMP authorization for its cloud-based telematics platform. Read more about Geotab’s FedRAMP certification.

HIPAA Compliance

Compliance with the Federal Health Insurance Portability and Accountability Act (HIPAA) ensures that health care organizations protect the privacy, security, and integrity of protected health information.

In August, SOCi, San Diego, California, all-in-one platform for “next-level” multi-location marketers, announced that it has successfully met HIPAA compliance standards. Read more about SOCi’s HIPAA certification.
In August, Catalytic, Chicago, Illinois, a no-code cloud platform for efficient and digitized operations, announced it completed its HIPAA Type 1 compliance examinations. Read more about Catalytic’s HIPAA certification.
In August, C2 Computer Services, Coral Springs, Florida, a managed services and security provider, announced it has achieved HIPAA compliance. Read more about C2 Computer Services’ HIPAA certification.
In August, Medallia, San Francisco, California, experience management provider, announced it achieved HIPAA compliance. Read more about Medallia’s HIPAA certification.
- In August, CoreSite Realty Corporation, Denver, Colorado, a provider of secure, reliable, high-performance data center, cloud, and interconnection solutions, announced it achieved HIPAA compliance. Read more about CoreSite Corporations HIPAA certification.

PCI Audit Interview Questions

ZenGRC Team · July 9, 2020 ·

The Payment Card Industry Data Security Standards (PCI DSS) defines the framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and enables organizations to assess how well they are protecting cardholder data, training staff, and conducting PCI DSS audits.

PCI compliance and accepting credit cards go hand in hand. PCI DSS is a good baseline for any cybersecurity and information security program, regardless if they take credit cards. The PCI security standards council bases PCI DSS compliance on industry best practices and enables Qualified Security Assessors (QSA) to grant organizations PCI compliant status.

Most wonder, what does a typical PCI auditor interview look like? If you are choosing someone who holds the power to grant compliance, it is important to know more about them.

What kinds of questions should you ask your soon to be QSA before the audit starts?

Questions to ask your PCI auditor

Qualifications

What level of qualifications does the QSA auditor have? A PCI auditor should have a background in information technology and experience in auditing. Becoming a QSA does not mean that the candidate has a strong technology background. Someone with a good technology background will be better suited for offering sound advice on how to improve upon the program they are evaluating.

Look for a QSA that understands the impact that phishing and malware have on IT security.

What experience do you have in the industry?

The auditor should also know the industry of the company they are auditing. There are subtle differences for example between manufacturing, e-commerce, and energy companies.

An auditor with previous auditing experience in an industry is more likely to complete an audit quickly as they have “seen it before.” They need to understand the security controls that matter and the best way to determine that is with experience.

What is the delivery methodology of the QSA?

PCI assessors bring their own unique blend of methods to perform an audit. Firms should be more than happy to walk through the way they perform an audit. Some need a great deal of access to people, processes, and technology. Look for the best blend of hands-on and hands-off to fit your unique business requirements.

Will security improve after the audit?

The whole point of an audit is to assess the information security environment and to look for areas of compliance and improvement.

What sets a good QSA apart from the rest is one that will provide remediation steps to areas that they find are not meeting requirements.

Some PCI auditors simply point out that they discovered an area of non-compliance and that it needs to be remedied, but not how to remedy the problem and how to make the overall cybersecurity footprint better. It is important to look at a sample anonymous PCI audit from your assessor to validate it contains instructions for remediation.

Who will perform the assessment?

It is common practice for organizations to bring the “A” team for initial sales calls. Often, once the customers sign the contract and the audit commences, a different team shows up.

Organizations need to make sure they meet the team and evaluate skill sets before they sign the contract. Make sure you have a good understanding of the PCI firm’s background as well as the individual QSA that will assess the organization.

Are assessments all that the firm does?

Many QSA firms have other parts of their business focused on security. Whether the firm is selling products or other services, beware of the cross-and-upsell. Organizations look for opportunities to “land and expand” with current and future customers. Make sure you are prepared for the inevitable upsell or instead, focus on a firm that only scopes for the PCI audit.

What references does the auditor have?

Make sure that the PCI auditor has a plethora of references in your industry or a related industry. Check for rankings and testimonials on the auditor’s website and also ask to speak with a past customer to get a firsthand account of the end-user experience.

Be wary of organizations that have a minimal online presence or few QSAs on staff. The auditor should be a good match for the size and scale of the organization they will assess.

Read more about resources for PCI audit requirements and what’s on a PCI DSS audit checklist.

May 2020: Compliance Certification Roundup

ZenGRC Team · May 25, 2020 ·

Beginning this month, ZenGRC will highlight companies that have earned compliance certifications for information security frameworks. Here’s our May 2020 roundup of compliance news from around the United States, and around the world.

PCI Certification Roundup

On April 29, GreenBox POS, San Diego, completed an audit of its technology infrastructure resulting in PCI Level 1 Compliance Certification. The company builds customizable, Blockchain-based payment solutions. Read more.
In late March, Semafone, Boston, announced it achieved PCI DSS certification for its omnichannel digital payments solution, Cardprotect Relay+. Read more.
Also in late March, multilingual outsourcing firm Open Access BPO, Manila, Philippines achieved PCI DSS certification for its transaction safety and security protocols and infrastructure. Read more.
In late February, Instaclustr, Redwood City, California, achieved PCI DSS certification across its managed Apache Cassandra and Apache Kafka services running in AWS. Read more.

ISO Certification Roundup

ISO standards concern many industries. The three primary ISO standards that help organize compliance for companies looking to create IT programs: IT, ISO 27001, ISO 31000, and ISO 9001.

In April, xMatters, San Ramon, California, achieved ISO 27001 certification with zero nonconformities for its Digital Services Availability Platform. Read more.
In April, Intuiface, Chicago, received its ISO 27001 certification. The company says it’s the first digital signage company to comply with the standards. Read more.
In April, Pakistan Gas Port Consortium Limited, Lahore, Pakistan, which owns and runs Pakistan’s single largest LNG storage and regasification terminal, has received ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 certifications for its compliance to global standards for management system standards in LNG, transfer, storage, regasification and RLNG delivery and safety. Read more.
In April, Medullan, Boston, a digital medicine & digital health consultancy, has attained a renewed ISO 27001/27018 certification for information security management accreditation. Read more.
In April, the National Identity Management Commission (NIMC), Abuja, Nigeria, passed the ISO/IEC 27001:2013 re-certification audit. Read more.
In April, the Securities and Exchange Commission of Pakistan (SECP), Islamabad, successfully completed the phase 1 scope and audit of security standard certification ISO/IEC 27001:2013 for its Information Security Management System (ISMS). Read more.
In April, Provar, a test automation platform for Salesforce worldwide, today announced it has achieved ISO/IEC 27001:2013 certification, the global standard for information security management. Read more.
In April, logistics tracking technology company Position Imaging, Stratham, New Hampshire, earned its certified ISO/IEC 27001:2013 certification. Position Imaging’s certification was issued by A-LIGN, an independent and accredited auditor. Read more.
In April, Conga, Broomfield, Colorado, earned certifications for ISO 27001 and ISO 27701, among others. Coalfire Controls, LLC, performed the assurance activities. Read more.

SOC 2 Certification

In April, Sisu, San Francisco, achieved its SOC 2 Type II certification, with independent attestation from Linford. Sisu is also HIPAA compliant and certified accordingly under the Privacy Shield Framework. The company runs a diagnostic platform for enterprise data. Read more.
In April, ZL Technologies, Milpitas, California, earned its SOC 2 Type II compliance certification. The company builds cloud solutions and hybrid information management tools. Read more.
In April, Thycotic, Washington, D.C., which makes privileged access management (PAM) solutions, completed its SOC 2 Type 2 certification for its flagship product Secret Server Cloud, as well as its Privilege Manager Cloud, Privilege Behavioral Analytics, Account Lifecycle Manager, and DevOps Secrets Vault. Read more.
In April, Anitian, Portland, Oregon, completed its SOC 2 Type 2 audit for its Cloud Security Platform’s 24×7 SecOps and Managed Detection and Response services. Read more.
In April, INKY Technology Corporation, College Park, Maryland, announced the completion of the Service Organization Control (SOC) 2 Type I audit of the company’s internal controls and systems. Deloitte conducted INKY’s audit. Read more.
In April, Securly, San Jose, California, completed its SOC 2 Type 1 Audit Certification. Securly builds student safety and device management solutions for K-12 districts. Read more.
In April, INVISR, New York, announced the successful completion of its 2020 SOC 2 Type 1 examination. INVISR is a product development and consulting company that created Polystack, a low-code application development platform.
In April, Actionable Science, San Ramon, California, announced its successful completion of the Service Organization Control (SOC) 2 compliance audit. The company provides enterprise-grade conversational AI Virtual Assistants for auto-resolution of enterprise service desk issues. Read more.
In April, T-REX, New York, completed a SOC 2 Type 2 examination of its proprietary cloud-based data and analytics systems. T-REX has achieved SOC 2 Type 2 compliance since December 2016. Read more.
In April, Tempus Resource, Cleveland, earned its SOC 2 Type 2 certification. The company says it’s the first and only resource portfolio management RPM platform to achieve the distinction. Read more.
In March, Showpad, with US headquarters in Chicago, announced it’s a SOC 2 Type 2 accredited company. Showpad is also an ISO/IEC 27001:2013 certified company. Read more.
In March, Devolutions, Montreal, completed its SOC 2 Type 2 examination. The company creates solutions for remote desktop management, password management, and privileged access management. Read more.

FedRAMP Certification

In April, Blackboard, Reston, Virginia, the educational technology platform, earned a FedRAMP Moderate designation from the U.S. federal government for its Blackboard Learn SaaS. Blackboard says this authorization makes Blackboard one of the only commercial off-the-shelf SaaS providers authorized in AWS GovCloud (US) as an Educational LMS. Read more.
In April, Dynatrace, Waltham, Massachusetts, announced it’s “In Process” to attain FedRAMP certification at a moderate impact level. Dynatrace is a software-intelligence monitoring platform. Read more.
In April, Palo Alto Networks, Santa Clara, California, achieved the designation of “In Process” for FedRAMP for its Prisma Access, which is a secure access service edge (SASE) that delivers protection to mobile users and remote offices. Read more.
In April, Oracle, Redwood Shores, California, announced its Oracle Cloud Infrastructure-Government Cloud has achieved FedRAMP High Authorization. Now, Oracle Cloud can provide government customers with the stringent standards of security necessary to protect the federal government’s data. Read more.

NIST

The National Institute of Standards and Technology (NIST) is a non-regulatory government group under the Department of Commerce. NIST creates standards to inspire U.S.-based organizations to be more competitive in the science and technology industry. Cybersecurity in the U.S. is heavily influenced by the NIST framework and special publications.

In April, StackRox, Mountain View, California, announced the StackRox Kubernetes Security Platform now supports continuous compliance checks for container-relevant controls in NIST 800-53. Read more.

What are the PCI DSS Security Audit Procedures?

ZenGRC Team · April 16, 2020 ·

The Payment Card Industry Data Security Standard (PCI DSS) represents an information security standard designed for organizations that store, process, or transmit credit cards and are exposed to cardholder data. The card brands themselves have advocated for the PCI standard which is administered by the Payment Card Industry Security Standards Council (PCI SSC). Given organizations are interested in compliance, many ask the question “what are the PCI DSS Security Audit Procedures”?

The PCI DSS Audit Procedures are designed for use by a qualified security assessor (QSA) conducting an audit on merchants or service providers that are required to validate compliance with the PCI data security standard. The payment card industry has outlined the requirements in the data security standard which outlines how to obtain PCI compliance. In addition to the PCI DSS, there is also the Payment Application Data Security Standard (PA-DSS). This is the standard to which all PCI-approved payment applications are assessed. Payment applications must adhere to specific security requirements including:

Applications must not store full magnetic stripe or card data.
Applications that require the disabling of other security countermeasures like antivirus or firewalls are not PCI DSS or PA-DSS compliant.
Vendors that are able to use unsecured methods to connect to payment card applications are not PCI DSS or PA-DSS compliant.

PA-DSS goes hand in hand with PCI DSS requirements but has a more focused scope on applications. PA-DSS does not evaluate the operating system that the application runs on, nor does it examine the database for security countermeasures. Back office systems are also immune to the purview of data security standards. Where PA-DSS does apply is as follows:

All payment card application functionality,
The guidance that the payment card application provides customers and potential customers,
Selected platforms and application versions,
Tools used by or within the application.

When a QSA is conducting the PCI DSS Security Audit, they must prepare a report that will later prove the validation of their findings. The PCI Security Standards Council has given the QSA a sample report which outlines all components of the audit procedures that merchants or service providers can leverage as an audit plan template before an audit. The report is broken down into the following sections:

Description of scope of the review (what is being assessed).
The Executive Summary (The high level about the environment, applications, systems, and people).
Findings and Observations (What did the auditor find and observe in the audit).
Contact information and report date (Who was interviewed and when was the report finished).

The security audit procedures include a checklist created by the PCI Security Standards Council. The checklist includes columns that capture the requirement, testing procedures if the control is in place, not in place, target date, and comments.

Retrieved from https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_security_audit_procedures_v1-1.pdf

PCI DSS compliance was designed to protect credit cardholders and credit card data. The standard represents solid information security practices, encourages security policy, and encompasses both traditional business as well as e-commerce. Organizations are seeking a Report on Compliance (RoC) that proves they have a secure network. A great way to achieve compliance is by following several cybersecurity basics such as access controls, anti-virus software, vulnerability management, and conducting risk assessments, especially when interfacing with public networks. Penetration testing can help in pre-PCI audit scenarios where merchants and service providers want visibility into potential weak spots in the PCI network. The Self-Assessment Questionnaires (SAQs) are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance. Merchants are classified into levels based on the number of transactions processed in a given year.

The PCI DSS audit procedures assist the QSA in performing the specific audit testing steps while providing guidance for merchants and service providers on how they will be assessed.

Understanding the Consequences of Failing PCI Compliance

ZenGRC Team · March 10, 2020 ·

The Payment Card Industry Data Security Standard (PCI DSS) does a great job of outlining how an organization should go about protecting cardholder data. Most organizations take the best practices from the PCI council and implement a strong information security strategy bent on enforcing PCI standards, compliance requirements, and vulnerability management.

What happens when an organization doesn’t follow the rules as they should or they suffer a data breach because of negligence?

The organization loses credibility and suffers a reputational loss, which has an unmeasurable impact on the bottom line.
The organization may no longer accept credit cards, significantly impacting its ability to sell products and services.
The organization may have to pay fines, strengthen its information security, and have an independent assessment performed by a qualified security assessor (QSA). Note that a QSA-performed assessment is required for all level 1 merchants, regardless of compliance.

Reputation

The inability to stay PCI DSS compliant may have far-reaching consequences when it comes to business brand value. The old adage comes to mind where when something good happens, people typically tell a friend, but when something bad happens, they tell everyone they know. There is nothing like a data breach that exposes credit card information to truly impact a business’s image and reputation.

Take, for instance, the Target breach. Excessive permissions granted to a third party impacted the network and allowed for the theft of countless customers’ cardholder data. Large organizations typically have cybersecurity insurance to help mitigate the cost of a data breach, but it does little to repair the damage done to the masses impacted by the theft.

While Target would have been required to pay more fines without cybersecurity insurance, the impact on the brand was immeasurable. Stock prices fell for an extended length of time and customers visiting stores dropped significantly. Failure to comply with PCI DSS or a data breach has long-lasting negative brand implications.

Loss of ability to accept credit cards

Imagine how many transactions are conducted using cash or check. Now, think about how many card transactions leverage Visa, Mastercard, American Express, Discover, or JCB. Picture how commerce has become dependent on card payments and the impact of losing the ability to accept them because of a failed PCI compliance assessment or data breach.

The inability to accept payment cards would be a major inconvenience for a brick and mortar organization. If an organization survives on e-commerce, losing the ability to accept credit cards can, in essence, put them out of business. It is easy to see why being PCI compliant is such a necessity for businesses of all types.

Fines, Infrastructure, and Audit

The most potentially damaging effect of failing PCI compliance is the fines. Fines can range anywhere from $5,000 to $100,000 per month until compliance is obtained. Fines might be scary, but not as scary as the many noncompliant organizations that are missing key infrastructure, information security, and vulnerability management capabilities.

The remediation cost ranges depending on how far behind the organization has fallen on following PCI DSS. Rounding out fines and additional infrastructure is the QSA audit itself. The price of having a QSA evaluate an organization ranges, but can cost upwards of $100,000.

PCI DSS provides all the direction an organization will need to obtain and maintain PCI compliance. Failure to follow the standards outlined by PCI can quickly earn an organization the status of non-compliance. Organizations that are non-complaint will experience fines, loss of market share, and need ongoing audits to prove compliance.

It is critical for any business that accepts, transmits, or stores credit card data to follow PCI requirements. A sound information security program is a good start, as well as a robust vulnerability management program. PCI compliance is all about protecting cardholders, cardholder data, and preventing data breaches. Organizations that choose to ignore requirements when it comes to accepting payment cards will quickly find themselves a cash-based business or out of business entirely.