Financial institutions are one of the most heavily regulated industries around, and for good reason. Access to the personal information and funds of their customers makes banks a popular target for hackers and a place where a cybersecurity breach can do serious damage.
With all the regulations a bank needs to obey, you may have overlooked the Payment Card Industry Data Security Standard or PCI DSS.
All parties that handle credit card data from one of the four major U.S. credit card brands (Visa, Mastercard, Discover, and American Express), as well as JCB International (an international payment brand based in Japan), are required to comply with PCI DSS requirements.
The PCI Security Standards Council maintains the PCI DSS. If your bank works with these companies (and most do), then you’ll need to meet the compliance standards that the council has put in place.
There are many benefits to PCI compliance for financial institutions. In addition to providing a solid foundation for credit card security, achieving compliance can also help you gain the confidence of your customers and give you an edge against your competitors.
The requirements are specifically designed to protect against security breaches, which means that your data is automatically more secure. The PCI DSS guidelines also overlap with many other security frameworks, giving you a head start if you need to achieve compliance in other areas.
What Is PCI DSS?
PCI DSS is a set of information security standards put in place to assure that organizations that accept, process, store, or transmit payment card information maintain secure environments to protect consumers and merchants.
Simply put, the PCI DSS standards apply to any organization that holds, processes, or passes cardholder information from any credit or debit card branded with the logo of any of the card brands.
Even if an organization processes just four credit card transactions a month, it must be PCI compliant. A company that uses a third-party payment processor must still comply with PCI standards.
Also, if an organization doesn’t store credit card data, but cardholder data does pass through its server, it must comply with PCI requirements.
The PCI Council offers information to financial institutions and other organizations about how to prevent and detect fraud and data loss and how they should react during data breaches.
Is PCI DSS a Legal Requirement for Banks?
No, PCI DSS is not required by law. Instead, PCI DSS compliance is required by the contracts that govern participation with the major payment card brands.
Financial institutions, including issuing banks and acquiring banks, as well as merchants and service providers that process transactions, enter into contracts with the five card brands that enable those financial firms to process credit card information.
Issuing banks are banks that offer credit cards to consumers. Acquiring banks are the financial institutions that hold merchants’ bank accounts, facilitate payment processing through the card processors, and deposit funds on behalf of the merchants.
If your organization falls under either of these categories, then PCI DSS compliance is a contractual obligation for your company.
Becoming a PCI Compliant Bank
The PCI DSS has 12 primary requirements for those wishing to prove compliance:
- Protect all cardholder data with a system of well-maintained firewalls.
- Change all passwords from any defaults to unique and secure options.
- Any stored cardholder data should be protected.
- Encrypt any cardholder data that is transmitted via open networks.
- Use antivirus software and make sure it is up-to-date.
- Make sure that your systems and applications are secure.
- Access to cardholder data should be permitted only on a need-to-know basis.
- Any staff members with access should be assigned a unique ID.
- Any physical access to cardholder data should be restricted.
- All staff access to network resources and cardholder data should be closely monitored.
- All security measures should be tested regularly.
- Your information security policies should be consistent and clear to all employees.
Within these 12 main requirements are 281 additional directives, which may or may not apply to you based on the size of your company and how many credit card transactions you process in a given year.
To become PCI DSS compliant, you first must determine which standards you need to meet. Then, assess your existing program to see where your data protection is sufficient and where you may need to make changes to meet the necessary security requirements.
Establishing and proving compliance with all of the appropriate standards can be a challenging and time-consuming process.
Fortunately, the PCI SSC provides organizations with the tools to implement the PCI data security standards, including PCI Self-Assessment Questionnaires (PCI SAQs), training and education, assessment and scanning qualifications, and product certification programs.
Should Banks Complete a PCI Assessment?
Yes. PCI assessments result in either a Report on Compliance (ROC), an Attestation of Compliance (AOC), or both. The merchant provides its ROC or AOC to its credit card acquirer annually to prove compliance with PCI requirements.
As with the assessment methods, the proof of compliance method is determined by the merchant level and the requirements of the specific card brand. Higher-level merchants may also need to provide quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV).
A PCI Self-Assessment Questionnaire (SAQ) is used by lower-level businesses (with fewer transactions) to self-assess their compliance.
There are multiple SAQs available, and the specific SAQ to use is determined by how customers perform credit card transactions (for example, card not present versus card present or fully outsourced authorizations versus partially outsourced authorizations).
If you work for a financial institution, you may have met some or all of the PCI DSS requirements based on previous compliance requirements or government audits. This head start is convenient, but you must ensure all PCI DSS standards are accounted for to prove compliance.
The bottom line is that if your bank issues credit cards on behalf of the major credit card companies, it must assure PCI DSS compliance.
Non-compliance could result in the loss of your privileges for both issuing and processing credit cards, as well as potential fines. Moreover, loss of your customers’ data due to a breach can result in loss of consumer confidence and lawsuits.
PCI Compliance Best Practices for Banks
The PCI Security Standards Council has a comprehensive list of resources to help you achieve and maintain compliance. Here’s a summary of the recommendations made in their “Best Practices for Maintaining PCI DSS Compliance” supplement:
Develop and Maintain a Sustainable Security Program
To maintain compliance, banks must first understand the principal goal of the PCI DSS: securing cardholder data.
Cardholder information and other consumer data should only be kept for as long as is required. Any cardholder data not necessary for business purposes should be deleted from the environment per the organization’s data retention policy.
Develop Program, Policy, and Procedures
A compliance program is a structured collection of policies, processes, and procedures inside an organization with assigned responsibilities to assure the business’s long-term compliance with applicable and essential standards and regulations.
A structured compliance program enables a company to monitor the health of its security measures, be proactive if one fails, and effectively communicate actions and compliance status throughout the company.
When developing a compliance program, it is critical to grasp the distinctions between the following concepts:
- A program usually contains strategic objectives, roles and duties, and a plan for achieving company goals.
- A policy often contains a declaration of management purpose or mandatory restrictions.
- A process/procedure often defines the step-by-step actions responsible staff must accomplish per the program and supporting rules.
Develop Performance Metrics to Measure Success
By defining a set of metrics that describe the performance of the installed security controls and compliance program, organizations should be able to quantify their capacity to sustain security practices and PCI DSS compliance.
Compliance managers may utilize metrics to illustrate the performance of security programs, distribute resources correctly, and show stakeholders the efficiency and return on security investment.
Metrics can be computed using a mix of security-status monitoring, security-control evaluation data, and data gathered from one or more security controls or technologies.
Assign Ownership for Coordinating Security Activities
Maintaining PCI DSS compliance demands a well-managed program that integrates security into the organization’s day-to-day operations. Centralizing multiple technologies, procedures, and people helps ongoing compliance. A person in charge of compliance should be:
- Assigned overall authority for these operations.
- Qualified to carry out such duties.
- Knowledgeable of the organization’s corporate structure and payment methods.
- Given sufficient funds and resources.
- Given the necessary power to manage and utilize such resources efficiently.
Emphasize Security and Risk Management to Attain and Maintain Compliance
PCI DSS establishes a minimal set of security criteria for payment card account data protection. PCI DSS measures may not be sufficient to fully mitigate the financial risks connected with various forms of sensitive data that enterprises may have and should not be regarded as a comprehensive checklist for addressing all security concerns.
A more robust strategy would be to focus on developing a security culture, protecting your organization’s IT infrastructure, and then allowing compliance to follow. Choosing security controls using a risk-based approach will enable businesses to adjust particular security measures to address varied degrees of operational risks.
Continuously Monitor Security Controls
The first stage in developing a continuous monitoring strategy is to create systems for conducting periodic audits of all relevant security measures. These procedures should:
- Be closely connected with the organization’s business and security objectives.
- Cover all facilities and sites included in the scope, including retail shops, data centers, and back-office locations.
- Ensure that PCI DSS standards are in place and functioning correctly.
- Ensure that workers continue to adhere to acceptable security practices.
- Consider any changes inside the company, the operational environment, and the technologies that have been adopted.
- Produce adequate documentation to demonstrate ongoing compliance with security standards.
Detect and Respond to Security Control Failures
Organizations must be able to detect security control failures during the control review or control monitoring procedures. It is also critical that businesses have mechanisms in place for responding to security control failures promptly and that those processes are tested regularly.
Maintain Security Awareness
Data breaches increasingly involve social-engineering tactics in addition to the exploitation of technological weaknesses.
While implementing security monitoring and access-management solutions allows the company to minimize its risk profile, it does not ensure that risk can be reduced to negligible levels. No security technology can offer this level of risk reduction.
This is where information security awareness training comes in. PCI DSS Requirement 12.6 specifies the requirement to develop a security awareness program, define communication methods, deliver such training upon hiring and at least yearly, and maintain effective security awareness communication channels.
Monitoring Compliance of Third-Party Service Providers
Third-Party Service Providers (TPSPs) are frequently in charge of implementing and maintaining the security measures necessary to comply with PCI DSS. Entities and their TPSPs must have a clear understanding of their respective roles and duties in order to comply with the applicable PCI DSS criteria.
Monitoring TPSP compliance status is an essential part of ensuring compliance because it allows the entity to assess if a change in status necessitates a change in the relationship.
Evolve the Compliance Program to Address Changes
Continuous compliance demands concentrated effort and collaboration. Organizations used to a point-in-time approach to PCI DSS compliance may struggle to nurture security across their people, processes, and technology as needed to ensure long-term compliance.
Compliance Managers should devote resources to monitoring and effectively communicating to all impacted parties newly detected risks, organizational structure changes, and industry developments that may influence the organization’s PCI DSS compliance activities.
Failure to assess how such changes affect the organization’s risk environment and PCI DSS scope may expose critical business processes to disruption or non-compliance.
ZenGRC Helps Organizations Manage Their Compliance
If you need to prove PCI DSS compliance, you’ll need the right tools. Spreadsheets and other outdated risk management methods can lead to confusion, redundancies, and dangerous gaps in your data security controls.
Whether performing a self-assessment or preparing for an audit, ZenGRC is a software platform designed to make compliance more straightforward than ever before. By centralizing your information and automating assignments and requests, ZenGRC can streamline your compliance process and ensure no detail is left to chance.
Schedule a demo today and learn how ZenGRC can help you enhance your vulnerability management program and keep your customers’ data secure.