Remember that massive data breach Target fell victim to in 2013, the one that compromised more than 40 million of the company’s credit card account holders and prompted an $18.5 million multi-state settlement last year? You can’t blame Target’s own security platform for that doozy. Hackers went elsewhere to access credentials: one of Target’s third-party vendors, an HVAC provider whose system was not Payment Card Industry (PCI) compliant.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) refers to payment security standards that ensure all sellers safely and securely accept, store, process, and transmit customers’ credit card information during a credit card transaction. Any merchant with a merchant ID that accepts payment cards must follow these PCI-compliance regulations to protect against data breaches. And it’s not just merchants: if you operate an agency that assists with booking engines, hosting or any type of customer reservations, chances are you also need to comply with PCI DSS.
Many organizations cram for yearly PCI evaluations instead of adopting long-term compliance policies. This can involve shoring up some PCI security policies right before an evaluation, then letting those protections slide for the rest of the year. But all of that changed on February 1, 2018, which marked the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing and better responding to cyber attacks that result in payment data breaches. The new policy aims to make security an everyday priority, not just a once-a-year exercise, with new requirements such as:
- Requiring the use of multi-factor authentication for administrators accessing the cardholder data environment
- Additional security validation steps requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.
According to Verizon’s 2017 PCI DSS Compliance Report, 80% of organizations are still not compliant. And of those that do pass compliance validation, only 29% are still compliant a year later. With PCI DSS 3.2 already live, you simply cannot afford to be behind in your security practices. A failure to comply with PCI standards could put your business at risk for data breaches, fines, card replacement costs, costly forensic audits, reputation damage, and more if a breach occurs.