What is PCI DSS Compliance?

PCI DSS lists specific steps to protect cardholder data. Whether shopping online or at a point-of-service system, your customers are trusting you with information that can lead to identity theft. PCI DSS compliance protects cardholder data so your customers can confidently purchase goods and services knowing that their identities will be protected.
How PCI DSS Compliance Can Avoid a Breach

Over the last few years, breaches at well-known stores have made the news. The Home Depot and TJX breaches put over 100 million consumer records at risk, rocking the consumer world. In the Home Depot case, malware entered through the point-of-sale systems. Meanwhile, TJX’s noncompliance with 9 out of 12 PCI DSS requirements led to its downfall. Immediately after its breach, Home Depot shares were down 2.7%.
How PCI DSS Compliance Drives Conversions

Customers don’t look up your PCI DSS audits, but they do pay attention when your name ends up in the news. Unless your company controls a target market, you want to drive conversions. More than 90% of total retail sales still come from traditional sales, but e-commerce expanded 8-12% in the first quarter of 2017, compared with 2.8% for brick-and-mortar. In 2016, only 11% of consumers used cash. Electronic payments, and the cardholder data accompanying them, are therefore the main source of sales. Staying competitive requires protecting customer information.
How PCI DSS Compliance Drives Conversions Using Approved Vendors

Using Square, accepting PayPal, or offering security verification at the time of sale allows customers to trust you because they trust your service provider.
Does Having an Approved Vendor Make Me PCI DSS Compliant?

PCI DSS compliance drives conversions because people trust brand names, but you can’t just trust the first answer that comes to you. Like when you do a math problem, you need to check your work. In this case, your “work” is your vendor management. Goal 5 of PCI DSS (“Regularly Monitor and Test Networks”) encompasses the ongoing monitoring of your vendors in Requirement 10 (“Track and monitor all access to network resources and cardholder data”) and Requirement 11 (“Regularly test security systems and processes”). Controlling your cardholder data environment to increase conversions requires focusing on Requirements 10.8 and 11.3.

Requirement 10.8 states:

Service providers must implement a process for timely detection and reporting of failures of critical security control systems. (Note: Requirement 10.8 is a best practice until 31 January 2018, after which it becomes a requirement.)

Requirement 11.3 states:

Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification. If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls. (Note: The additional requirement for service providers is a best practice until 31 January 2018, after which it becomes a requirement.)

Monitoring vendor risk strengthens your PCI DSS compliance.
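Requirement 10.8 asks for a process that notices when a critical security control stops working and reports it promptly. The script below is an added illustration of what the detection half of such a process can look like; it is not code from the original article or from any vendor or the PCI Security Standards Council. The control names, heartbeat intervals, grace factor and heartbeat records are constructed assumptions for the example. Each control is expected to emit a periodic heartbeat; a control is reported as failed when its latest heartbeat says so, when it has gone silent for longer than a few expected intervals, or when no heartbeat was ever received.

```python
"""Toy control-failure detector in the spirit of PCI DSS Requirement 10.8.

Added example: control names, intervals, grace factor and sample heartbeats
are constructed assumptions, not values from the article or any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed set of critical security controls and how often each is expected
# to report in. Real deployments would load this from configuration.
CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "log-collector": timedelta(minutes=15),
}


@dataclass
class Heartbeat:
    control: str
    timestamp: datetime
    status: str  # "ok" or "failed"


@dataclass
class Failure:
    control: str
    reason: str
    detected_at: datetime


def detect_failures(heartbeats, now, controls=CONTROLS, grace=2):
    """Return one Failure per control that is silent, missing, or reports failure.

    A control is considered silent when its newest heartbeat is older than
    `grace` times its expected reporting interval (grace is an assumed factor).
    """
    latest = {}
    for hb in heartbeats:
        if hb.control not in controls:
            continue  # only the defined critical controls are in scope here
        if hb.control not in latest or hb.timestamp > latest[hb.control].timestamp:
            latest[hb.control] = hb

    failures = []
    for name, interval in controls.items():
        hb = latest.get(name)
        if hb is None:
            failures.append(Failure(name, "no heartbeat ever received", now))
        elif hb.status != "ok":
            failures.append(Failure(name, f"control reported status '{hb.status}'", now))
        elif now - hb.timestamp > grace * interval:
            failures.append(Failure(name, f"last heartbeat {now - hb.timestamp} ago", now))
    return failures


def format_report(failures):
    """Render failures as lines suitable for a ticket or alert (reporting half of 10.8)."""
    return [f"{f.detected_at.isoformat()} {f.control}: {f.reason}" for f in failures]


# Constructed sample data: a fixed "now" and a handful of heartbeat records.
NOW = datetime(2017, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEARTBEATS = [
    Heartbeat("firewall", NOW - timedelta(minutes=2), "ok"),       # healthy
    Heartbeat("ids", NOW - timedelta(minutes=45), "failed"),       # old record
    Heartbeat("ids", NOW - timedelta(minutes=30), "ok"),           # newest, but silent since
    Heartbeat("fim", NOW - timedelta(minutes=10), "failed"),       # explicit failure
    Heartbeat("antivirus", NOW - timedelta(minutes=90), "ok"),     # within 2x 1h, healthy
    Heartbeat("unknown-agent", NOW, "ok"),                         # not a tracked control
    # no heartbeat at all for "log-collector"
]


def run_sample():
    """Evaluate the constructed sample against the constructed control set."""
    return detect_failures(SAMPLE_HEARTBEATS, NOW)


if __name__ == "__main__":
    for line in format_report(run_sample()):
        print(line)
```

The point a reviewer would check is that the detector keys on the newest heartbeat per control (the older "failed" record for ids must not mask the fact that the control has simply gone quiet) and that a control with no records at all is still reported, since a collector that never started is exactly the failure 10.8 is meant to surface.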