PCI scans are one vital way of achieving PCI Compliance.
Their ability to provide insightful, actionable reports that expose vulnerabilities in your IT systems helps ensure your business is protected from data theft.
Electronic payments have evolved and grown considerably over the last decade, enabling businesses to scale and customers to benefit from an improved user experience. But with technology comes an increased risk of data theft, and frequent headline-grabbing news stories drive home the importance of protecting your business and your customers from cyber-attacks.
In the event of a data breach, best practice would be to demonstrate that you have been carrying out PCI scans and have taken the necessary steps to protect cardholder data. However, as PCI-DSS is a standard and not a legal requirement, many businesses choose to ignore this area of compliance until it’s too late. The result can be hefty fines that cripple businesses and damage brand reputations and customer confidence. So, here is the low-down on the ins and outs of PCI-DSS Compliance and how Zuri Technologies can help you protect your business.
What type of business is affected by PCI Compliance?
Any organisation that transmits, processes and stores cardholder data is affected by PCI Compliance. You could be a bank, an e-commerce business or any type of service business whose work involves debit or credit card transactions.
What is PCI Compliance?
The Payment Card Industry (PCI) is made up of the major credit card companies, who formed the PCI Security Standards Council (PCI SSC) and the PCI Data Security Standard (PCI-DSS). In short, this is a set of standards set up by the council of major payment card issuers to help businesses process card payments securely. By enforcing strict rules around the storage, transmission and processing of cardholder data, the aim is to protect cardholder data from misuse or theft. If organisations don’t follow these security standards, there can be serious financial repercussions in the event of data being compromised where there is no evidence of reasonable steps taken to mitigate data theft.
What are the requirements of the PCI-DSS?
The main requirements of the PCI-DSS are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control
- Monitor and test networks regularly
- Maintain an information security policy
You can find more information here from the IT Governance website.
What is a PCI scan?
PCI scans are vulnerability scans designed to find weaknesses in your infrastructure that could potentially be exploited by hackers. They’re carried out by Approved Scanning Vendors (ASVs) that the Payment Card Industry (PCI) officially recognises. The frequency of scans can vary depending on many factors, but once every 90 days is usual.
What’s involved in a PCI scan?
There are 6 stages a business must go through when it comes to PCI scans by ASVs to reach PCI Compliance and best practice. Your ASV will be able to go through these with you, and the process would look something like this.
Scoping: We can work with you to scope the project and assess both the internal and external parts of your system that can be accessed from the internet for vulnerabilities.
Scanning: This would be carried out by the Zuri Technologies ASV partner, Qualys.
Scan Reporting: From the scan, you would be able to find out whether you passed or failed. If you’ve failed, the report provides real insight into and visibility of existing vulnerabilities and how these issues can be solved.
Scan Dispute: This raises any problems relating to the scan that must be addressed in order to move forward with compliance.
Rescanning: Once any issues found in the first scan have been addressed, you can resubmit for approval.
Final Report: This is your proof that you have passed your PCI scan and may be seen as a positive step towards protecting customer data in the event of a breach.
PCI Compliance can seem like a daunting task, but failing to comply would put your business at greater risk. So, here are 3 compelling reasons why PCI Compliance should be part of your overall cyber security strategy:
1. PCI Scans provide proof you’re taking responsible steps to protect customer data.
Essentially, PCI scans help verify that you’ve attempted to mitigate opportunities for cyber criminals to access sensitive data through your IT systems. They should therefore form an essential part of your cybersecurity and compliance strategy. In the UK, PCI-DSS is not a legal requirement and neither are PCI scans. However, with both financial and personal credit card data at risk of being hacked, you would be in breach of the Data Protection Act if cardholder data was compromised. In the event of a data breach, the ICO (Information Commissioner’s Office) would always factor in whether the company was PCI-DSS compliant and whether it had carried out basic steps like PCI scans to protect cardholder data.
2. You risk incurring substantial fines
In the event your business suffers a breach and you are not PCI compliant, you risk facing hefty fines that could literally bring your business to its knees. Fines can range from a few thousand to hundreds of thousands. In addition, you may need to pay the costs associated with forensic investigations or remediation. If you’re a small business, this would be catastrophic.
3. The long-term effects of data theft could seriously damage your business.
Even if you manage to stay standing as a business, credit card companies may charge higher transaction fees or, in the worst case, revoke your right to process credit card transactions. Imagine not being able to take any payments by credit card. It goes without saying that this would be the death of your business. In addition, data fraud could damage your brand image and consumer confidence, and could result in lost business that you may or may not recover from.
How Zuri Technologies can help you achieve PCI Compliance
We work with approved security vendors who can help identify the vulnerabilities that currently exist in your payment process, as well as help you with any remediation that may be necessary. This helps you stay compliant year on year and offers you peace of mind, so you can concentrate on your core business activities. Contact us to see how we can help your business.