PCI Compliance: What is it good for?

by PCI Booking | March 3, 2020

The short answer:
Absolutely everything to do with secure transactions.

Having control over the movement of money is vital in a world where financial cybercrime is at record levels. The Federal Trade Commission (FTC) recorded 1.4 million consumer fraud reports with $1.48 billion lost in 2018 for U.S. consumers alone. And the situation is getting worse; Juniper Research predicts that global losses from online payment fraud will reach $48 billion by 2023.

If you are in the business of handling financial transactions, be it from a merchant perspective, intermediary or a financial institution, you will have heard about PCI-DSS compliance. But what is PCI-compliance about and what can you do to meet the standard’s requirements?

What is PCI-DSS Compliance About?

The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the Security Standards Council (SSC). The SSC is made up of Mastercard, Visa, Discover, American Express and JCB. PCI-DSS is a global standard used to help maintain a safe environment for payment card data. If you are a business that deals with payments, you must demonstrate you comply with PCI-DSS.

Which types of organizations need to comply with PCI-DSS?

  • Merchants (of all sizes)
  • Financial Institutions
  • Payment Processors (both hardware and software-based)
  • Point-of-Sale (POS) Vendors

What data does PCI-DSS include?

The data that PCI-compliance includes is:

  • Cardholder data: e.g., cardholder name, expiration date, etc.
  • Sensitive Authentication Data: e.g., full track data, PIN

Fines for PCI-DSS non-compliance

Fines can be up to $500,000. The amount issued to an organization generally depends on company size and transaction volume. Non-compliance also carries other costs: customer compensation, sometimes in the form of credit monitoring and ID theft insurance, and the costs of a damaged reputation if you suffer a data breach.

Why PCI-DSS Compliance is Important

PCI-DSS compliance may seem like yet another regulation that you have to tick boxes to meet, but the ethos behind the standard is about much more. The process of becoming compliant is about understanding how you handle financial data, and PCI-DSS ensures that you look carefully at the measures you apply to secure that data. Perhaps one of the best ways to see why PCI compliance is so important is to look at examples where it would have prevented a major data breach.

Examples of Where PCI-Compliance Would Have Prevented a Breach

Equifax

In 2017, the credit reference agency Equifax suffered a major data breach. The personal and financial data of 147 million individuals was stolen. The company is dealing with a class action as well as fines and is likely to be fined up to $700m, with $425 million for customer losses. The breach exposed personal information as well as credit card details and Social Security Numbers. The cause of the breach was a vulnerability in a web component called Apache Struts, which effectively allowed the attackers to access any data held by Equifax.

Equifax was recently noted to be recruiting for a “Senior Director of PCI DSS Compliance”.

Capital One 

The Capital One breach of 2019 exposed the personal and financial data of 106 million people. Data losses included credit scores, credit limits, balances, and 80,000 linked bank account numbers. The likely cause was a vulnerability in an open source Web Application Firewall (WAF).

British Airways 

A hacking group called Magecart was behind the loss of credit card details and personal data of half a million customers. British Airways has subsequently been fined £183 million ($240 million) for the breach. 

How Tokenization Helps in PCI-DSS Compliance

In all of the data breaches discussed here, a method known as payment tokenization could have reduced the impact. Payment tokenization means you never have to store financial card data or other sensitive data; instead, you store irreversible tokens that represent that data.

Each token is typically associated with a single credit card and can be linked to that card during a transaction. The important part of the tokenization process, in terms of PCI-DSS compliance, is that if the tokens are exposed, for example during a data breach, they cannot be reversed to reveal any financial card data.

Typically, data such as the PAN or credit card numbers are tokenized. But tokenization can potentially be applied to any type of personal or financial data.

“Tokenization is not the same as encryption. Whereas encryption, with the right conditions, is reversible, tokenization can never be reversed – tokenization is an irreversible process.”

PCI-DSS recommends removing financial card data from your systems as a best practice. Using tokenization when you handle payments goes some way towards meeting the requirements of PCI-DSS compliance. Importantly, it also reduces the general impact of a data breach.
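To make the vault model concrete, here is a small Python sketch added for this article; it is example code, not PCI Booking's product, API or vault. The merchant hands the card number (PAN) to the vault once, keeps only an opaque token plus the last four digits for display, and the vault is the only component that can map a token back. The class and function names, the `tok_` prefix, the Luhn pre-check and the industry-standard test card numbers used in the comments are assumptions of the example.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used here only to reject malformed input
    before it reaches the vault. A passing checksum says nothing about whether
    the card exists; it just filters typos and garbage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever holds a PAN.

    Tokens come from a CSPRNG, so there is no key and no function that maps a
    token back to a PAN. The only way back is a lookup inside this vault, which
    is the property the article contrasts with encryption (reversible with the key).
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        # One token per PAN so a merchant can recognise a returning card
        # without ever comparing card numbers itself.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_urlsafe(24)   # random, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the PCI scope, performs this; the merchant
        application never calls it. Unknown tokens raise KeyError."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's own database keeps: a token and the last four digits."""
    token: str
    last4: str


def store_card(vault: TokenVault, pan: str) -> StoredCard:
    """Merchant-side flow: send the PAN to the vault once, keep only the token.
    If this database is dumped in a breach, the attacker holds tokens that
    cannot be turned back into card numbers without the vault."""
    return StoredCard(token=vault.tokenize(pan), last4=pan[-4:])


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number.
    vault = TokenVault()
    card = store_card(vault, "4111111111111111")
    print("merchant stores:", card)
    print("vault resolves :", vault.detokenize(card.token))
```

The design point is that the token is drawn at random rather than derived from the PAN, so there is no key whose theft would expose every card at once; the vault itself then becomes the single asset that must sit inside the PCI-DSS scope and be protected accordingly.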

Conclusion

A recent survey by Cisco into consumer privacy attitudes found that 32% of customers would move to another company if they were not happy with its data-sharing policies. PCI-DSS reduces the chances of a data breach and puts measures in place to protect data during its lifecycle, from sharing to storage. PCI-DSS benefits both businesses and customers. Providing a robustly secured payment system helps to build trust between your organization and your customers. This, in turn, offers you a competitive edge, because people choose businesses they can trust. Tokenization of data helps you achieve PCI compliance and reduces the costs and impact of a data breach.

Learn More About The Tokenization Solution

With PCI Booking’s tokenization services, your system never holds financial or personal sensitive data. When using the credit card tokenization or data tokenization services, you keep a token representing the data while the sensitive information is stored securely in the PCI Booking vault. So, if the worst happens and your organization is breached or a staff member permits access to your system (accidentally or not), there is no access to sensitive data as it is simply not there.
