Introduction to the Payment Card Industry Data Security Standard (PCI DSS)
Many of the lenders we partner with often feel like there's a never-ending list of regulatory and compliance requirements to meet. However, if you're lending, you're most likely accepting borrower payments, and you need to be informed about the intricacies of PCI DSS, or the Payment Card Industry Data Security Standard.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements aimed at protecting credit card data wherever it is accepted, processed, stored, or transmitted. The standard was created and agreed upon by the major credit card companies, and those companies are responsible for ensuring compliance. Every organization that accepts, transmits, or stores American Express, Discover, JCB, MasterCard, or Visa card data is expected to comply with the mandates of the PCI DSS.
Why is PCI DSS important?
Unfortunately, fraud and security breaches are rampant. According to Experian, almost half of all organizations fell victim to a security breach in the last year. Protecting cardholders' information is the main goal of the PCI DSS. Recognizing consumers' need for greater security in credit card transactions, the major credit card companies established the PCI DSS to safeguard card users against having their information stolen or misused. The standard covers protection of stored data, encryption of transmitted data, and controls at every point in the payment process, including back-end storage and any use of cardholder data.
PCI DSS requirements
The PCI DSS outlines six goals and 12 specific steps that credit card handlers and processors must take to ensure the security of their account holders' card data.
Goal: Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords or other security parameters

Goal: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Goal: Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each individual with computer access
9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
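Requirements 3 and 10 are where application code most often goes wrong: the full card number (PAN) gets written to a database column or a log line. The example below is added here and is not code from the original post; it shows one common way to satisfy those two requirements in a payment-handling service: validate the PAN with the Luhn check, keep only the last four digits and a keyed hash (so transactions can still be matched to a card without storing the PAN), mask the PAN to first six and last four digits for display, and scrub any PAN that slips into a log line before it is written. The HMAC key, the sample card number and the log line are constructed for the example; a real deployment would hold the key in a key-management service or HSM and would typically use a tokenization service rather than a hash of its own.

```python
import hashlib
import hmac
import re

# Constructed for this example only. A production system keeps the key in a
# key-management service or HSM, never in source code or configuration files.
EXAMPLE_HMAC_KEY = b"example-key-not-for-production"

# Digits with optional single space or dash separators, 13 to 19 digits total.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def digits_only(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111111111111111' match."""
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by all major card brands; filters out numbers that merely look like PANs."""
    digits = [int(c) for c in digits_only(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3: when a PAN must be displayed, show at most the first six and last four digits."""
    digits = digits_only(pan)
    if len(digits) < 10:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storage_record(pan: str, key: bytes = EXAMPLE_HMAC_KEY) -> dict:
    """Requirement 3: render the PAN unreadable before it reaches storage.

    The record keeps only what the business needs: the last four digits for
    customer-facing reference, a masked form for operator screens, and a keyed
    hash (HMAC-SHA256) that lets the same card be recognised across
    transactions without the PAN itself ever being written.
    """
    digits = digits_only(pan)
    if not luhn_valid(digits):
        raise ValueError("invalid PAN")
    return {
        "last4": digits[-4:],
        "masked_pan": mask_pan(digits),
        "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest(),
    }


def redact_log_line(line: str) -> str:
    """Requirement 10: audit logs must record access, but must never contain a full PAN.

    Any digit run that passes the Luhn check is replaced by its masked form;
    other long numbers (order ids, timestamps) are left untouched.
    """
    def replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(replace, line)


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number and a log line containing it.
    sample_pan = "4111 1111 1111 1111"
    print(storage_record(sample_pan))
    print(redact_log_line("txn=42 card=4111 1111 1111 1111 amount=10.00"))
```

The Luhn check inside the log scrubber is what keeps it from mangling unrelated identifiers; without it, any 16-digit order number would be masked too. Note that the keyed hash is only as safe as the key: if the key leaks, the limited PAN space makes the hash reversible by brute force, which is why the standard expects strong key management around this kind of control.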
How the PCI DSS affects your financial institution
Since every company that accepts, transmits, or stores credit card data must comply with the PCI DSS, it is very likely that your financial institution is subject to it. Even if you use a third-party credit card processor, you must still comply and remain accountable for compliance. If your financial institution suffers a security breach and the Payment Card Industry Security Standards Council (PCI SSC, the governing body that enforces the PCI DSS) finds that your institution is in violation of any PCI DSS requirement, you may be subject to fines of $5,000 to $100,000 per month!
The rules and regulations that apply to financial institutions are indeed vast. I hope this summary of the PCI DSS has helped you understand what you must comply with and how.