Credit Unions Have Unique Road to PCI DSS Compliance
You often hear about companies having their data compromised by malicious individuals or organizations, but not all companies are affected in the same way. Because a credit union may be both a merchant and a service provider, a credit card data breach can affect it differently than it would other businesses.
Like all businesses, credit unions must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is complex and the journey to reach it can be confusing. The following tips can help credit unions navigate the standard and succeed at compliance.
Where to start
Experience has shown that there are some clear, focused steps you can take to begin your journey to PCI DSS compliance. Yes, a journey. PCI DSS compliance is not a “checklist” to be completed but a set of security processes and practices that should become part of your credit union’s security framework and day-to-day operations.
- Understand how PCI DSS applies to your credit union. Merchants and service providers have unique requirements, and in some cases both sets of requirements apply to credit unions, depending on how you interact with the credit card/payment process. Start by getting to know your merchant and/or service provider level. For example, many credit unions are both a merchant, because they allow cash withdrawals from credit cards at the teller line or accept loan payments by credit card, AND a service provider, because they store their members' credit card information electronically in their systems.
- Read the PCI DSS and the testing procedures to gain insight and understanding of the expectations and intent of the requirements. Depending on your merchant or service provider level, there are different reporting requirements that impact how many items in the standard apply.
- Define and document the business processes and technologies that are used to process credit card payments or transactions, including the path that card data travels through your network.
- Identify the vendors you partner with in the payment process and validate that they are also PCI DSS compliant. Many credit unions believe that because they outsource the credit card process to a business partner who claims to be compliant, they do not need to worry about PCI compliance. This is NOT a valid assumption: credit unions remain responsible for confirming their own PCI DSS compliance.
- Bring your policies and procedures up to PCI DSS standards. There are many specific documentation requirements and this is a key step in achieving compliance.
- Understand your options for reducing the scope of PCI DSS, such as network segmentation, tokenization, or outsourcing.
Successful PCI compliance
Successful compliance is based on the following core tenets:
- Minimize the attack surface of your card data footprint.
- Apply standards-based controls as defined by the PCI DSS. Controls should be part of day-to-day operations and they need to be diligently followed, with a rigorous exception management process in place.
- Monitor your card data environment closely for changes to systems and suspicious activity.
- Test your card data environment. External and internal penetration testing must occur annually or after significant changes. External and internal vulnerability scanning and wireless testing must occur at least quarterly. Most credit unions already do some or most of this to satisfy the National Credit Union Administration and Federal Financial Institutions Examination Council requirements. Be smart about this testing so that you are not duplicating efforts.
- Engage an expert to help you through the process. This is not a task to hand off to your IT staff to just figure out on its own.
Get help if you need it
Understanding the lengthy PCI DSS compliance requirements is a daunting task at best. It is a huge benefit to have a friendly “translator” on this journey who can understand the language of the standard and guide you through the process. Look for Qualified Security Assessor (QSA) companies, which are organizations that have been qualified by the PCI Security Council to have their employees assess compliance with the standard.
Qualified Security Assessors are employees of these organizations who have been certified by the council to validate an entity’s adherence to the PCI DSS. QSAs know the standard and can assist in determining how your organization stacks up and how to close any gaps. A QSA can also determine if your approach or solution meets the requirements defined by PCI DSS.
Yes, the move to PCI DSS compliance will be a journey, but you can get there, one swipe at a time.