The amount of sensitive data that organizations gather and store increases daily, and it needs to be protected in order to comply with federal data privacy laws. In general, these standards regulate how sensitive data gets collected and ensure its security.
What is PCI compliance?
Some data privacy laws are pretty broad in terms of the information they protect. The Payment Card Industry Data Security Standard (PCI DSS) is more specific, protecting sensitive data that’s processed, stored, and transmitted during a payment card transaction. Whether that’s paying for groceries via card reader or bills through an online portal, any entity that processes payment cards must be PCI-compliant.
Why the law exists
In 2006, as online payment processing systems became increasingly popular, the five largest credit card companies — Visa, MasterCard, Discover, American Express, and JCB International — formed a council and created the PCI DSS to help prevent costly data breaches of sensitive financial information. Essentially, the PCI DSS mandates that any organization allowing card payments must safely and securely accept, store, process, and transmit cardholder data.
How to be PCI-compliant: 12 requirements to know
In order for organizations to be PCI-compliant, they must meet the PCI DSS’s definition of “safely and securely,” which involves implementing these 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Create original passwords for systems and do not use vendor-supplied defaults.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Install, use, and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict cardholder data access to a need-to-know basis only.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to cardholder data and networks.
- Scan and test security systems and processes regularly to check for vulnerabilities.
- Maintain a policy that addresses information security for all personnel.
Consequences of noncompliance
In addition to putting your organization at risk for data breaches, which are costly, failing to comply with the PCI DSS can result in fees from the PCI Security Standards Council ranging between $5,000 and $100,000 a month, or incident-specific fines costing as much as $500,000 per incident. You also face losing the ability to continue processing payments, which could substantially impact business.
Protecting sensitive financial data in higher education
Universities and higher education institutions are more vulnerable to potential cyberattacks because of the sensitive data they possess related to students and faculty. In addition to payment card data collected from on-campus vendors and online payment portals, educational institutions gather and store highly personal information like health and academic records. Not only must they maintain PCI compliance, but they must also comply with other student privacy regulations like HIPAA, which protects students’ health information, including anything relating to one’s physical or mental health, medical conditions, and demographic data, and FERPA, which protects student academic records.
The need for accurate data discovery
Remaining compliant boils down to implementing and maintaining security measures that keep existing and future data safe. But without knowing where all your existing data resides, how can it be confidently protected?
That’s where data discovery can help. An accurate data discovery tool searches for sensitive data in every crevice of an organization’s digital infrastructure to provide clear visibility into what needs to be secured. Overlooking any sensitive data means that it could go unprotected, putting you at risk for noncompliance and data breaches.
Maintain PCI compliance with Spirion’s data discovery tool
With the sheer amount and variety of sensitive data collected every day, you need a data discovery solution that enables you to comply with all privacy laws pertaining to what you collect.
Spirion’s Sensitive Data Platform automates data discovery, classification, and remediation. Our discovery tool thoroughly combs through locations in the cloud or on-premises—such as PDFs, images, databases, employee laptops, and more—in search of sensitive data. Whether that data is structured or unstructured, our tool can discover it, so you remain compliant with privacy standards like PCI DSS. To see our platform in action, watch a free demo here.