
Cyber Liability and PCI DSS Compliance [Why it Matters]


Carl Niedbala, COO & Co-Founder, Founder Shield

Cybersecurity is arguably one of the most prominent concerns for businesses and customers alike. Companies must protect their patrons’ information to nurture an ongoing professional relationship and keep customers coming back. When that trust is broken, such as in a data breach, a company’s reputation can spiral downward rapidly—not to mention the cost of mitigating the damage. In this post, we dive into the details of what PCI DSS is, how cyber liability plays a role, and how to tell if you’re compliant.

What Is PCI DSS?

According to the Privacy Rights Clearinghouse, more than 8,500 data breaches have played out since 2005, compromising over 11 billion consumer records. In response to these stark numbers, five credit card companies joined forces in 2006 to develop the Payment Card Industry Security Standards Council (PCI SSC). These companies included Visa, Mastercard, American Express, Discover, and JCB. 

The PCI SSC aimed to regulate and manage security standards for businesses that handle credit card information. While each of the five companies already had its own, broadly similar requirements, the PCI SSC aligned them into a single standard policy. This baseline is known as the PCI Data Security Standard, or PCI DSS for short.

What Role Does Cyber Liability Play?

Keep in mind that PCI DSS isn’t law. Instead, it’s a blueprint to help protect consumers and banks operating on the web. However, companies that aren’t PCI DSS compliant face multiple exposures: damaged business relationships, fines and penalties, and so on. The reason is simple: when you accept, transmit, or store any credit card information, you run the risk of a data breach. Cybercriminals love to get their hands on loads of customer data, after all.

Data Breaches

What this means is that your business must treat cyber liability as a top priority. Beyond merely complying with PCI DSS requirements, cyber liability refers mostly to data breaches and recovering from them—which is where a cyber liability insurance policy can help you, too.

That said, cybercriminals are becoming more sophisticated with multi-tiered attacks, so experiencing a data breach is something that most companies will have to navigate. Unfortunately, nearly 30% of data breaches involve small businesses. Plus, 67% of the recovery costs following a data breach are incurred in the first year after the attack, which is often enough of a blow to shutter a business.

Consider this: cybercriminals can earn up to $2.2 million by stealing only ten credit cards per website through formjacking attacks. PCI DSS compliance works to prevent such losses—but how vulnerable are you?

Cyber Liability

For example, how do you store your customers’ data, such as credit card information? Some companies use a service provider or a gateway to stash away vital information. No matter how you store data, the mere act of collecting and using sensitive information makes you liable for it. 

Unfortunately, payment brands can fine an acquiring bank $5,000 to $100,000 for PCI compliance violations. Eventually, these fines trickle down to the merchant, aka your company. As a result, the PCI DSS created a baseline to help companies protect both their customers and the financial institutions involved in transactions. 

What Are the Requirements for PCI DSS Compliance?

PCI DSS compliance involves three main elements: handling credit card data, storing it securely, and completing a PCI validation form each year. However, the most current version, PCI DSS 3.2.1, consists of a 12-point requirement list with 300+ sub-requirements. The 12 main requirements are:

[Image: the 12 PCI DSS requirements. Source: PCI SSC Security Standards Guide]

Who Must Comply with PCI Data Security Standards?

PCI DSS applies to any business—regardless of its size—that collects, transmits, or stores any cardholder information. According to the PCI DSS Quick Reference Guide Order Form, “While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs.”

Nevertheless, if you handle any cardholder information, it’s best to know where you fit in concerning PCI DSS compliance. This matters because merchant levels exist, and they require companies to comply with an even more complex set of standards based on their operations. Here is an outline of the merchant levels:

[Image: PCI DSS merchant levels. Source: PCI Compliance Guide]

Is Your Business Compliant with PCI DSS?

Complying with PCI Data Security Standards is a chief goal when it comes to cyber liability. But reading through a 300-page document is no one’s idea of fun. In other words, compliance can be a confusing process. That said, here are a few simplified steps to take to become PCI DSS compliant:

  1. Figure out which parts of your systems and networks need to be PCI DSS compliant.
  2. Assess your system compliance by using PCI DSS testing requirements.
  3. Allow an assessor to complete the essential documentation, such as the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). 
  4. Complete the correct Attestation of Compliance (AOC).
  5. Submit the SAQ, ROC, AOC, and other documentation to the appropriate party.
  6. Address any non-compliant parts of your systems and networks, and then submit an updated report. 

To break it down even more, here are some details to consider when executing your step-by-step compliance plan.

Know Which Requirements Apply to Your Company

As mentioned above, different parts of PCI DSS apply to varying levels of business. Each organization must know exactly where it falls regarding compliance requirements. The PCI DSS Self-Assessment Questionnaire can help you determine categorization. Once you know your company’s PCI DSS “level,” you can move forward with compliance.

Create a Map of Your Data Systems 

It’s best to recruit your IT and security team for this portion: mapping out your systems and networks. Knowing how everything works together is a vital step in PCI DSS compliance. Leave no stone unturned, focusing on payment transactions first, moving on to how you handle cardholder information, and finally pinpointing any systems that touch payment transactions.

Ensure Security Configurations and Protocol 

This part is where the 12-point requirements (listed above) enter stage left. After your team maps your data systems effectively, it’s time to review all your security configurations and protocol. Again, due diligence will pay off significantly in terms of cyber liability and PCI DSS compliance. Be mindful of other regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

Make PCI Compliance an Ongoing Process

As you might have guessed, PCI DSS compliance isn’t a one-time deal. Instead, it’s an ongoing process as your business evolves and technology develops. It’s standard for card brands to require quarterly or annual reports to ensure compliance. Also, because compliance will typically require multi-departmental collaboration, it’s not a bad idea to establish a “PCI team.”

Understanding what coverages your company needs can be a confusing process. Founder Shield specializes in knowing the risks your business faces to make sure you have adequate protection. Feel free to reach out to us, and we’ll walk you through the process of finding the right policy for you. 


Want to know more about cyber liability insurance? Talk to us! You can contact us at info@foundershield.com or create an account to get started on a quote.
