Financial institutions are one of the most heavily regulated industries around, and for good reason. Access to the personal information and funds of their customers makes banks a popular target with hackers, and a dangerous location for a cybersecurity breach.
With all of the regulations a bank needs to obey, it’s possible you may have overlooked the Payment Card Industry Data Security Standard, or PCI DSS.
All parties that handle credit card data from one of the four major U.S. credit card brands (Visa, Mastercard, Discover, and American Express) as well as JCB International (an international payment brand based in Japan), are required to comply with PCI DSS requirements. The PCI DSS is maintained by the PCI Security Standards Council. If your bank works with these companies (and most do) then you’ll need to meet the compliance standards that the council has put in place.
There are many benefits to PCI compliance for financial institutions. In addition to providing a strong foundation for credit card security, achieving compliance can also help you gain the confidence of your customers and give you an edge against your competitors. The requirements are specifically designed to protect against security breaches, which means that your data is automatically more secure. The PCI DSS guidelines also overlap with many other security frameworks, which will give you a head start if you need to achieve compliance in other areas.
What Is PCI DSS?
PCI DSS is a set of information security standards put in place to ensure that organizations that accept, process, store, or transmit payment card information maintain secure environments to protect consumers and merchants. Simply put, the PCI DSS standards apply to any organization that holds, processes, or passes cardholder information from any credit or debit card branded with the logo of any of the card brands.
Even if an organization processes just four credit card transactions a month, it must be PCI compliant. A company that uses a third-party payment processor must still comply with PCI standards. Also, if an organization doesn’t store credit card data but cardholder data does pass through its server, that organization must also comply with PCI requirements.
The PCI Council offers information to financial institutions and other organizations about how to prevent and detect fraud and data loss, and how they should react in the event of data breaches.
Is PCI DSS a Legal Requirement for Banks?
No, PCI DSS is not required by law. Rather, PCI DSS compliance is required by the contracts that govern participation with the major payment card brands. Financial institutions, including issuing banks and acquiring banks, as well as merchants and service providers that process transactions, enter into contracts with the five card brands that enable those financial firms to process credit card information.
Issuing banks are banks that offer credit cards to consumers. Acquiring banks are the financial institutions that hold merchants’ bank accounts, facilitate payment processing through the card processors, and deposit funds on behalf of the merchants. If your organization falls under either of these categories, then PCI DSS compliance will be required of your company under those contracts.
How to Become PCI-Compliant
The PCI DSS has 12 primary requirements for those wishing to prove compliance:
- Protect all cardholder data with a system of well-maintained firewalls.
- Change all passwords from any defaults to unique and secure options.
- Any stored cardholder data should be protected.
- Encrypt any cardholder data that is transmitted via open networks.
- Use antivirus software and make sure it is kept up to date.
- Make sure that your systems and applications are secure.
- Access to cardholder data should be permitted only on a need-to-know basis.
- Any staff members with access should be assigned a unique ID.
- Any physical access to cardholder data should be restricted.
- All access from staff should be closely monitored.
- All security measures should be tested regularly.
- Your information security policies should be consistent and clear to all employees.
Within these 12 main requirements are 281 additional directives, which may or may not apply to you based on the size of your company and how many credit card transactions you process in a given year.
To become PCI DSS compliant, you first must determine which standards you need to meet. Then assess your existing program to see where your data protection is sufficient, and where you may need to make changes to meet the necessary security requirements.
Establishing and proving compliance with all of the appropriate standards can be a challenging and time-consuming process. Fortunately, the PCI SSC provides the tools that organizations need to implement the PCI data security standards, including PCI self-assessment questionnaires (PCI SAQs), training and education, assessment and scanning qualifications, and product certification programs.
Should Banks Complete a PCI Assessment?
Yes. PCI assessments result in either a Report on Compliance (RoC), an Attestation of Compliance (AoC), or both. The merchant provides its RoC and/or AoC to its credit card acquirer annually to prove compliance with PCI requirements.
As with the assessment methods, the proof of compliance method is determined by the merchant level and the requirements of the specific card brand. Higher-level merchants may also need to provide quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV).
A PCI Self-Assessment Questionnaire (SAQ) is used by lower-level businesses (with fewer transactions) to perform a self-assessment of their compliance. There are multiple SAQs available, and the specific SAQ to use is determined by how customers perform credit card transactions (for example, card not present versus card present, or fully outsourced authorizations versus partially outsourced authorizations).
If you work for a financial institution, it’s possible that you’ve already met some or all of the PCI DSS requirements based on previous compliance requirements or government audits. This head start is convenient, but you need to make sure that all PCI DSS standards are accounted for to prove compliance.
The bottom line is that if your bank issues credit cards on behalf of the major credit card companies, it must ensure PCI DSS compliance. Non-compliance could result in the loss of your privileges for both issuing and processing credit cards, as well as potential fines. Moreover, loss of your customers’ data due to a breach can result in loss of consumer confidence and lawsuits.
ZenGRC Helps Organizations Manage Their Compliance
If you need to prove PCI DSS compliance, you’ll need the right tools. Spreadsheets and other outdated risk management methods can lead to confusion, redundancies, and dangerous gaps in your data security controls.
Whether you’re performing a self-assessment or preparing for an audit, ZenGRC is a software platform designed to make compliance easier than ever before. By centralizing your information and automating assignments and requests, ZenGRC can streamline your compliance process and ensure that no detail is left to chance.
Schedule a demo today and learn how ZenGRC can help you enhance your vulnerability management program and keep your customers’ data secure.