PCI DSS Compliance Strategies for Smaller Financial Institutions

August 29, 2024

Key insights

For many smaller financial institutions, PCI DSS compliance is a big challenge, but it shouldn’t be viewed as insurmountable.

Strategies smaller banks and credit unions can implement include cybersecurity training for employees, encrypting cardholder data, and protecting personal account numbers.

Financial institutions should consider a PCI DSS readiness assessment, which can help establish an initial baseline of missing or misaligned controls.

Data security is a challenge for financial institutions big and small.

Take the case of Arkansas-based Centennial Bank. A cyberattack compromised the Social Security numbers, credit/debit card information, and other personal information of its 60,000 customers. The bank is now facing fines, class action lawsuits, and increased security costs. It’s also possible the bank may face additional fines and requirements related to the Payment Card Industry Data Security Standard (PCI DSS).

Security incidents like this highlight the importance of PCI DSS compliance for banks and credit unions regardless of asset size. The rippling effects following a breach could severely debilitate a bank or credit union’s viability.

For many smaller financial institutions, PCI DSS compliance is a big challenge — but it shouldn’t be viewed as insurmountable. Learn strategies smaller banks and credit unions can implement to take significant steps toward PCI DSS compliance.

Where is primary account number data stored?

As a bank or credit union, if you are processing, storing, or transmitting cardholder data (CHD), including primary account number (PAN) data, cardholder name, expiration date, and card verification value, you are subject to PCI DSS compliance.

It’s likely you have PAN data in your core system, in a data warehouse or network file storage location, with third-party service providers like cloud providers, or in spreadsheets attached to internal emails between employees.

All these locations can be targets of cybercriminals who want to compromise systems and exfiltrate CHD for financial fraud, identity theft, and other nefarious purposes. Knowing where you have CHD is the first step in identifying where you need to have controls to protect and secure the data.
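Knowing where CHD sits starts with finding it. As an added example (not code from the article or from CLA), the Go scanner below pulls Luhn-valid PANs out of exported text, such as a spreadsheet attached to an e-mail, and reports them masked to the first six and last four digits so the findings list does not itself become a new CHD store. The sample lines are constructed and use published test card numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Candidate PANs are 13 to 19 digits, optionally grouped by spaces or dashes.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// LuhnValid reports whether a digit string passes the Luhn check every card brand's PAN satisfies.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the first six and last four digits, the most PCI DSS permits on a display.
func maskPAN(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// FindPANs returns a masked form of every Luhn-valid PAN found in text.
func FindPANs(text string) []string {
	strip := strings.NewReplacer(" ", "", "-", "")
	var found []string
	for _, m := range candidatePAN.FindAllString(text, -1) {
		if digits := strip.Replace(m); LuhnValid(digits) {
			found = append(found, maskPAN(digits))
		}
	}
	return found
}

func main() {
	// Constructed sample of a spreadsheet export; the card numbers are published test values.
	sample := "cust,4111 1111 1111 1111,555-123-4567\ncust,4111111111111112,ok\ncust,5555-5555-5555-4444,x"
	for _, p := range FindPANs(sample) {
		fmt.Println("PAN found:", p)
	}
}
```

The phone number and the number that fails the Luhn check are ignored, which keeps the findings list short enough to act on.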

Considerations for not retaining PAN data

PAN data may not be needed by the bank or credit union after authorization of a cardholder transaction, yet it may still be retained in spreadsheet files, the core system, or databases.

If there is no valid business reason for retaining PAN data, securely dispose of it. Doing so will help to reduce the costs and level of effort involved in annual validation efforts, as well as reduce risk and impact of data breaches.

Many banks and credit unions use third-party services for payment card issuance and/or ATM system management. As such, removing PAN data completely may be impractical. But financial institutions still have the responsibility of verifying that third-party service providers reduce or remove PAN data from their systems.

Financial institutions should require third-party service providers to undergo regular auditing of their internal controls via a System and Organization Controls (SOC) audit or other independent attestation. By auditing third-party providers, the bank or credit union can have some assurance that controls are in place for removing or reducing PAN data among business partners in its supply chain.

The benefits of PCI DSS readiness assessment

Small banks and credit unions lacking internal resources for PCI DSS compliance should consider hiring an outside firm to perform a PCI DSS readiness assessment. PCI DSS compliance can be complex, considering the 12 primary requirements, sub-requirements, and what is needed to align cybersecurity controls with each.

The readiness assessment can help establish an initial baseline of missing or misaligned controls for policies, procedures, technologies, and personnel for securing CHD. Once deficiencies are identified, consultants can recommend practices to put in place, technologies to implement, and documentation to better align with the PCI DSS.

Consultants can also suggest other cybersecurity controls to further enhance data security.

Use strong encryption to protect data

Cardholder data is of no use to cybercriminals if it’s unreadable. This is why using strong encryption for CHD can help reduce a data breach impact. Whole disk encryption solutions, such as BitLocker — which is included in most versions of the Windows operating system — should be implemented if employees store CHD on their local hard drives.

While it’s a good first step, using whole disk encryption alone will not satisfy sub-requirements under Requirement 3: Protect Stored Account Data, since the decryption key is usually tied to a user account and the authentication of that user account. The decryption key shouldn’t be associated with a user account or stored on the same system as the encrypted CHD.

Also use encryption when transmitting transaction data to third-party service providers, in outgoing email, and through other online transmissions if there’s a possibility it contains CHD. Encryption protects CHD during transmission and helps meet Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Although leveraging encryption to protect PAN data and CHD while it’s stored and transmitted helps, it doesn’t absolve financial institutions from complying with PCI DSS. Other requirements still apply.
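One way to meet the key-separation point above in an application rather than at the disk layer, added here as an example that is not code from the article or from CLA: each PAN is encrypted under a data-encrypting key that the application fetches from a separate key store at run time (the key store is assumed; the page names no product), and the record that is persisted holds only the ciphertext and a masked display value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// StoredPAN is what gets persisted; the key that reverses Ciphertext lives in a separate key store.
type StoredPAN struct {
	Masked     string // first six and last four digits only
	Nonce      []byte
	Ciphertext []byte
}
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // dek must be 16, 24 or 32 bytes; 32 gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// ProtectPAN encrypts a PAN with AES-GCM under dek, a key fetched from that store (assumed here).
func ProtectPAN(pan string, dek []byte) (StoredPAN, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredPAN{}, errors.New("PAN length outside 13-19 digits")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return StoredPAN{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredPAN{}, err
	}
	masked := pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(masked)) // masked PAN bound as AAD
	return StoredPAN{Masked: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// RecoverPAN decrypts a record; a wrong key, nonce or altered field returns an error.
func RecoverPAN(rec StoredPAN, dek []byte) (string, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Masked))
	return string(pt), err
}
```

Because dek never touches the record or the host's disk, a copied database or stolen laptop yields only ciphertext and masked values, which is the outcome disk-level encryption alone cannot give once the user account is logged in.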

Require employees to undergo cybersecurity training

Employees are the greatest risk to an organization’s cybersecurity. Many cyberattacks start because an employee falls victim to a phishing email, vishing phone call, or smishing text. These attempts sometimes include directing employees to fictitious login pages to capture usernames and passwords, which can then be used to access databases containing CHD.

This scenario emphasizes the need for employee cybersecurity training at least annually. Trained employees serve as vigilant defenses for protecting CHD.

Regular cybersecurity training is one of the most cost-effective ways to help secure CHD and meet many PCI DSS requirements, including sub-requirements found in Requirement 5: Protect All Systems and Networks from Malicious Software, Requirement 9: Restrict Physical Access to Cardholder Data, and Requirement 12: Support Information Security with Organizational Policies and Programs.

Management investment in PCI DSS compliance

Executive management plays a vital role in leading banks and credit unions in PCI DSS compliance. Without management championing, PCI DSS compliance will not be the priority it should be and will continue to feel unachievable.

While your IT team can lead PCI DSS compliance efforts, it cannot do it in a vacuum. Management must become educated about PCI DSS (and management involvement helps to meet Requirement 12.1.4).

Review PCI DSS v4.0.1 (the most recent version as of this writing) and the 12 overarching requirements. Read articles and case studies about how other organizations comply and ask peers at other banks and credit unions how they instituted PCI DSS practices and controls.

Kevin Villanueva