Thought leadership - Payment Card Industry Data Security Standard


Introduction

Payment cards, whether debit or credit, are an essential component of modern commerce.
The branded card has moved on from acting as a passport for financial transactions and has become a lifestyle statement for the individual holding it.

The potential use of payment card information is broadening. For example, a company's Marketing department may have an interest in understanding branded card use for targeting campaigns to achieve positive responses.
The Finance department might outsource repeatable tasks (such as payment collection), thereby freeing internal capacity for added-value activities.

A successful business is a dynamic business delivering services and products that customers need for an appropriate financial reward.

Sensitive and confidential data
One thing that does not change is the need to securely process, transmit and store sensitive and confidential data.
The Payment Card Schemes (e.g. VISA, Mastercard, JCB, Amex, Discover) recognise the threat to payment card data caused by breaches in the security of organisations that store, transmit or process sensitive cardholder data. Uniquely, the schemes have agreed common data security standards to protect cardholder data and therefore mitigate the risk of data disclosure that could lead to financial loss and reputation/brand damage.

There are three distinct PCI standards. The Payment Application Data Security Standard (PA-DSS) is applicable to organisations that write and sell software applications for use with payment cards. The PIN Entry Device Data Security Standard (PED-DSS) is applicable to organisations that manufacture PIN entry devices. The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all entities that store, process or transmit cardholder data. This thought piece focuses on the PCI DSS.

Organisations and compliance
Any entity that stores, processes or transmits payment cardholder data must be compliant with the PCI DSS. This includes merchants (online and bricks and mortar); service providers, who host e-commerce applications or act as payment gateways; telephony companies, who provide hosted services that include conversations in which card details are recorded; and lastly Payment Service Providers.

The Payment Card Schemes have retained powers to remove payment facilities, via the Acquirers (Barclaycard Business, RBS, HSBC, Lloyds etc.), from organisations that are found to have suffered security breaches. Increasingly significant fines are levied on the acquirers for breaches and for slow progress or non-compliance by their customers; most, if not all, of this liability is shifted to their Merchants and/or Service Providers.

The PCI DSS
The PCI DSS is a robust set of standards spanning six main themes: Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Programme; Implement Strong Access Controls; Regularly Monitor and Test Networks; and Maintain an Information Security Policy. The PCI DSS supports organisations by requiring the implementation of specific controls, testing and audit logging.

When implemented and maintained, the PCI DSS reduces the risk of a security breach. Compliance also provides the potential for a ‘safe haven’ from fines and fraud should your security be compromised.

The PCI DSS categorises organisations into a number of levels based upon transaction volumes. A level 1 organisation processes the highest number of transactions (i.e. between 2.5 million and 6 million transactions, depending on the card brand) and a level 4 organisation the lowest volume (e.g. under 20,000 e-commerce transactions and up to 999,999 other transactions, depending on brand).

Regardless of allocated level, the requirements for compliance remain the same. The difference is the requirement on how an organisation validates compliance. For organisations in levels 2 to 4 there is the option of validating compliance via a self-assessment questionnaire or via a third party. Third-party validation should be done via an approved Qualified Security Assessor Company (QSAC) and signed off by an approved Qualified Security Assessor (QSA).

For all level 1 organisations, validation of compliance must be undertaken by an accredited QSAC, with an accredited QSA. Should an organisation be subject to a security breach within its cardholder data environment, its allocated level is automatically elevated to level 1 for a period of 12 months, and it becomes subject to the requirements of a full QSA audit and attestation of compliance.

Criminals look for payment card details where they are stored. E-commerce databases, backups and other areas where payment card details are stored or regularly transmitted are vulnerable to successful acquisition. Acquirers will transfer to the Merchant any fines that arise from the Merchant's choice to use a third party that is then compromised. It is therefore critical that you know you are only using compliant third parties to support you in your payment card processes. The merchant commissioning the service is ultimately responsible for ensuring that contracts with service providers include the requirement to be compliant with the PCI DSS.

A key truth behind breaches in data security is that organisations operate using legacy computer systems, low levels of basic IT security and inadequate business processes. This may be a result of the increasing pressure to reduce company spend and of having taken a ‘risk’-based approach to security, of which the criminal fraternity are now taking full advantage.

PCI DSS is rarely factored into business plans; compliance is considered either part of an existing operational budget or a nasty, unbudgeted post-breach remediation shock. Senior Sponsors can mistakenly align budget for PCI DSS with a request for IT spend rather than a business-wide mandated requirement.
Successful PCI DSS compliance programmes are built on the principle that compliance is a business requirement that requires active contributions from all sectors of the business.

Summary
In what is a global evolution of a cashless society, few entities will be able to survive without the ability to accept card payments. The impact on those entities that do not reach compliance or take the compliance requirement seriously could be devastating.

If you don’t yet know how to evaluate your business and IT controls, conduct internal self-assessments or measure your position against the published PCI DSS – get help. As the market’s level of compliance increases, those entities that are not compliant will be at growing risk – the criminal fraternity will go for the weakest link. There is a concerted drive for quarter 3 2009 for the remaining entities to validate their compliance, so time is of the essence, especially for level 1 entities that are mandated to engage an accredited QSA.

Further impartial information regarding the Payment Card Industry is at https://www.pcisecuritystandards.org/
Michael Christodoulides, QSA, CISA, Registered PRINCE2 Practitioner.
Information Security Consultant, 7Safe.
Telephone: 0870 600 1667
http://www.7safe.com/
