Article from Professional Security Magazine on 11th September 2009
PCI compliance
Alan Calder, Chief Executive of information security firm IT Governance Limited, looks at how the October 1 deadline to become fully PCI DSS (Payment Card Industry Data Security Standard) compliant shows how serious the banks are about combating hacking and avoiding the risk of a data breach. He advises that PCI DSS has to be addressed – and soon – and that the best way to avoid the risks around moving to compliance is to take steps now in a holistic way, as part of an overall risk strategy.
The payment card industry is seeing significant increases in the hacking of merchant security systems to fraudulently obtain card data, particularly with merchants who accept cardholder information over the Internet, and so has stepped up the pressure to get PCI DSS implemented as widely as possible.
Companies processing credit cards that fail to meet the October 1, 2009 deadline to become fully PCI DSS (Payment Card Industry Data Security Standard) compliant face mounting pressure from banks – with smaller UK companies in particular likely to be slipping behind. Levels 2 to 4 card processing merchants are particularly vulnerable, risking fines as well as merchant facilities being removed by UK acquiring banks.
In fact, any organisation that comes into contact with credit card information must be compliant with the PCI Data Security Standard – whatever its size. The problem is that meeting that requirement is far from straightforward. Requirements differ between merchants and service providers and on the number of transactions processed annually. The standard basically requires all merchants and member service providers who store, process or transmit cardholder data to build and maintain a secure IT network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks and maintain a coherent, overall information security policy.
Ensuring compliance is important because if your organisation stores or handles credit card data, you fall under the contractual requirements set by acquiring banks. So although PCI DSS is not law, it is enforceable by the credit card brands through contractual penalties and sanctions, up to and including withdrawal of the company's right to accept or process credit card transactions.
And while PCI is a common standard, each payment brand has its own compliance programme. Note that there may be regional variations for VISA (e.g. between the US and Canada in North America) while MasterCard has a single global standard, and that acquiring banks – not the payment brands – are usually responsible for enforcement.
Note that the security requirements typically apply to all system components included in or connected to ‘the cardholder data environment’. PCI applies to any type of media on which card data may be held – this includes hard disk drives, magnetic tape and backup media, but also embraces printed or hand-written credit and debit card receipts where the full card number is printed. In fact, storage of payment card data is one of the key concerns of PCI DSS. Receipts are often held by merchants as a paper record of the transaction and may be used for product return purposes, or as evidence of the transaction if the acquirer issues a request for information (RFI).
Clearly, if the card number must be held, the physical receipts must be stored securely. Retailers must also vet all other areas where card details may be stored, processed or transmitted. For example, many EPoS (electronic point of sale) systems take a copy of the card details (either swiped separately, or extracted from EFT receipt data) and store them unencrypted within their own databases for reconciliation and reporting purposes. This is usually prohibited by PCI DSS.
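As an added illustration of the EPoS problem just described (example code, not from the article or from IT Governance): a scan that flags reconciliation rows holding a Luhn-valid full card number in the clear, and the same rows rewritten to hold only a truncated PAN plus a keyed hash reference so they can still be matched for reconciliation. The sample rows and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample rows, in the shape an EPoS reconciliation table might take
# when it copies the full card number from the EFT receipt data (hypothetical data).
SAMPLE_ROWS = [
    {"txn_id": "T1001", "amount": "19.99", "card": "4111111111111111"},  # Luhn-valid test PAN
    {"txn_id": "T1002", "amount": "5.00", "card": "4111111111111112"},  # fails Luhn: not a PAN
    {"txn_id": "T1003", "amount": "42.10", "card": "5555 5555 5555 4444"},  # spaced, still a PAN
]
PAN_RE = re.compile(r"\d{13,19}")
# Hypothetical key for the keyed reference; in practice it lives in a key-management system.
REFERENCE_KEY = b"example-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit, used to tell a real card number from other long numeric fields."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(rows):
    """Return (txn_id, field) for every value that looks like a full PAN stored in the clear."""
    hits = []
    for row in rows:
        for field, value in row.items():
            digits = re.sub(r"[ -]", "", str(value))
            if PAN_RE.fullmatch(digits) and luhn_valid(digits):
                hits.append((row["txn_id"], field))
    return hits


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitise_rows(rows, key=REFERENCE_KEY):
    """Replace the clear PAN with a truncated form plus an HMAC-SHA256 reference for matching."""
    out = []
    for row in rows:
        pan = re.sub(r"[ -]", "", row["card"])
        out.append({
            "txn_id": row["txn_id"], "amount": row["amount"],
            "card_truncated": truncate_pan(pan),
            "card_ref": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
        })
    return out
```

Running `find_clear_pans` over a database export is a quick way to check whether an EPoS system is keeping full card numbers it should not.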
The consequences of such security breaches can be very grave. Damage to reputation results in diminished consumer trust and can therefore severely affect the bottom line. The negative publicity that accompanies any breach can be very damaging to share value, the last thing any CEO would want in the current climate. But mere weakness in meeting the PCI standard, let alone actual identified frauds, can also affect you negatively. An organisation that suffers a breach immediately acquires an elevated risk status, becomes subject to more checks, and can ultimately lose the ability to process credit cards altogether.
So how to meet that PCI DSS deadline and get a clean bill of PCI 'health'?
Meeting PCI is best done as part of an integrated approach to compliance itself, as the organisation will also of course need to consider other compliance requirements that may affect operations. The benefit of an integrated approach is that organisations will be able to demonstrate that they have good internal controls over financial processes, which is highly desirable as an end in itself. But more importantly it will help mitigate information security risks before they become a disaster.
About Alan Calder
Chief Executive of IT Governance Limited (www.itgovernance.co.uk), an organisation offering a range of information security resources to organisations, including a dedicated set of resources to help SMEs meet that PCI DSS deadline. IT Governance publishes ‘PCI DSS: A Practical Guide to Implementation’, available at http://www.itgovernance.co.uk/products/1633