Thought leadership - Payment Card Industry Data Security Standard
April 2009, by Michael Christodoulides, QSA, CISA, Registered PRINCE2 Practitioner, Information Security Consultant, 7Safe
Payment cards, whether debit or credit cards, are without question an essential component of modern commerce. The branded card has moved on from simply acting as a passport for financial transactions and has become a lifestyle statement of the individual holding it. This means that the potential uses of payment card information are broadening. For example, a company's Marketing department may have an interest in understanding branded card use so that it can target its key messages and campaigns more precisely and improve response rates.
Equally, the Finance department might be disaggregating its repeatable tasks (such as payment collection) by outsourcing them, thereby freeing capacity to provide added-value services. Clearly a successful business is a dynamic business, able to respond to the ever-changing marketplace by delivering the services and products that customers need for an appropriate financial reward.
Sensitive and confidential data
One thing that does not change is the ever-increasing need to securely process, transmit and store sensitive and confidential data. In the UK the need to protect personal data is entwined within both mandates and legislation. The Data Protection Act is the most commonly quoted Act of Parliament in respect of safeguarding personal data, and in recent times the Information Commissioner has been granted increased powers to instigate investigations and pursue breaches of personal data.
The Payment Card Schemes (e.g. VISA, Mastercard, JCB, Amex, Discover) recognise the ever-increasing threat to sensitive payment card data caused by breaches in the security of organisations that store, transmit or process cardholder data. Uniquely, the schemes have agreed a common data security standard to protect cardholder data and therefore mitigate the risk of personal data disclosure that could lead to financial loss and reputation/brand damage.
There are in fact three distinct standards. Firstly, the Payment Application Data Security Standard (PA-DSS) is for use by commercial organisations that write and sell software applications for use with payment cards. Secondly, the PIN Entry Device (PED) security requirements apply to those organisations that manufacture PIN entry devices (e.g. PDQ terminals). Finally, the Payment Card Industry Data Security Standard (PCI DSS) is applicable to all entities that store, process or transmit cardholder data. The remainder of this thought piece is focused upon the PCI DSS.
Organisations and compliance
Examples of organisations that fall into the catchment of PCI DSS include merchants (online or bricks and mortar) who accept payment cards; service providers who host e-commerce applications or act as payment gateways; telephony companies who provide hosted services that include conversations in which card details are recorded; and lastly Payment Service Providers. In fact any entity that stores, processes or transmits payment cardholder data must be compliant with the PCI DSS. It will not be a surprise to read that the Payment Card Schemes have retained powers to remove payment facilities, via the Acquirers (Barclaycard Business, RBS, HSBC, Lloyds etc.), from organisations that are found to have suffered breaches in their security leading to unauthorised disclosure of payment card information. Increasingly significant fines are levied on the acquirers for breaches, and for slow progress towards or non-compliance by their customers; most, if not all, of this liability is passed on to their Merchants and/or Service Providers. So, on the one hand UK legislation is in place to ensure that organisations handling personal information are appropriately secure and managed, whilst at the same time the payment card schemes have agreed a common 'data security standard' with which organisations are mandated to comply as part of their commercial agreement with their Acquirers (or sometimes, as in the case of Amex, directly with a Scheme).
With the above factors in mind, the question must be asked as to why so many instances of unauthorised data disclosure are regularly reported. After all, most commercial and public sector organisations accept payment cards and will therefore fall within the remit of both the PCI DSS and UK legislation.
The PCI DSS
The PCI DSS is a robust set of requirements spanning six control objectives (Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Programme; Implement Strong Access Controls; Regularly Monitor and Test Networks; and Maintain an Information Security Policy). These are not above and beyond commonly accepted information security practices; what the PCI DSS adds is that it requires specific controls and audit logging to be in place. When implemented and maintained, the PCI DSS will reduce the risk of unauthorised disclosure and provide audit evidence to assist any investigation should a disclosure take place. It also provides a 'safe harbour' from scheme fines should you be compromised but shown to have been compliant at the time of the breach.
The card schemes also work towards reducing the burden of bureaucracy for organisations by categorising them into a number of levels based upon their transaction volumes (levels 1 to 4). A level 1 organisation processes the highest number of transactions (i.e. more than 2.5 million or 6 million transactions per year, depending on the card brand) and a level 4 organisation the lowest (e.g. under 20,000 e-commerce transactions and up to 999,999 other transactions, again depending on brand). Whilst the requirements to be met remain the same for every level (i.e. the controls mandated in each of the six areas), the way in which you evidence (validate) your compliance differs: those in levels 2 to 4 may validate their compliance via a self assessment questionnaire (SAQ) or, at their option, via a third party. Third-party validation should be carried out by an approved QSA Company and signed off by an approved QSA (Qualified Security Assessor/Qualified Security Assessor Company; this accreditation can only be obtained from the Payment Card Industry Security Standards Council, https://www.pcisecuritystandards.org/).
For all level 1 entities, validation of compliance must be undertaken by an accredited QSAC with an accredited QSA. Should you be subject to a data breach, your company, regardless of its previous classification, will automatically be elevated to level 1 status for a period of 12 months and will be subject to the requirements of a full audit validation.
It is fair to say that attackers go where payment card details are stored. Therefore e-commerce databases, backups and other areas where payment card details are stored or regularly transmitted are prime targets. Although e-commerce and e-payment service providers are particularly exposed in this respect, the merchant commissioning the service is ultimately responsible for ensuring that contracts with service providers include the requirement to be compliant with the PCI DSS (managing service providers is itself a PCI DSS requirement, under requirement 12.8). Acquirers will pass fines arising from a Merchant's choice to use a third party that is subsequently compromised on to the Merchant. It is therefore critical that you know you are only using compliant third parties to support your card payment processes.
A key truth behind breaches of cardholder data security is that all too often organisations still operate using legacy computer systems, poor levels of basic IT security and poor business processes. This is not always the result of a poor appetite for security; it is often the result of increasing pressure to reduce company spend, and of having taken a 'risk-based' approach to security that the criminal fraternity is now taking full advantage of. The effects of not managing an organisation's level of risk are all too clear for us to see today.
In terms of budgets, compliance with PCI DSS was rarely factored into business plans, and many Programme Managers are still fighting almost daily to retain the budget they need to be successful. In many cases the budget required is confused by Senior Sponsors with a request for IT spend, rather than recognised as a business-wide mandated requirement on any entity wishing to store, process or transmit card payments. In what is a global evolution towards a cashless society, few entities will be able to survive without the ability to accept card payments (even if they do so via a PCI DSS compliant third party).
Ultimately compliance with the PCI DSS is a business wide issue not purely an IT issue and the effects on those entities that do not reach compliance or take the compliance requirement seriously by the deadlines could be devastating.
Successful compliance programmes are built on the principle that compliance is a business requirement that needs active contributions from all sectors of the business (e.g. HR, Business Operations, Premises, IT, Contracted Services).
Summary
For all organisations the PCI DSS is a mandated call to action. If you don't yet know how to evaluate your business and IT controls, conduct internal self assessments and risk assessments, or measure your position against the published PCI DSS, get help. As the market's level of compliance increases, those entities that are not compliant will be at growing risk: the criminal fraternity will go for the weakest link, i.e. those that are not yet compliant. There is a concerted drive for the remaining entities to validate their compliance by quarter 3 of 2009, so time is of the essence, especially for level 1 entities, which are mandated to engage an accredited QSA.
The PCI Security Standards Council approves PCI Qualified Security Assessors (QSAs) and their companies. Visit the Council's website for details of approved QSAs and how to contact them. They are specialists in their field and are there to help you achieve and maintain compliance with the PCI DSS.