By Mike Gillespie
PCI DSS: do you conform?
08 Oct 09
Although the Payment Card Industry Data Security Standard was introduced in 2004, there remains much uncertainty in terms of what organisations must do to comply with it and who they should look towards for assessment and advice. Mike Gillespie offers some clarity on the matter.
Organisations that transmit, store or process payment card details and that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS) face serious penalties, including potential fines of £50,000-plus, damage to brand reputation, loss of business and the risk of closure. It's an issue of great concern to many businesses, and a topic much debated on business forums.
Although this standard was introduced in 2004, there still remains uncertainty as to whom it applies to, what organisations must do to comply with it and whom they should look to for assessment and advice to ensure that they have met the requirements of the standard.
In 2007, High Street chain TK Maxx was fined for failing to adequately protect customer data and, more specifically, cardholder data. This was the UK's first high-profile incident in which the relevance of PCI DSS, and the implications for merchants failing to comply with the standard, were witnessed.
Despite this incident, very little has happened in the UK with regard to businesses addressing the standard and complying with its Terms and Conditions. However, with letters from banks being issued throughout the summer requesting evidence of compliance, that situation is about to change.
Conducting assessments and auditing compliance
Whether it's a standard transaction, storing card details for donation purposes or holding details on behalf of another body, each organisation that processes payments for customers is given a merchant level dependent on the number of transactions it processes. This level is important when addressing PCI DSS, in that it determines the action that must be taken with regard to conducting assessments and auditing compliance.
From the contact we have had with various organisations to date, knowledge and understanding of the standard - even among retail outfits - is not as commonplace as it should be. Even when the issue is addressed, information tends to sit centrally within the organisation, often failing to filter down throughout the various departments and branches where most data breaches occur.
In cases where a business is considering ways to address PCI DSS compliance, the person handling the project rarely comes from an information security background, and attention is generally focused on the IT elements of the standard rather than the people, places and processes.
PCI DSS promotes information security Best Practice. It's designed to protect the customer and it's supported by five major credit card companies: Visa, MasterCard, American Express, Diners Club and JCB. The standard, which covers internal and external networks and all applications both fixed and online, also encompasses all active and unattended POS terminals.
Visa has made visible efforts to push the standard by urging businesses to comply with it prior to 1 October this year (which has driven HSBC, for example, to encourage all customers to become PCI DSS-compliant). Acquirers working on behalf of (and in tandem with) organisations like HSBC have been proactively contacting the bank’s customers, encouraging them to make every effort to comply with the standard. Consequently, they have encouraged companies to employ a Quality Security Advisor (QSA) to complete the process of assessment, recommendation and auditing of the revised procedures.
However, for those merchants at levels 2, 3 or 4, this is an unnecessary expense.
Mixed messages, lack of consistency
Although it's heartening to see steps taken towards Best Practice, the messages remain mixed and there is a lack of consistency in approach. Neither the banks nor the PCI Security Standards Council (the open global forum responsible for the standard) seem to truly comprehend exactly how many businesses the PCI DSS affects. Similarly, the Council does not appear to be monitoring who has submitted their certificate of compliance. Only when a breach hits will it take note. For unfortunate and short-sighted businesses, it will be too late.
Although various people throughout the organisation may be responsible for the secure storage of credit card details, it's ultimately the CEO or equivalent who is accountable for this information. A recent study by the Ponemon Institute and Imperva found that 71% of companies don't treat the PCI DSS as a strategic initiative, yet 79% have experienced a data breach.
In addition, the survey found that only 28% of smaller companies (501-1,000 employees) comply with the PCI DSS, as opposed to 70% of larger companies (defined by dint of having 75,000 or more employees). It's therefore imperative that procedures are implemented to ensure Best Practice and to save others from the same humiliation experienced by TK Maxx in 2007.
For all businesses unsure about the security surrounding the storage of data on cardholder transactions, it's recommended that they look to external consultancies to independently assess the organisation’s processes for storing and transmitting details and to conduct the necessary ‘penetration tests’ to gauge their compliance. The key here, as with all standards, is independence.
However, there still remains uncertainty as to whether all organisations in question require a QSA to guarantee the authorised assessment and to deem them compliant. QSAs are only really deemed an absolute 'must' for merchants with over six million credit card transactions per year. Companies should be vigilant as to whom they employ.
The other factor that companies may find with retaining a QSA is that the review they conduct may only leave the business with a list of issues that fail to meet the standard, but will not provide solutions or advice as to how to rectify these problems.
Mentoring clients through the PCI DSS
We've worked successfully with a number of public and private sector organisations, mentoring them through PCI DSS, to assist with process flow identification and provide holistic security advice across the 12 standard requirements, including physical security. This physical element is often overlooked as, in many cases, responsibility for the PCI DSS is passed over to the financial or IT departments to manage.
However, the complete standard involves much more than processes – staffing and the working environment also need to be reviewed.
When addressing any kind of security anomaly, it's commonplace to simply throw technology at the problem in a bid to resolve the issue. Similarly, with the PCI DSS, technology on its own will only offer a quick-fix and will not tick all the boxes for compliance. For example, many companies will install a CCTV camera in the belief that it will satisfy the physical security element, but an ineffective or unnecessary camera is useless in the event of a breach.
The PCI DSS requires a holistic approach with independent experts who assess the people, places and procedures inherent to a company. By undertaking a review of all three, businesses can be assured that all other factors affecting PCI DSS will also be considered.
It's important to recognise the overlap between the PCI DSS and ISO 27001. As strong advocates of this industry standard, we would encourage more businesses to refer back to this risk-based framework as a first ‘reference point’. In doing so, companies will find that it stands them in good stead for tackling the PCI DSS, as many factors relate to both.
As well as maintaining an inter-department dialogue to ensure that workers are not doubling up on efforts, this communication should ensure that all procedures are integrated and complementary throughout the business to guarantee the security of the company’s assets and its customers’ sensitive data.
Responsibility for locking down data
A high quality security policy, awareness tuition and training are paramount for a secure, efficient workforce and ethos. It's important to remember that these standards have been put in place to assist, not be a burden. In some cases, where expertise or knowledge is lacking, it pays dividends to bring in an external consultancy to train up key staff within the organisation that will ultimately be responsible for locking down data.
We would encourage a three-pronged approach to PCI DSS: enforce policies, educate staff and maintain the procedures you have put in place.
Risks are ever-evolving, and therefore it's essential that a company continually reviews its risks and regularly updates any methods used to address them. In the future, we hope to witness a growing awareness of PCI DSS compliance, but this requires key partners in the industry to collaborate in educating all merchants about the PCI DSS so that businesses recognise its value.
Until this happens, companies need to question their policy, procedures and actions to guarantee that they are not tomorrow’s headline for the wrong reasons.
Mike Gillespie is a director at security consultancy Advent IM.