By Simeon Tassev, Managing Director and Qualified Security Assessor (QSA) at Galix,
The Payment Card Industry Data Security Standard (PCI DSS) is a standard put in place by major card issuers – American Express, Visa, MasterCard, Discover and JBC – to govern the use and security of sensitive credit card information. PCI DSS certification is complex. For companies handling high volumes of transactions, it is a non-negotiable annual requirement. For others – those doing a limited number of transactions or who have outsourced payments to a third party provider – there are less taxing alternatives, such as the PCI DSS self-assessment. However, the stakes are high.
In a digital world where security is constantly being undermined and cybercrime continues to flourish, breaches occur. When they do, there is likely to be financial damage to the organisation and its customers. Loss of sensitive credit card data make customers vulnerable and will, without doubt, negatively impact the reputation of the company. Putting best practices in place – which is what PCI DSS does – is a very important first step in creating a strong layer of security around this critical data to protect a company’s most critical asset: its clients.
It must be noted that PCI DSS certification will not make the organisation completely invulnerable. However, if the organisation is breached and is not PCI DSS certified, it will be compelled to do an audit and achieve certification. This is a huge undertaking, requiring considerable commitment in time, effort, and funds. The smart decision? Get to grips with what PCI DSS encompasses and begin to gear your systems, processes, and infrastructure to meet the requirements.
What will it take to become PCI DSS certified?
PCI DSS encompasses 12 specified requirements and just over 240 sub requirements. The 12 requirements are categorised into six control objectives, namely:
· Build and maintain a secure network,
· Protect cardholder data,
· Maintain a vulnerability management programme,
· Implement strong access control measures,
· Regularly monitor and test networks, and
· Maintain an information security policy.
To achieve certification, the organisation needs to be 100 percent compliant. Yearly validation, which comprises a full audit of all sub requirements, is done by a Qualified Security Assessor (QSA) who must be registered with the PCI Security Standards Council. A QSA may audit only the security aspects of the requirements. If you are heading in this direction, be aware that this process takes commitment, ongoing effort, and dedication. The majority of banks, due to many of their systems being interdependent, have been attempting to achieve PCI DSS certification for years, at great cost.
Who needs to be PCI DSS certified?
The major credit card companies have their own tiering system, categorising companies (merchants, acquirers, banks) according to the number of transactions they handle annually. Level 1 and Level 2 companies are compelled to be PCI DSS certified with a full audit completed every year. Level 3 and Level 4 companies may complete a self-assessment, although they are encouraged to achieve full certification.
The cost of a PCI DSS annual audit starts at $10,000. It is very technical and the more systems you have, the more expensive it becomes. However, consider that Level 1 comprises companies typically handling 2.5 million American Express, or six million Visa/Mastercard/Discover transactions a month. Level 2 companies are handling up to 50,000 American Express and between 1 and 6 million Visa/Mastercard/Discover transactions a month. That’s a lot of data to protect.
The key is to find a balance. How secure is secure enough for your business?
How to gear for PCI DSS
The easiest way to avoid PCI DSS certification is to outsource the requirement to service providers who already have all these elements of protection in place – i.e., online payment gateways or card payment transaction processors. However, if keeping credit card data is unavoidable there are some steps you can take to make PCI DSS less onerous. These are:
· Understand dataflow – know how the data is acquired and flows through business systems and processes.
· Keep anything to do with credit card information as separate from the rest of the business as possible.
· Standardise processes.
· Put security and governance policies in place early and enforce them 100%.
Here is why these steps are so important: The PCI DSS standard covers every system within the business that has anything to do with credit card information – how the data enters and exits an organisation, who has access to it or handles it, how it is used, transported and stored. Little is left to chance. The standards also cover every aspect of systems – the people, processes and technology (software, hardware, network security), and physical facility – as well as every other system that intersects with these systems. Therefore, for example, if the workstation that processes credit card information is part of the office network, the whole network is audited. If part of the transaction is handled by a third party; that service provider must have the necessary certification in place.
There are two vital inter-related issues to pay attention to: dataflow and managing scope. Dataflow is driven by processes, and it is important to protect credit card data within business processes, regardless of the means used to acquire the data – e.g., online or through swiping a card at a physical till point. It is critical to understand where this data ‘touches’ on other systems and minimise it. This will limit the scope of the PCI DSS certification – which saves effort and cost. Standardisation will also help limit scope. If you have multiple branches and can show processes and policies are standardised, it may only be necessary to test one iteration of the system.
PCI DSS – engaging with the process
A PCI DSS engagement generally takes a multiphase approach. In Phase I, a self-assessment is simulated. This assists to define what is in scope and identify any specific challenges. The certifier will then present recommendations to assist in scope reduction. Challenges are addressed and Phase II – the full certification – will begin.
A number of documents must be completed and multiple scans, tests and assessments are done on systems. These are best practice processes. While there is a cost associated with them, it is in reality not less than the business should already be doing to protect itself and its customers.
PCI DSS may be complex and difficult to achieve, however, the standards are not there to make business more difficult or costly to conduct – businesses that deal with credit card data have a responsibility to protect that data. The question they need to be asking themselves is not “do I have to make the effort to comply” but “what do I need to do to secure my business”. The PCI DSS standards are just a first step.