Although the PCI DSS standard was introduced in 2004, there still remains uncertainty as to whom it applies, what organisations must do to comply with it and who they should look to for assessment and advice to ensure that they have met the requirements of the standard.
In 2007, UK high street chain TK Maxx was fined for failing to adequately protect customer data and more specifically, cardholder data. This was the UK’s first high profile incident where the relevance of PCI DSS and the implications for merchants failing to comply with the standard was witnessed.
Despite this incident, very little has happened in the UK with regard to businesses addressing the standard and complying. With letters from banks being issued throughout the summer requesting evidence of compliance, this is set to change.
Whether it is a standard transaction, storing card details for donation purposes or holding details on behalf of another body, each organisation that processes payments for customers is given a merchant level dependent on the number of transactions it processes. This level is important when addressing PCI DSS, in that it determines the action that must be taken with regard to conducting assessments and auditing compliance.
From the contact Advent IM has had with various organisations to date, knowledge and understanding of the PCI DSS standard, even amongst retail outfits is not as commonplace as it should be. Even when it is addressed, information tends to sit centrally within the organisation, often failing to filter down throughout the various departments and branches, which is where most data breaches occur. In cases where a business is considering ways to address PCI DSS compliance, the person handling the project rarely comes from an information security background, and focus is generally put on the IT elements of the standard not the people, places and processes.
PCI DSS promotes information security best practice. It is designed to protect the customer and it is supported by five major credit card companies: Visa, MasterCard, American Express, Diners Club and JCB.
The PCI DSS standard, which covers internal and external networks and all applications both fixed and online, also encompasses all active and unattended POS terminals. Visa has made visible efforts to push the standard by urging businesses to comply with the standard by 1st October 2009, which has driven HSBC, for example, to encourage all customers to become PCI DSS compliant.
Acquirers working on behalf of and in tandem with organisations like HSBC have been proactively contacting the bank’s customers encouraging them to make every effort to comply with the PCI DSS standard. Consequently, they have encouraged companies to employ a Quality Security Adviser (QSA) to complete the process of assessment, recommendation and auditing of the revised procedures. However, for those merchants at levels 2, 3 or 4, this is an unnecessary expense.
Although it is heartening to see steps towards this best practice being taken, the messages remain mixed and there is a lack of consistency in approach. Neither the banks nor the PCI Security Standards Council (the open global forum responsible for the PCI DSS standard), seem to truly comprehend to how many businesses PCI DSS directly applies. Similarly, the Council does not appear to be monitoring who has submitted their certificate of compliance. Only when a breach hits will it take note and, for unfortunate, short-sighted businesses, it will be too late.
Although various people throughout the organisation may be responsible for the secure storage of credit card details, it is ultimately the CEO or equivalent that is accountable for that information.
A recent study by the Ponemon Institute and Imperva found that 71% of companies do not treat PCI DSS as a strategic initiative, yet 79% have experienced a data breach. In addition, the survey found that only 28% of smaller companies (501-1000 employees) comply with PCI DSS, as opposed to 70% of larger companies (75 000 or more employees). It is therefore imperative that procedures are implemented to ensure best practice and to save others from the same humiliation experienced by TK Maxx in 2007.
For all businesses unsure about the security surrounding the storage of data on cardholder transaction, it is recommended that they look to external consultancies to independently assess the organisation’s processes for storing and transmitting details and to conduct the necessary ‘penetration tests’ to gauge their compliance. The key here, as with all standards, is independence.
However, there still remains uncertainty as to whether all organisations in question require a Qualified Security Assessor (QSA) to guarantee the authorised assessment and to deem them compliant. QSAs are only really deemed an absolute ‘must’ 'for merchants with over six million credit card transactions per year and companies should be vigilant as to whom they employ. The other factor that companies may find with retaining a QSA is that the review they conduct may only leave the business with a list of issues that fail to meet the standard; but will not provide solutions or advice as to how to rectify these problems.
Advent IM has worked with a number of public and private sector organisations, mentoring them through PCI DSS, to assist with process flow identification and provide holistic security advice across the 12 standard requirements, including physical security. This physical element is often overlooked, as in many cases; PCI DSS is passed over to the financial or IT departments to manage.
However, the complete standard involves much more than processes – staffing and the working environment also need to be reviewed too. When addressing any kind of security anomaly, it is commonplace to simply throw technology at the problem to resolve the issue. Similarly, with PCI DSS, technology on its own will only offer a quick-fix and will not tick all the boxes for compliance.
PCI DSS requires a holistic approach with independent experts that assess the people, places and procedures inherent to a company. By undertaking a review of all three, businesses can be assured that all other factors affecting PCI DSS will also be considered.
Advent IM also recognises the overlap between PCI DSS and ISO27001 and, as strong advocates of this industry standard, is encouraging more businesses to refer back to this risk-based framework as a first ‘reference point’. In doing so, companies will find that it stands them in good stead for tackling PCI DSS, as many factors relate to both.
As well as maintaining an inter-department dialogue to ensure that workers are not doubling up on efforts, this communication should ensure that all procedures are integrated and complementary throughout the business to guarantee the security of the company’s assets and its customers’ sensitive data. A high quality security policy, awareness and training are paramount.
We must remember that these standards have been put in place to assist, not be a burden. In some cases, where expertise or knowledge is lacking, it pays dividends to bring in an external consultancy to train up key staff within the organisation that will ultimately be responsible for locking down data.
Advent IM encourages a three-pronged approach to PCI DSS: enforce policies, educate staff and maintain the procedures you have put in place. Risks are ever-evolving and therefore it is compulsory that a company continually reviews its risks and updates any methods used to address them regularly.
In the future, Advent IM is hoping to witness a growing awareness of PCI DSS compliance, but this requires all partners in the industry to collaborate together to educate all merchants about the Standard so that businesses recognise its value. Until this happens, companies need to question their policy, procedures and actions to guarantee that they are not tomorrow’s headline for the wrong reasons.