IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Is credit card data protection a business issue?
Wed, 1st Apr 2009

If you deal with credit cards, you will need to comply with new PCI standards.

Millions of consumers and businesses are being affected by rampant credit card and identity theft across the world. Regulatory authorities are becoming concerned, as stories on credit card information breaches are rife. The payment card industry has highlighted a need to lift industry standards and provide better controls for the prevention of fraudulent card use. The development of a Payment Card Industry Data Security Standard (PCI DSS) is a critical step forward in this direction.

Does your business process credit card transactions? Or store credit card information?

Do you take online credit card payments?

Or do you handle credit card information on paper, online, over the phone or by mail? If you answered yes to any of these questions, you will need to comply with the PCI DSS.

The big five

The PCI DSS is a set of requirements to enhance security around the storage and handling of customer credit card information and data.

The PCI DSS was developed by MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB to help facilitate the global adoption of consistent data security measures. The five founding members jointly formed an independent regulatory organisation called the PCI Security Standards Council (PCI SSC) to raise awareness about the standard. The PCI DSS reflects the members’ position on credit card security standards.

At first glance, the PCI DSS could appear to be a standard focused on technical measures to address the requirements for credit card data protection. But the standard has implications that could potentially be significant across your business, which could affect your business processes and commercial relationships.

Who needs to comply?

* Merchants and their IT vendors and bureaus

* Card acquirer bank and the merchant’s bank

* Card issuer bank and the card holder’s bank

* Service providers who process, store or transmit credit or debit card data, and any party connected to them.

How to achieve compliance

The PCI DSS standard requires organisations to conform to specific systems, policies and procedures in relation to the processing and storage of credit card data. The standard is built around six major areas:

* Building and maintaining a secure network

* Protecting cardholder data

* Maintaining a vulnerability management programme

* Implementing strong access control measures

* Regularly monitoring and testing networks

* Maintaining an information security policy.

Why should businesses comply?

By complying with PCI DSS your organisation could benefit from the following:

* Showing your customers and partners the organisation takes security seriously

* Being able to manage risk around identity theft and credit card fraud more efficiently

* Increasing the protection of your customers’ data and of your clients’ customer data

* Avoiding punitive measures imposed by the acquirer banks or the card brands

* Staying competitive in a marketplace where non-compliance is no longer tolerated.

How do I prove I comply?

Proving or validating compliance involves an assessment and formal documentation. For smaller or less complex organisations this involves completing a self-assessment questionnaire and submitting the completed form to your acquirer bank. For larger or more complex organisations (in terms of transactions, storage or volume), an independent assessment must be undertaken by an approved PCI SSC security assessor. All organisations are also required to undergo an external vulnerability assessment by a similarly approved scanning vendor.

Staggered compliance dates ranging from October 2007 to September 2010 have been set to give businesses a deadline within which to be compliant, with earlier dates for larger merchants and service providers.

The absolute vitals

For your business to determine a pragmatic and optimal response to the PCI DSS, you should consider some vital aspects:

1. PCI DSS is different from other standards or industry regulatory regimes because it is enforced through contract law. It forms part of your contracts with your bank, with third parties that rely on your business activities and with potential customers; your organisation could also be a service provider for other PCI DSS-affected entities. Each contractual relationship enforces the standard downstream to its related entities, and a state of non-compliance in any of these could see an organisation breach its contractual obligations. As such, it’s vital for organisations affected by PCI DSS to understand the extent and exact nature of every contractual relationship that could be impacted. These relationships form part of the scope of PCI DSS for your organisation.

2. Outsourcing operations pertaining to the transacting, storing, processing or handling of your credit card activities does not transfer the responsibility, risk or liability away, and does not negate the need to comply. As a first step, understand your obligations to your immediate upstream contractual entity. For example, many organisations in a transacting space have a relationship with at least one acquirer bank.

Find and examine your contract and any associated letters of amendment for any explicit stipulations pertaining to PCI DSS. Consult legal counsel on the exact nature of your obligations from a contractual perspective. Establish clarity on what you have signed up to and determine if you have any timeframes binding you to achieve full compliance.

3. PCI DSS is not meant to be a tick-the-box exercise. Organisations that take such an approach do so at their own risk. While it is tempting to reduce your compliance burden, going through the motions without attending to the intent of the standard – data protection – poses a risk to your business. Raising the bar on risk management for credit card transactions and the handling of cardholder data is the primary objective of the standard’s requirements. It sets out good practices. However, because of the structure and the potentially complicated numbering of the requirements, some may get lost in reading the requirements to the letter of the law.

4. PCI DSS can be a complex issue for your business. Understanding the scope is important because this determines the extent of complexity and effort associated with moving your organisation towards compliance. Focus on the basics and consider the following:

a. Your data: What data do you have? Where does it come from? Where does it go? Who do you share it with? Why do you have it? If you do not need it, do not capture it, and destroy what you already have. Do you have numerous replications of this data in different environments or formats? Ensure no card magnetic stripe data (Track 2, PVV, CVV, PIN) is stored. This data is prohibited from being retained after the authorisation stage of any transaction.

b. Customer or client data: What aspect of your customers’ or clients’ data or data-related operations do you have a bearing on? What services or activities do you undertake that affect your customers’ or clients’ data, or data environments?

c. What are your business processes that handle or interact with this data in some way? Look for possible measures to either change processes or minimise the interaction with cardholder data. Use explicit and justified interaction where necessary, rather than defaulting to ‘all processes’ or ‘as many as possible’ handling.

d. Is your cardholder data environment separate from the rest of your business network infrastructure? If not, find a way to do so, and keep it separate, enforced and tidy.

e. Go for the opportunities where your organisation can have some quick wins in moving toward compliance. These are items that could be achieved without significant cost and effort, yet could have a big impact from a risk mitigation perspective or reduce the scope of your organisation’s PCI DSS footprint and complexity; for example, ensuring that PCI DSS becomes a key input for all new business initiatives or development activity. This moves your organisation towards compliance and also future-proofs the business against re-introducing non-compliance down the line.

f. Keep in mind PCI DSS is not a one-stop destination. It is an ongoing requirement to maintain your organisation’s compliance. Your business will change, evolve, and new developments will take place. Any of these could be done in a way that makes you no longer compliant with some or all of the requirements in PCI DSS. Being aware of this, and building in the right consideration, feedback loop and self-checking mechanisms to monitor the organisation’s PCI DSS status for compliance, will keep you on track.

5. Your ability to comply with PCI DSS has some interdependencies:

a. PCI DSS status of your relevant third parties. If your third party is not compliant, your use of them will mean your organisation can’t be deemed compliant either. This applies equally to situations where your acquirer or any other bank is in a service provider or joint venture capacity to your organisation. If they are not compliant with PCI DSS, you can’t be deemed compliant either.

b. Your use of purchased applications for your POS, online shopping cart or ATM needs. If you have a transacting facility as part of your business, whether physical (POS) or virtual, any application that is involved in the authorisation, processing or settlement of a credit card transaction must be certified as Payment Application Data Security Standard (PA DSS) compliant. If it is not, again you can’t be deemed PCI DSS compliant.

6. Be wary of any self-proclaimed technology products or tools that claim to be compliant. PCI DSS doesn’t lend itself to being used for the certification of hardware or as a tool. Instead it takes an organisation or service view and therefore only organisations or services can be deemed or certified as PCI DSS compliant. Purchasing and deploying a self-proclaimed PCI DSS compliant product is not going to bring you any closer to compliance.

7. Merchants who only have a standalone POS environment also need to be PCI compliant. Having a PA DSS certified EFTPOS solution in place is an essential step, but so is ensuring that all relevant physical security requirements at your store location meet PCI DSS, for example over the storage of paper transaction receipts, and that your EFTPOS provider is a compliant entity. Request proof of this compliance and do not just trust that they are.
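As an added example (not part of the original article), the following Python script shows one way to check the point made in item 4(a): scanning logs, exports or database dumps for magnetic-stripe Track 2 data and for Luhn-valid card numbers that must not be present after authorisation. The sample log lines are constructed for illustration, the Track 2 layout regex is an assumption about the common `;PAN=YYMMSSS...?` format, and the 4111... card number is a widely published test number, not a real account.

```python
import re

# Track 2: ';' start sentinel, PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data (may carry PVV/CVV), '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one line of text."""
    findings = []
    track2_pans = set()
    for m in TRACK2_RE.finditer(line):
        track2_pans.add(m.group(1))
        findings.append(("track2", mask(m.group(1))))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        # A PAN inside a Track 2 hit is already reported as the more severe finding.
        if digits not in track2_pans and luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings

def scan_text(text: str) -> list:
    """Scan multi-line text; return (line_number, kind, masked_pan) tuples."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, masked in scan_line(line)]

# Constructed sample log; the card number is the public 4111... test number.
SAMPLE_LOG = """2009-03-31 auth ok txn=8812 card=4111 1111 1111 1111 amt=19.95
2009-03-31 debug raw=;4111111111111111=1012101123?
2009-03-31 order=123456789012345 customer=C-0041
"""

if __name__ == "__main__":
    for n, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {n}: {kind} {masked}")
```

The third sample line is a 15-digit order number that fails the Luhn check, so it is not reported; only masked values are returned so the scanner's own output does not become another store of cardholder data.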

All of this can be complex and potentially overwhelming to have to navigate. Seek assistance and advice from external parties if necessary. Putting in the effort to understand it and get it right at the outset will save you a world of pain and costs in the long-term.

In summary, PCI DSS is a business issue with strategic and information technology implications on your business and should be handled as a business problem.