Some organisations are struggling to comply with the payment card industry’s new set of standards on data security. Nathan Skinner explains
Organisations that handle people’s personal information have a responsibility to make sure it does not fall into the wrong hands. Payment card details are one of the most important and vulnerable types of data. Consumers use them to pay for goods and services around the world in a myriad of environments.
Unfortunately daily headlines testify to the fact that consumer’s card details often go missing. A series of public and private sector blunders have recently left the personal information of millions of people at risk.
In the UK, the Information Commissioner’s Office recorded over 100 breaches of data security by private and public organisations in less than a year. The Commissioner, Richard Thomas, has implored corporations to take action: ‘The evidence shows that more must be done to eradicate inexcusable security breaches.’
In an effort to address the situation, the payment card industry (PCI) has come up with a set of standards. The data security standard (DSS) is an effort by the major card companies to increase confidence in the card payment system by making sure it is properly protected. Any company that processes card payments is encouraged to follow the standard.
Acting as enforcers, the card companies have said they will levy fines against companies that do not comply. Businesses could also lose revenue if they have their licence to accept payment cards revoked. Nor are governments averse to imposing penalties on companies that lose personal information. But the real cost is reputational. If a company is found to be leaking data its image could be ruined – and the cost of repairing it would be far greater than any fine or penalty.
‘It is infinitely less expensive to comply than to recover if you have a breach,’ says Bob Russo, general manager, of the PCI Security Standards Council.
Slow to comply
Despite the threat, many companies have failed to make the deadline for compliance. Either they were unaware of the introduction of the measures or felt unsure or unable to comply with them.
America has moved the furthest. ‘In the UK, organisations are closer to the US in terms of compliance,’ says Russo, ‘while most of Europe is further behind’. That could be because companies that spent a lot on ‘chip and pin’ are reluctant to invest in yet more security.
The big retail and banking sectors are probably the most advanced, and the payment card industry has focused attention on this area. But many public sector organisations, seen as low volume and low risk, have not been pushed as much.
Compliance is not the sexiest of topics in the current financial climate. It is a costly exercise and when credit is tight the investment may be hard to come by. Nevertheless, it is something that organisations need to address. Fortunately there is a lot of advice and help out there.
Paul Baker, vice president of payment system integrity for Mastercard, is keen to demystify the problem. ‘There are twelve broad areas to compliance and these can be summed up as common sense,’ he says.
“If you donâ€™t absolutely have to store data, then donâ€™t
The broad concept is that companies need to protect payment card data at rest. That means information that is stored within the organisation physically (card receipts) or virtually (in the internet memory, or cache) should be appropriately protected.
Going through the organisation and finding all the places where payment information is stored can be a major project, particularly in a large complex operation that deals in multiple channels of payment.
Alexander Grant, responsible for global fraud risk management with British Airways (BA) was responsible for the airline’s compliance project. Having been through the rigours of Sarbanes Oxley, BA felt prepared for the challenge. A partner with the PCI security standards council, Grant has held online workshops to share his experience. ‘PCI is critically about understanding where the credit card data enters the organisation and how it is used,’ he says.
Grant partnered with a third party quality security assessor (QSA), and it took about a year to understand what BA needed to do to achieve compliance. Getting into the detail he found that, in a business employing 45,000 people spread across the world, there were around 70 systems and 80 business processes that needed attention.
With that level of complexity, scoping the project is obviously important. One of the founding principals of the standard is that if you do not absolutely have to store data, then don’t. ‘The easiest way for us to become compliant was to remove the card data from anywhere where it wasn’t absolutely needed,’ says Grant.
Start by mapping your business processes, he suggests. Once the important data that needs protecting has been identified and reduced to a minimum, the ring-fencing to secure it can begin. That can be expensive. ‘One thing we recommend to reduce the cost is segmentation,’ says Baker. ‘If you can put all the card data in one central place rather than multiple locations it could be cost effective.’
Once you have re-engineered your business processes and taken parts of the organisation out of the scope it is important to do documenting. That will help you do an audit afterwards.
Finding an independent business partner to help you is a good idea, says Grant. ‘Don’t do this on your own; this isn’t a competitive issue. This is about securing the card data supply chain. You may find that someone has already faced the challenge and come up with an answer.’
A good culture and awareness of security issues also helps. ‘PCI is as much about the people and processes as it is about the systems,’ says Grant. If people in the organisation understand the need to operate safely and securely that’s half the battle.
The project cannot just be shoved into the hands of the IT department. ‘It’s as much about training staff, understanding process flows and challenging your business practices,’ says Baker. Buy-in across the organisation is essential. Most companies report success when the project was driven forward with engagement from senior management. ‘Getting friends in high places is very important,’ says Grant.
The level of investment that the project requires will vary depending on the complexity of the organisation and what has been done in the past. Replacing legacy systems can be very expensive.
“A good culture and awareness of security issues helps
Some of the longer established retailers have found the problems particularly burdensome. Sometimes their entire communications architecture has to be overhauled and extended to meet the PCI requirements. New online retailers may be more up for the challenge, having invested in newer security features.
‘A large, traditional merchant that has been in business for a number of years may have systems dating back 15 or 20 years. Back then security was different. To bring those applications up to today’s security standards could take a couple of years. There’s no way to do it faster. You don’t want to break the business,’ says Russo.
‘Having said that, I’ve seen large companies do PCI in 45 days,’ he adds.
Businesses that have undertaken the sometimes painful process have realised many benefits. Costs can be reduced by freeing up space on servers previously occupied by card data, or eliminating data processing that is not needed. Examining business processes can give organisations a better understanding of them, leading to other efficiencies.
‘A lot of companies are using PCI as a springboard to improve security across the enterprise,’ says Russo. The principals are generally accepted as a very good guideline and can be applied to protect any type of data.
Many organisations transact a big part of their business online. Around 50% of BA’s sales are over the web. ‘If your security structure is not good enough you are going to be attacked sooner or later,’ predicts Ivan Ristic, a web application security specialist with Breach Security.
To address this trend, the standard says all organisations must submit their web applications to a security analysis. ‘Eight out of ten web applications are vulnerable to attack,’ says Dave Whitelegg, IT security manager at Capita. He says attacks have evolved from the network level to the application. ‘This is the next low hanging fruit.’
‘Our recommendation is to do a code review and deploy a web security application,’ says Gaynor Rich, head of local government and payment services for Capita. However, just deploying web application security will not ensure you pass the test. The standard talks about monitoring counter measures. Management of the tools being deployed is very important. Companies need to constantly scrutinise their security. The payment card industry use auditors to scan companies to make sure they are assessing their own vulnerabilities.
But one of the problems organisations might run into when trying to assess their security is access to a QSA. In the UK there are currently only about 25. ‘No doubt that number will double in the next year or so,’ says Ash Patel, country manager for network security provider Stonesoft.
So far compliance has more or less been limited to the big payment transacting companies. In order for it to be fully embraced across multiple sectors a new kind of incentive may be needed. It might not be too long before consumers are only confident in using a service that has a PCI-approved stamp attached. That could provide a much stronger
12 requirements of compliance
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management programme
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security
Source: PCI Security Standards Council