The challenges of PCI DSS compliance

We were already steadily moving towards a cashless society, even before the COVID-19 pandemic hit; banks made it easier for us to use our cards while we are out and about, with contactless payments, and we are certainly spending more time and money doing our shopping online.

But these conveniences come with a downside: the potential availability of our personal—sometimes sensitive—information to cyber criminals.

Of course, it’s not just card payments, our general reliance on technology and the internet means the data available about individuals and organisations is increasing exponentially and so are the opportunities for cyber criminals. This means that digital security (or cyber security if you prefer) has had to become a strong focus. But what does that mean?

It means that organisations are investing in information security measures to protect their own data and that of their customers. They are embedding frameworks like ISO 27001 and adhering to regulations like GDPR to ensure that information assets are as secure as they can be and in the event of a breach, the damage will be minimal.

In the specific case of card data, increasingly in the UK and EU, organisations that store, process or transmit card payments must adhere to the Payment Card Industry Data Security Standard—or PCI DSS. The aim of PCI DSS, as defined by the Payment Card Industry Security Standards Council, is to encourage consistent security practices, protect “payment systems from breaches and the theft of cardholder data”, and avoid damaging instances of fraud.

The challenges of PCI DSS compliance

But what’s happening?

Data from Verizon shows that that fewer organisations are complying with PCI DSS despite the steadily increasing number of data breaches, a 35% increase in credit card fraud since the start of the COVID-19 pandemic and research highlighting that non-compliance is more expensive than compliance.

Why? The Verizon study showed that many organisations are overwhelmed with compliance requirements and, equally, struggle to maintain the compliance controls over time. There is also an element of weighing up the risk. Many companies are taking the stance of “we haven’t been breached before and the cost of making our company compliant is probably less than the fine and remediation costs”.

This is very much a guesswork approach. Organisations could be looking at fines of up to £500,000 plus remediation costs of up to £300 per record, if lost data comes under the jurisdiction of the EU General Data Protection Regulation (GDPR). Payment brands are also likely to fine an acquiring bank between $5,000 and $100,000 (USD) per month for violations (with those fines passed on to the merchant) and the bank can ultimately terminate relationships or increase their transaction fees. You could also reasonably expect affected customers to take legal action. And finally, like all types of breaches, there is also a high possibility of reputational damage, which has other far-reaching consequences for your business.

Instead of regarding PCI DSS as an administrative burden, however, organisations should regard it as a valuable tool with which to build brand reputation, customer confidence and, above all, an organisational culture that values good practices and accountability/transparency. It can be challenging. Making a security control or process work consistently well means it must become part of your organisation’s way of operating. Education and involvement, as well as visible leadership investment in/commitment to these processes, is critical. But the potential payoffs are significant.

“Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organisation. Compliance works.”

Rodolphe Simonetti, global Managing Director at Verizon

The basics of PCI DSS

PCI DSS compliance is built on a continuous process of ‘assess’, ‘remediate’ and ‘report’:

• Assess – The process of doing “an inventory of your IT assets and business processes for payment card processing and analysing them for vulnerabilities that could expose cardholder data”. For example, ensuring that all in-scope versions of operating systems and applications are included in vulnerability intelligence bulletins (see PCI DSS requirement 6.1); or part of your quarterly vulnerability scanning routines (requirement 11.2).
• Remediate – The process of fixing those vulnerabilities. For example, by installing vendor-supplied security patches on a timely basis (see PCI DSS requirement 6.2).
• Report – The compilation of records required by PCI DSS to validate remediation, and submission of compliance reports to the acquiring bank and card payment brands you do business with.

There are 12 mandatory security requirements:

• Install and maintain a firewall configuration to protect data (the ‘network security’ one).
• Do not use vendor-supplied defaults for system passwords and other security parameters (the ‘system configuration’ one).
• Protect stored data (the ‘data at rest’ one).
• Encrypt transmission of cardholder data and sensitive information across public networks (the ‘data movement’ one).
• Use and regularly update anti-virus software (the ‘malware’ one).
• Develop and maintain secure systems and applications (the ‘sys dev, plus’ one).
• Restrict access to data by business need-to-know (the ‘access control part 1’, one).
• Assign a unique ID to each person with computer access (the ‘other access control part’, one).
• Restrict physical access to cardholder data (the ‘physical security’ one).
• Track and monitor all access to network resources and cardholder data (the ‘security monitoring’ one).
• Regularly test security systems and processes (the ‘vulnerability scanning and pen testing’ one).
• Maintain a policy that addresses information security (the ‘governance bucket’ one).

Your organisation will be required to submit a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) depending on how many transactions are processed annually. These submissions provide evidence of your current compliance status to regulators, or other potential stakeholders such as customers and business partners.

How PGI helps organisations become PCI DSS compliant in the most cost-effective way

We help organisations: understand current compliance levels via gap analysis; implement appropriate controls with the help of a Qualified Security Assessor; and maintain compliance with regular auditing. Most importantly, we know that there are overlaps across many of the information security regulations and frameworks, such as ISO 27001, PCI DSS and GDPR, so we focus on existing controls and how they can be adapted – to save money, time and effort.

Contact us to discuss how we can help you achieve PCI DSS compliance efficiently and affordably.