Our thinking

PCI DSS – More than an IT Upgrade

The Payment Card Industry Data Security Standard (PCI DSS) is possibly one of the most critical, but also least publicised and least understood, industry standards currently in existence today. PCI DSS is sometimes described as an IT standard, but it covers far more than network security.

The purpose of this article is to give you a brief overview of PCI DSS and how it may affect your organisation.

 

What is PCI DSS?
The major card companies (Visa, Mastercard, AMEX, Discover and JCB) have always had security policies which they expected their merchants to adhere to. In 2004, the five companies decided to combine their standards to form a single, international standard administered by the Security Standards Council(SSC) which would apply to all organisations that accepted card payments.[1]

The purpose of PCI DSS is to protect cardholders’ financial information by setting a minimum security standard that all merchants must meet or exceed. The standard is set by experts, and is designed to minimise the risk of data theft in most scenarios.

To comply with PCI DSS, organisations which accept card payments must complete a Self-Assessment Questionnaire (SAQ) every year and submit the results to their card services provider.

 

The scope of PCI DSS
The SAQs consist of requirements which cover IT infrastructure and business processes. The most complex PCI DSS standard (Self-Assessment Questionnaire D) has 12 requirements (with approximately 63 sub-requirements). The other SAQs are subsets of this “master list” of requirements.

The SAQ D requirements are reproduced below, with the IT infrastructure elements highlighted with a *

 

PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data. *
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks. *
5. Protect all systems against malware and regularly update antivirus software or programs. *
6. Develop and maintain secure systems and applications. *
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components. *
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data. *
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel[2]

 

As you can see, the requirements are evenly divided between requirements which focus on infrastructure and requirements which focus on business policies and processes. This reflects the fact that employees are often the greatest security threat to a business.[3]

The six IT infrastructure requirements also have a procedural element: e.g. configuring a security tool to report on access to network resources and cardholder data has little value if the logs are not checked regularly for unauthorised access.

 

What does that mean for my business?
The good news is, compliance with PCI DSS doesn’t necessarily mean installing a lot of expensive software and equipment. Many of the PCI DSS requirements can be fully or partly met with simple, inexpensive procedural changes.

For example, “Protect stored cardholder data” may be as simple as writing a procedure telling staff to put hard copy payment forms into a secure shredding bin as soon as they have been processed and quality checked.

The bad news is, compliance with PCI DSS can’t be met simply by installing new security software. Achieving compliance may require significant changes to how your business handles card information, and these changes will need to be documented and continually reinforced.

Terra Firma recommends that organisations begin the PCI DSS compliance journey by reviewing their processes to see how many requirements can be fully or partly met with procedural changes. This may help to reduce the cost of achieving and maintaining compliance.

 

 

 

 

 

 

 

[1] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard accessed 29/7/2016
[2] Taken from SAQ D Merchant (https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-D_Merchant-rev1_1.pdf?agreement=true&time=1487303288427) and confirmed against SAQ D Service Provider, accessed 17/2/17
[3] For examples, see http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html or http://www.csoonline.com/article/2908475/security-awareness/surveys-employees-at-fault-in-majority-of-breaches.html; http://www.experian.com/data-breach/2016-ponemon-insider-risk.html?WT.srch=2016_insider_risk_pr which report the results of surveys showing that employee error is the main root cause of IT security breaches.