Payment Card Industry Data Security Standard (PCI DSS) is not considered to be a law on its own, rather it’s a regulated set of controls that are mainly focused on cardholder data protection. Why there is there such a buzz surrounding this standard then? The answer resides on peoples’ mindset. This includes a resistance to change, costs involved, knowledge, ability to implement and maintain compliance, and effort. Arguments often heard are along the lines of “we are a small company therefore nothing will ever happen to us”, “this is something for the techies and not for business” and queries on its “importance”. The arguments are derived from the rigidity of security controls and the fact that the auditing requirements are open to interpretation: they have to be to cater for the variety of factors involved. The truth, however, is that even small businesses are valid targets for criminals, the controls are as much business process-related as they are technical, and its importance is widely recognised.
Some companies seek to certify their compliance on information security management by achieving the ISO 27001 standard. This, whilst a valuable and laudable standard, it is not a replacement or substitute for PCI DSS. Both frameworks have the same goal of ensuring information security but they differ in many aspects. Though since there is some harmony between the two standards, adhering to both is very beneficial.
Keeping pace with a changing landscape
I was fortunate enough to meet David Lacey in one of his speeches in 2012, and again recently at the InfoSec exhibition in London a month ago. He’s an innovator and futurist who was involved in the creation of BS7799 which later became ISO 27001/2. Through a speech he gave two years ago he addressed the necessity of creativity and the importance of pioneering new techniques, due to the fact that no currently-existing standard is perfect. The business environment of tomorrow is likely to be very different from that of today. The ISO framework was designed in the 90s for a world that was not fast-changing. Since then, in an environment of APTs and large scale data breaches, the landscape in 2014 is almost unrecognisable.
This year the PCI DSS framework celebrates its 10th birthday. It is one of the few standards that evolves as time passes and is not stuck following out-moded practices as some other standards do. It’s not perfect, but it is a very capable and useful set of minimum standards and adapts to the changing landscape. I have spoken with merchants that process and store credit card data who were told by their Acquiring banks that they must achieve their PCI compliance to maintain their merchant accounts. Most of them did not leverage the PCI compliance as an opportunity to improve their processes, infrastructure, suppliers’ relationships and clarification of roles and responsibilities. Instead they used it as a box-ticking exercise to scrape through their compliance. This shows a lack of awareness of the bigger picture and the very real improvements PCI DSS compliance can make – especially among merchants that have less than 6 million transactions per year.
What if you take the risk?
If PCI compliance is not achieved and maintained, these merchants are at risk of losing their merchant accounts and they will not be able to accept card payments at all, with a high possibility of being placed in the VISA/MasterCard Terminated Merchant File – a blacklist that makes companies unqualified to obtain another merchant account for a few years. In case that a website or a company gets compromised, the Information Commissioner’s Office (ICO) has the power to fine companies up to £500,000 each for serious security beach. The chain reaction does not stop here: a PCI forensic investigator is required to establish the source of breach (an expensive and time-consuming process), legal fines from customers are inevitable, of course, there will be severe reputational damage.
A rewarded effort
Despite its merits, or perhaps because of them, achieving PCI compliance is not an easy task and is often underestimated. The reasons are the overwhelming 289+ controls to be set in place and the determination required of those people responsible for getting it implemented and maintained. It requires proper gap analysis and a carefully crafted implementation plan – often running to tens of mini projects – to achieve all controls. Once the standard is in-place, a firm hand is required to ensure on-going compliance.
Most of the time it takes between 4 and 6 months to implement all these controls and can be costly in regards to licences for log/file integrity monitoring, ASV scans, penetration testing and so on. However, the effort and expense spent here can save much more – potentially your whole company – by preventing a breach. PCI DSS offers a business fundamental security practices, better management, protection of sensitive data, continuity of their operations, and most importantly the education of the weakest link: its people. This includes encryption, access control, vulnerability assessment/penetration testing, system hardening, network segregation, log monitoring and an effective information security policy with a lot of emphasis on incident response.
The proof? According to the Verizon report of 2014, organisations that are breached are less compliant with PCI DSS than the average organisations.
What will you do?