Avoiding the PCI Pitfalls
Data loss and theft has been headline news for a number of months now. Whether it is a major retailer, a UK government department, or a local e-commerce website, the national media is unforgiving to any organisation which is believed to have lost personal data.
Several senior executives have woken to some very uncomfortable reading in the daily broadsheets and tabloid press. Not only are press stories a concern; if the loss of data includes cardholder data, as defined within the scope of the Payment Card Industry Data Security Standard (PCI DSS), then there is the risk of substantial financial costs. The expenditure required to deal with a breach and its wider fall-out is substantial and incorporates considerable legal fees, forensic fees, card replacement costs and fines.
When the number of cardholders affected by a breach reaches into the millions, as was reportedly the case with TJX’s well-documented breach in 2007, then merchants can expect to pay tens of millions of pounds to meet the costs to issuers for the re-issuance of cards. Additional cash will also go towards civil lawsuits and hiring security experts to overhaul systems, train staff in best practice and instigate secure procedures. In fact, TJX stated they hold a reserve of US$107m to cover all costs associated with the breach.
If these costs are not enough to give the beleaguered retailer nightmares, the loss of customer confidence and subsequent reduction in sales and profits can only exacerbate them. Customer confidence can be fragile and many customers will vote with their feet if they believe that a merchant does not provide security for their payment details. A report by Ipsos MORI bears this out, and found that merchants could expect to see customers abandoning firms that suffer security breaches (53% of the respondents), opting to cancel their credit cards (48% of the respondents) and lastly reporting them to the police (20% of the respondents) or national consumer bodies (17% of the respondents). Moreover, 58% of the respondents wanted financial institutions and governments to take greater responsibility for the data they gather about customers.
So there are good reasons for merchants to take care of personal data, beyond the threat of fines for non-compliance, which is not only increasing but has also become a reality for many companies. And once the fines start to occur, they don’t stop until compliance is successfully achieved.
PCI DSS provides 12 main requirements for a secure environment that breaks down to over 230 individual controls. These controls can be viewed as very prescriptive; initially they appear to provide very little flexibility in how they can be interpreted or implemented. The benefit of this approach, however, is that they provide a common framework which all merchants, payment providers and acquirers must work to. The standard itself was developed from security best practice and can be seen as being related to standards such as BS7799 and Sarbanes-Oxley.
Many merchants, when first confronted with PCI DSS, wonder where to start. It can appear daunting and the standard can use terms and references that may not be familiar to all IT staff. Much as it may be surprising to some, terms such as AES, DES, PKI, NAT and IDS don’t commonly surface during many dinner party conversations and trying to decipher it all while wondering if your organisation’s security standard is sufficient to gain accreditation is enough to set alarm bells ringing for the calmest of IT security teams.
So where should the merchant start? I would always advise a client to begin by following the cardholder data. By following the cardholder data through the environment from point of entry and identifying all the uses of the data, it is possible to begin the process of building a picture of the cardholder data flow and its static locations. Identifying cardholder locations and flows will allow a merchant to identify which areas of his infrastructure will be in scope for the standard and which will fall outside of the audit. Of course, if the network isn’t segmented, then the bad news is that the entire network and all of the devices will be within scope.
Not all points of storage are obvious and will need tracking down. One of the most contentious areas, for example, has been voice recording. Many merchants have voice recordings that are retained for a period of time. Voice recordings may contain both cardholder data and the sensitive authentication data and, as such, are within scope of the audit. Similarly, paper that contains cardholder data will also fall within the remit of the audit. Merchant till receipts, mail order forms and chargeback letters will all contain the full 16-digit primary account number (PAN).
Then there are the groups for whom cardholder data is deemed necessary for the business. These groups are normally found in finance, fraud, profit protection, marketing and even loyalty. In several recent consultancy cases, I have seen the PAN being used as a primary key to databases concerned with personal activity rather than payment activity.
Once you have found all the cardholder data and its flow through the network – what are the next steps? Let me add a caveat at this time. In most large scale projects, new locations will appear during the whole process, so an iterative approach will often be best. However, at this point, you should now be able to identify all the servers, network devices and systems that will be within the scope of a compliance audit.
The next item on your PCI to-do list should be a gap analysis. A gap analysis will measure where a merchant’s infrastructure, policies and procedures are against the PCI DSS and highlight all those areas where controls are not being met. This can be a huge task, depending on the size of the merchant and the complexity of the infrastructure. Once this analysis is complete, a report should be created, identifying the failures and assessing the associated risks. Again, the advice for merchants is to develop a remediation programme that addresses the high-level risk items first. The card schemes have indicated that they prefer a risk-reduction-based model for the remediation plan, rather than just a control count of failures and passes.
Once the plan has been created, costs, timescales and manpower can be estimated and approval sought for budget to begin the path to compliance. The path is likely to be long and there will be delays, but once the journey has commenced at least there should be some light at the end of the tunnel and the merchant’s senior executives can start to sleep more easily and pick up their morning paper without trepidation.
Decide who owns the relationship with the acquiring bank, where responsibility should lie; with the finance or IT departments or an internal audit. Stay in regular contact with your acquirer.
Ensure the board understand the risks, the liability model, and the potential costs.
PCI is related to all payment cards issued by the five card schemes. Cardholder details are in scope whatever their usage. Personal data, loyalty data are not in scope of PCI – however a corporate security architecture may lead to savings. Pre-authorisation is not precluded, but may be treated differently.
Very few corporates are able to identify all cardholder flows and business processes in the first iterations. Constantly review and educate staff on the requirements.
Does tokenisation, re-directing to third party websites, e-commerce websites to a third party supplier, or network segmentation remove a network from scope?
What is valid encryption – does it remove the other requirements from scope?
Obfuscation is not encryption.
If you understand the why getting to grips with the how is much easier.
Protecting one million cards in a SQL Server database is a higher priority than 10 card details in a scanned file archive.
Understanding authorisation, settlement, refunds, chargebacks, pre-authorisation, AUS, transaction fees, etc. is key to ensuring the business process continues to operate. Simply changing business processes may avoid lengthy technical solutions.