Practical IT Research that Drives Measurable Results Develop a PCI DSS Compliance Strategy.

Presentation transcript:


Introduction

All organizations that deal with processing payment card data must be aware of PCI DSS standards and how they apply to their scenario in order to mitigate the risk of litigation and fraud. While most small and midsize businesses (SMBs) will not come under pressure to adopt full compliance in the coming year, everyone should begin adopting processes that are in line with PCI DSS standards. These will include:
- Re-evaluating how cards are processed.
- Weighing the value of using/storing card data versus the cost of protecting it.
- Developing a strategy that focuses on security first, compliance as needed.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) is designed to validate security measures by defining a standard for the way sensitive payment card data is handled. However, compliance does not guarantee security, and the end goal of an organizational effort should be to protect sensitive data. Enterprises can save a lot of money by NOT blindly adopting PCI standards. Instead:
1. Simplify. Move away from POS systems that store payment card data.
2. Outsource. Use third-party portals and bank-operated POS systems that connect to compliant processors.
3. Leverage the PCI DSS Prioritized Approach. The reality is that small and midsized enterprises will not be fully compliant overnight. The prioritized approach recommends focusing on certain key processes and controls ahead of others.

1. Understand PCI DSS
2. Assess Pressures and Risks
3. Develop a Data Security Strategy

PCI DSS is built on twelve domains designed to protect sensitive data

There are 225 controls covered in the PCI DSS. Adherence to the standard is enforced by the members (Visa, MasterCard, American Express, Discover and JCB) or their designated banks acting as proxies. Enforcement has not been consistent across financial institutions. For an audio-visual rundown of the twelve domains, visit the PCI institute.

Compliance with PCI DSS doesn’t necessarily make you secure

Waiting for the light to turn green before crossing the street puts you in compliance with traffic laws, but it doesn’t necessarily keep you safe. Just because the light is green doesn’t mean you cross with your eyes closed. Enterprises that focus on having documentation in place only for the sake of passing an audit are putting themselves and their customers at risk.

PCI DSS is a set of standards designed specifically to protect payment card data.

PCI DSS is not:
- Government-enforced law.
- Equally enforced across the retail industry.
- A holistic security standard.

PCI DSS does not:
- Guarantee against hackers!
- Limit litigation against the enterprise!

“PCI DSS doesn’t prevent you from getting hacked. It just gives you a warm, fuzzy sense. It feels good, but I don’t know how much good it does.” - Head of IS, Public Sector

Appeasing auditors is not as challenging as truly securing client data

More PCI DSS compliers succeeded with compliance than with data security. IT leaders interviewed by Info-Tech agreed that leveraging a compliance mandate helped gain buy-in from executives for security investments that they would not otherwise have received. However, the data shows that project efforts for many clients were focused on passing audits and not necessarily on improving enterprise security. 300% more enterprises succeeded with compliance than with security!

Compliance for the sake of passing an audit failed to save Heartland Payment Systems from the largest data breach ever

Heartland Payment Systems (HPS) is the sixth largest credit card payment processor in the US, processing transactions for 250,000 businesses, with 100 million transactions per month.

Situation & Impact
- In 2009, HPS announced a massive network-wide data breach by malicious software.
- The data breach was not well understood. HPS could not answer:
  o How long it had been breached.
  o How it had been breached.
  o How much damage had been done.
- 130 million credit and debit cards compromised.
- Cost of the breach has already exceeded $140 million.
- HPS stock dropped 40% on news of the breach, losing $1 billion in market capitalization.
- HPS was PCI compliant at one point, though not at the time of the breach.
- End-to-end data encryption was not in place.
- Qualified Security Assessor (QSA) audits were in place but failed to detect a common attack pattern of malicious software.

“We certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure.” - Robert Carr, CEO of Heartland Payment Systems

Enterprises that don’t protect sensitive data are subject to prosecution under federal privacy laws

PCI DSS compliance is not the law; it is in the hands of the member payment card brands such as Visa and their associated banks to enforce the standard. Enterprises that fall under the health, finance and government sectors may actually be compelled to adopt PCI standards due to the correlation between card data and identity theft. While PCI DSS is not heavily enforced by the payment card industry, the controls it represents can mitigate the risk of federal prosecution and private lawsuits.

Concerned about legal obligations? The following federal privacy laws are relevant:
- Right to Financial Privacy Act of 1978 (RFPA)
- Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
- Family Educational Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
- Fair and Accurate Credit Transactions Act (FACTA) of 2003
- Electronic Communications Privacy Act of 1986 (ECPA)
- Electronic Freedom of Information Act of 1996 (E-FOIA)

“With credit card data on hand, hackers are only a step away from full identity theft.” - IT Security Expert

Enterprises, not their banks, must assess the risks and consequences of a breach

TJ Maxx: In 2007 TJX, America’s largest off-price apparel chain, discovered that its systems had been compromised for 18 months undetected. 80GB of credit card data was stolen from over 90 million customer cards. Costs from the breach reached $250 million within one year ($202 million in litigation alone). Lawsuits, fines, and claims have plagued the chain since.

All organizations processing payment cards should have some understanding of PCI DSS because:
- Banks will go after merchants when the merchant’s potential losses become a risk to the bank. Enterprises must assess their own risk to protect their reputation and to avoid losses due to fraud and litigation.
- Though only tier one merchants are currently being held accountable to the standard (by banks), the industry may extend its reach to smaller vendors over time, with audits of merchants who fall into the self-assessment category.

“From a compliance standpoint, this is taken very seriously because it’s brand reputation and damage to the overall brand. A theme that’s turning internally is, ‘We don't want to be another T.J. Maxx.’” - Director, Information Protection and Risk Mitigation, Retail industry

Info-Tech helps professionals to: sign up for a free trial membership to get practical solutions for your IT challenges.

“Info-Tech helps me to be proactive instead of reactive - a cardinal rule in a stable and leading-edge IT environment.” - ARCS Commercial Mortgage Co., LP