The PCI (Payment Card Industry) DSS (Data Security Standard) mandates are growing in scope, encompassing more and more organizations – small and large alike. While adhering to the requirements helps prevent card data breaches, non-compliance invites hefty fines from authorities in addition to damaging the business's reputation. Despite PCI DSS providing guidance on becoming secure and raising awareness of payment card security breaches, organizations fail to meet PCI's mandates, exposing themselves to cybercriminal attacks.
The Verizon 2014 PCI Compliance Report found that the average compliance level for companies subject to the controls and sub-controls in PCI DSS rose by more than 32%, from 52.9% in 2011 to 85.2% in 2013. However, the report also reveals that only three out of every five companies cleared 6 of PCI's 12 requirements, while only 11.1% of companies fulfilled all the requirements of PCI DSS 2.0 in 2013. Further, according to The Nilson Report, losses from global card fraud in 2012 stood at more than 11 billion, with 63% borne by card issuers and 37% by merchants and payment processors. As if this were not enough, recent incidents involving Target, Neiman Marcus and Michaels Arts & Crafts reveal a card security scenario worse than the world is made to believe.
All these (mis)developments highlight that the assessment of PCI compliance is of vital significance for any business that stores, processes or transmits cardholder data. By meticulously identifying and eliminating deficiencies in security practices, organizations can create a more secure payment card environment. Preparation for a PCI DSS assessment involves the vital steps detailed below:
Companies that handle cardholder data are at a heightened risk of a security breach, which necessitates a risk assessment of the overall IT infrastructure. This facilitates vulnerability assessment through threat detection, ultimately enabling the prevention of data theft. As a critical component of the risk assessment, the company should identify the vital components of the environment. Thereupon, an independent analysis of each component should be performed to gain critical insights that lead to prioritization of countermeasure efforts. In this regard, companies may contract with a QSA (Qualified Security Assessor) firm for an objective assessment.
It is essential that a vigilant workforce remains central to the risk assessment and management processes. An ineffective workforce will undermine what technology achieves. To gain the human advantage, people entrusted with key responsibilities should be afforded periodic skills enhancement programs, while the security habits of the general workforce should be improved through training. In this regard, PCI Security Standards Council (SSC) general manager Bob Russo said, “PCI security is a strong combination of people, process and technology.”
Following completion of a successful risk assessment, businesses will have valuable insights into their security measures. The risk management process itself and the subsequent findings should be recorded. These records provide evidence for authorities that an audit has been performed, while the outcomes empower senior executives to address any potential threats. Maintaining procedural records also helps to align business processes with the prescribed norms.
A clear picture of the company's security environment – achieved by following the previous step – set against the prescribed requirements helps to identify any existing regulatory weak link. This should be followed by measures aimed at addressing the issues. Thereafter, for reassurance, it is wise to contract with a QSA firm to conduct a gap analysis, which could identify any additional regulatory issues. This should be followed by quarterly external scans performed by an Approved Scanning Vendor (ASV) and by annual penetration testing.
Apart from following the aforementioned steps, companies would do well to incorporate PCI compliance from the planning stages, form a team of stakeholders for review and prevention, avoid storing redundant data, and perform mock assessments.
After successfully executing these steps in earnest, a company is ready for a complete PCI DSS assessment. Now is the time for periodic internal audits. Regular meetings should review the security situation and devise means to counter any new threat. PCI DSS, which turns 10 in 2014, must be integrated into the overall risk management framework of an organization, as it will offer an understanding of which components may become vulnerable to a card data security breach and where to direct remediation.
The PCI compliance process has its own challenges, and uncertainties are being raised as to how businesses will successfully transition to the new 3.0 version. But according to Russo, “Ongoing deployment and maintenance of PCI standards as business as usual is the best way to protect payment card data.”