Accepting credit card payments and managing customer cardholder information carries great responsibility. Payment card data breaches are becoming increasingly common. The Payment Card Industry’s (PCI’s) mission is to ensure that companies take better care of consumer payment card data. Just as an oil spill affects millions of people, so does a ‘data spill’.
In the last few months there has been a spate of high profile data breaches involving prominent organisations, leading to a growing focus on payment security. These incidents pose serious repercussions for anyone handling customer cardholder data, compelling them to look for ways to minimise their risk of exposure to fraud, better manage customer information and ensure that transactions are processed in a secure online environment.
All organisations that accept, acquire, transmit, process and store cardholder data are obligated to continuously protect that information to the minimum requirements set forth in the Payment Card Industry Data Security Standard (PCI DSS), proving compliance and reporting their compliance status annually. However, the recent Verizon Payment Card Industry Compliance Report shows that too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential data at risk. As a result, these businesses face a greater chance of losing confidential customer information and falling victim to credit card fraud.
PCI DSS was first introduced on the Australian market in 2004. It is a comprehensive set of multifaceted requirements developed to facilitate the broad adoption of consistent data security measures on a global basis. It is a standard for all merchants and service providers that store, process or transmit payment card data from participating payment card brands, including American Express, MasterCard Worldwide and Visa. Validation of compliance can be performed internally or externally, depending on the volume of card transactions. However, compliance must be assessed annually.
Many security breaches can be traced back to weaknesses in security decision making, which results from poorly implemented risk management frameworks and inadequately written security policies and procedures. Policies that are lengthy and painfully detailed are often never read, and therefore never followed. Alternatively, while policies are meant to be high-level documents, some are unfocused or written in vague terms that obscure the intent.
Despite the benefits it can bring, many companies still believe that PCI DSS compliance is a daunting and time consuming box-ticking exercise, rather than a strategic business initiative. The PCI DSS does indeed outline a procedural approach to compliance by itemising the 12 “digital dozen” requirements as a checklist. However, in order to move beyond a mere audit mentality, organisations should seek to really understand how key components of the Standard can apply to – and benefit – their individual business.
Key recommendations to help organisations meet their PCI compliance obligations include:
1. Treat compliance as an everyday, ongoing process. Compliance requires continuous adherence to the standard. This means a daily log review, weekly fileintegrity monitoring, quarterly vulnerability scanning and annual penetration testing. To achieve this, businesses should nominate an internal PCI “champion” to ensure that compliance becomes part of daily business activities.
2. Self-validate very carefully – or get someone else to do it for you. Level 1 and 2 merchants who process the highest volumes of cardholder transactions are allowed to assess themselves against the standard. Due to the numerous issues and conflicts of interest this can cause, organisations should seek an objective third party to validate the scope of the assessment or perform the testing.
3. Prepare to have the bar raised. In October 2010, the PCI Security Standards Council announced PCI DSS version 2.0. This version requires a more stringent executive summary and validation of methodology for scope definition. Organisations, many of which are having severe issues complying with the existing standards, need to quickly get ready for the new version.
4. Start early! One of the common misconceptions about PCI DSS compliance is when to begin compliance project planning. For the best chance of success, organisations should really look to beginning the compliance journey as soon as they decide to accept payment cards or explore a new acceptance channel – for example, connected with an e-commerce venture, or a new point of sale (POS) system. Organisations then need to adopt a prioritised approach to PCI DSS – not least as this helps to simplify the process. The approach required will probably vary from one organisation to another, so putting in the time upfront to identify key risk areas will help achieve real benefit…
To read the full story, make sure you subscribe now! Go to http://www.australiansecuritymagazine.com.au/subscribe/ and purchase either a 1 year or 3 year subscription today!