AN INTRODUCTION TO
PCI-DSS COMPLIANCE

Author: Nicholas Henry

April 2016

Table of Contents

1. Abstract

2. History

3. PCI-DSS Overview

4. Understanding PCI-DSS Compliance

5. Achieving PCI-DSS Compliance

6. PCI-DSS in the IT Department

7. Negatives of PCI-DSS

8. Positives of PCI-DSS

Abstract

Around the world, consumer migration from traditional cash and check payments to electronic payment methods such as credit, debit or bank transfers continue to grow. In 2009 a survey discovered that less than 37% of all payments are now made using cash or check. While there are many benefits to this, there are also significant new issues introduced as a result. As customers use electronic payment methods, there is an expectation of security for the cardholder’s identity and payment information. With all the recent data theft and security breaches, this is becoming a significant issue. To ensure the protection of consumer information, the Payment Card Industry, or PCI, developed a set of data security standards (DSS) that merchants and financial service providers must maintain to be able to process debit and credit cards. While PCI does not manage compliance or impose consequences for non-compliance, individual card associations may initiate financial/operational penalties to businesses that are non-compliant. The framework for compliance is based on merit, and it prevents security incidents from happening. PCI encourages the detection and resolution of any incidents as swiftly as possible.

History

Credit card companies initially developed and managed their own data security policies independently, which included VISA’s Accounting Information Security, and MasterCard’s Site Data Protection, American Express’s Data Security Standards, Discover Card’s Information and Compliance, and the JCB Data Security Program. These programs were aimed to bring a minimum level of standards for merchants who transmitted and processed cardholder data. Due to the similarities amongst these standards, PCI-DSS was established on December 16, 2004 in order to bring a set of security standards for companies that were involved with credit card transactions. Visa and MasterCard became the enforcers of the standard. For instance, MasterCard is responsible for the certification of products for companies who are can fulfill the scanning requirements, and Visa is responsible for training, certifying companies, as well as individuals who are capable of fulfilling the on-site audit requirements. Other PCI organizations are also contributors to the standards, but each card brand still has its own programs that go more in depth than PCI-DSS. However, PCI-DSS provides a solid foundation for cardholder data security as the PCI Council continuously adapts to new discoveries and changes in technology.

PCI-DSS Overview

PCI-DSS is known today as a set of information security standards that provide supporting materials for organizations that operate with debit, credit, prepaid, e-purse, ATM, and POS cards to improve credit card security. This standard operates on an international level for merchants that transmit card data. Also, it provides software developers and device manufacturers with guidance under the specific requirements. Before discussing PCI-DSS, a few terms need to be defined first.

- Visa and MasterCard are made up of Member organizations that can be either Acquirers or Issuers, or both.

- Acquirers are the Members of the Visa or MasterCard organizations which handle Merchants.

- Issuers are the Members of the Visa or MasterCard organizations that issue the cards to cardholders

- Merchants are businesses who accept card transactions.

- Service Providers are the entities that provide any service requiring the processing, storing or transport of card information.

In addition to developing security prevention and detection processes, PCI is also responsible for validating each organization’s compliance. For merchants that do not require an on-site data security assessment as per PCI DSS Security Assessment Procedures, Self Assessment Questionnaires, or SAQs need to be conducted to become PCI DSS compliant.

Understanding PCI Compliance

PCI compliance can be divided into three steps. When accepting payment cards we must:

Assess: Identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and look for vulnerabilities that could expose cardholder data.

Remediate: Fix vulnerabilities and do not store cardholder data unless necessary.

Report: Compile and submit remediation validation records, and submit compliance reports to the bank and card brands. Merchants can validate compliance with the PCI DSS internally or externally depending on the credit card data volume.

Achieving PCI Compliance

PCI DSS requires 12 points of compliance across six major areas. All merchants who use credit card data in their transactions must comply with PCI DSS. As PCI is recognized by all five global payment brands, compliance is important for every merchant worldwide. Penalties issued for non-compliance can range from fines to suspension, or limiting the ability to accept card payments.

There are six basic goals adhering to PCI DSS and each goal is comprised of specific requirements. Each goal is composed of additional procedures and requirements to be fulfilled outlined as follows:

Goal 1: Build and maintain a secure network

o Requirement 1: Install and maintain a firewall configuration to protect cardholder data

o Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2: Protect cardholder data

o Requirement 3: Protect stored data

o Requirement 4: Encrypt transmission of cardholder data across open, public networks

Goal 3: Maintain a vulnerability management program

o Requirement 5: Use and regularly update anti-virus software or programs

o Requirement 6: Develop and maintain secure systems and applications

Goal 4: Implement strong access control measures

o Requirement 7: Restrict access to cardholder data by business need-to-know

o Requirement 8: Assign a unique ID to each person with computer access

o Requirement 9: Restrict physical access to cardholder data

Goal 5: Regularly monitor and test networks

o Requirement 10: Track and monitor all access to network resources and cardholder data o Requirement 11: Regularly test security systems and processes

Goal 6: Maintain an information security policy

o Requirement 12: Maintain a policy that addresses information security for all personnel

Overall, there are 6 principles, 12 requirements, 45 sub requirements, 75 detailed requirements and other relevant testing procedures contained within PCI DSS 2.0 version which was released in October 2010. Significant changes in v2.0 include the application of PCI DSS to virtualization, and that each vulnerability must be evaluated against a risk assessment.

Companies that handle large volumes of transactions, such as service providers that transmit cardholder data of card company customers, merchants, or other service providers, require an annual validation procedure done by an external Qualified Security Assessor, or QSA. All major credit card companies divide each service provider into levels based on transaction volume. Each level then guides the service providers to their respective validation requirements.

PCI-DSS in the IT Department

To efficiently design a compliant IT environment, six steps should be followed to avoid extra costs:

1. Identify business processes with card data.

2. Focus on reducing the scope.

3. Identify where the data is stored.

4. Determine what to do with the data.

5. Determine who needs access to the data.

6. Develop and document policies.

Becoming compliant to PCI-DSS requires constant monitoring and maintenance involving more than just the IT department. It should be initiated from the upper management team, and established as an overall strategic goal. In general, the goal of PCI DSS is to prevent major security issues and to reduce the risks of payment card transactions by raising security amongst the merchants and service providers. PCI removes the burden of data security from business owners and limits credit card data storage where possible. The PCI standard operates internationally, and oversees any companies that deal with credit cards. Not adhering to the PCI requirements will result in penalties issued by the PCI Security Standards Council.

Negatives of PCI-DSS

According to a survey done by the Ponemon Institute, 71% of companies interviewed do not consider PCI-DSS as a strategic goal, and more than 50% believed that their CEO does not embrace PCI-DSS compliance. But despite the negative attitude, the survey also indicated that 75% of organizations achieved some level of compliance, while 22% achieved full compliance.

In addition, the institute discovered that companies are often not sure as to who should be responsible for their PCI-DSS compliance. 23% of organizations surveyed believed that the Certified Information Security Officer, or CISO should be responsible, and 21% believed that no one person should be responsible for PCI compliance. So achieving PCI compliance will be inefficient and more time consuming as a result. They also discovered that hiring employees for the purpose of PCI compliance will be very expensive.

Ever since PCI-DSS was introduced, many have doubted if it protects sensitive cardholder data. Compliance with PCI-DSS requirements requires several changes to a business’s existing systems. In the past, many of these changes were too expensive and involved changes to a business’ infrastructure. For smaller business, the implementation of business infrastructure changes, including access controls, secured network, and information security policies, can lead to lower profits, and prove to be disadvantageous.

As another example of PCI-DSS’ failure, in the year 2008, Hannaford Brothers, a PCI-DSS compliant grocery chain, lost 4.2 million credit card numbers. The Ponemon Institute conducted a study that collected information from 517 IT security employees, who were in charge of PCI compliance, and it showed that:

- Cost of PCI DSS compliance, is on average 1/3 of the overall IT security budget.

- 79% of companies have had a data breach.

- 55% of companies focus on protecting credit card data but not other sensitive information.

- There is uncertainty on which personnel are the most responsible for PCI-DSS compliance.

- Smaller companies are less compliant than large corporations.

PCI favors large corporations, and the cost of compliance prevents smaller companies from being PCI-DSS compliant. Smaller companies have fewer resources and often have difficulty in interpreting the standards and drafting a plan for compliance. Merchants are aware of the fact that they may have reduced profits and incur fines for being non-compliant. Level 1 merchants that deal with more than 6 million transactions/year, spent $3.38 million to become PCI compliant in 2008. The average cost of initial PCI compliance was approximately $700,000, and the average annual cost of maintaining PCI compliance was over $1,390,000.

The PCI standards also appear to be an incomplete security measure. Businesses comply with PCI DSS to be operational, functional, and legal, and PCI DSS is just a checklist of rules. This means that most businesses achieve the minimum standard, but are not really thinking about security. Also 55% of the companies surveyed showed interest only in protecting credit card data and neglected social security numbers and addresses. So in other words, PCI DSS did not enforce security, and protect systems against threats. It is not a complete solution to credit card data breaches. Therefore, being PCI compliant does not imply security.

QSAs discovered that more than 50% of companies do not take a proactive approach when looking at data security, and 54% of companies find PCI DSS compliance too expensive. Another issue shown was the division between the department that handles IT budgeting, and the one that handles IT functions. Most businesses allocate a budget for PCI compliance while the IT security group is responsible for the compliance procedures. This creates a mismatch of investment and expectation of outcome.

Positives of PCI-DSS

The primary goal of PCI is to reduce the risk of transactions and raise awareness of key aspects of data security. PCI fulfills its objectives as businesses are spending more on system security and are forced to be compliant with PCI DSS. It still does not guarantee absolute security, but the risks faced by card brands and cardholders have been significantly reduced.

Surveys indicate that PCI was important in persuading organizations to encrypt their data, and there has been a decline in theft of card data as a result. In addition, complying with PCI DSS enables a company to build brand trust, limit risk exposure, and therefore increase revenue.

Another advantage of becoming PCI DSS compliant is that it grants the business the safe harbor status. This means that in the event of a security breach, PCI DSS compliant business will not be fined, and courts will also be more lenient with PCI compliant businesses if they are sued by customers. Non-compliant businesses that handle credit cards are open to audits, fines, lawsuits, and losing the right to process credit cards.

A true security system requires personalization that addresses the specific needs of each individual company. PCI DSS should be the baseline for the overall security program and additional steps should be taken after assessing the business’ overall controls and risks

According to VeriSgn Global Security Consulting Services who conducted many PCI assessments over the past several years, 78 percent of businesses failed the audit due to lack of data protection, the lack of IT policies, controls, and governance. Proper governance should be ensure the success of PCI compliance. Risk assessments should be done outside of PCI as a supplement to PCI standards.

PCI in Canada

Canadian businesses have a particular interest in these developments since Canadians are among the world's most frequent users of payment cards. However, Canada has lagged behind Europe in adopting Chip & PIN technology on credit cards, making itself an alluring target for international data thefts. According to the Canadian Bankers Association, the total value of reported payment card fraud exceeded half a billion dollars in 2008. Due to the lack of privacy laws and a large base of small and medium-sized enterprises (SME), Canada is a primary target for identity and data theft. These SMEs lack the awareness and resources to adequately secure their confidential data and their computers are often left unsecured. In addition, even government bodies such as the Royal Canadian Mounted Police (RCMP) and Passport Canada do not have sufficient control and governance over their data protection policies. IT security experts have surveyed and discovered that Canadian consumers did not exhibit confidence over the security of their personal data held by institutions and banks, but fortunately, Canadian legislators quickly grasped this concept and recognized the need to improve Canadian laws over the protection of consumers’ data. Consequently, the PCI DSS adopted by the United States became a favourite model to meet Canadian needs. Due to the frequency and magnitude of US-Canadian business involvement, the implementation of PCI DSS in the US reduced the number of cases of Canadian data theft. Thus, PCI DSS became a suitable candidate to protect Canadian consumers. However, during the early stage, there has been much debate in Canada regarding the introduction of PCI DSS. Although Canada was looking for a way to protect cardholder data, many have opposed the act of legislating PCI DSS. Arguments have been made that the existence of Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates and protects personal data and other sensitive information, was a sufficient system to guarantee security in Canada and that PCI DSS can be used merely as a framework to enhance data security. Canada was evidently distant behind the U.S. in the implementation of IT security. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act only imposed insubstantial penalties to violators such as a notice of offence. The U.S. privacy laws, on the other hand, enforced strict policies that encouraged organizations to have strong IT security. The weak governing body was coupled with consumer concerns where only 0.5% of the consumers surveyed were confident that retailers could protect their online personal information, 9% were confident that major 9 financial institutions could safeguard their online information and only 36% of Canadian IT security executives surveyed believed that their company could exercise sufficient control to safeguard customer data.11 However, the forthcoming of PCI DSS also brought Canadian businesses trouble. Because of the delay in PCI implementation in Canada, many Canadian businesses became disoriented during the initial implementation stage due to lack of guidance and inconsistency in deadlines with their U.S. counterparts. The initial tight deadlines were dreadful for Canadian businesses, especially for SME, as they had a difficult time in interpreting the standard and little time to become compliant. In addition, SME in Canada complained that the cost of implementing PCI DSS greatly outweighed the potential penalty for being non-compliant. Consequently, many have resisted the implementation of PCI DSS. Technologies Involved There are a few technologies that enable cost effective compliance of PCI DSS. Among them, firewalls, anti-virus, anti-malware solutions, and encryption for data at rest and in motion ranked the highest. The survey also indicated that perimeter, location surveillance systems, website sniffer and crawlers appeared to be the least used out of the 18 technologies. QSAs believe that encryption is the most effective technology for data in motion and firewalls and encryption are amongst the most effective technologies for data at rest. Another interesting observation noticed was that only 2 percent of organizations assessed by QSAs fail, but 41 percent of organizations that pass the audit do not rely on mechanisms prescribed by the PCI DSS. Rather, compensating controls are used because the organizations deem the technology prescribed by PCI DSS to be infeasible. However, compensating controls can only serve as a temporary solution. As the reduction in future cost in technology, organizations need to adapt PCI DSS’ prescription. PCI DSS - Accounting Firms & Job Creation Since the inception of PCI DSS, accounting firms have been actively seeking ways to extend the breadth of their services and expand their services in the IT control and security industry. Major accounting firms such as Grant Thornton International Ltd earned their certification to become a Qualified Security Assessor (QSA)12 . Accounting firms are trying to establish the highest integrity and exhibit the highest level of competency in delivering PCI assessments. Increasingly, accounting firms are also 11 Arnfield, Robin. "Infosecurity (UK) - US Standards Drive Canadian Information Security."Infosecurity (UK) - the Online Magazine Dedicated to the Strategy and Technique of Information Security. 01 Mar. 2009. Web. 12 June 2011. //www.infosecurity-magazine.com/view/846/us-standards-drive-canadian-information-security/>. 12 Accounting Firms | Grant Thornton Becomes One Of The Largest Public Accounting Firms In The US To Be Named Qualified Security Assessor (QSA) Company by the Payment Card Industry Security Standards Council." Accounting Concepts and Finance. 2008. Web. 12 June 2011. //reviewitemssite.com/accounting/accounting-firms-grant-thornton-becomes-one-of-the-largest-publicaccounting-firms-in-the-us-to/>. 10 delivering IT consulting services incorporating PCI DSS compliance combined with process, controls, and other advisory services. The public has generally recognized that accounting firms’ auditing experience is of a great asset to assist them with PCI DSS assessment related works. Additionally, services offered by accounting firms such as internal controls audit and information security correspond to the skills necessary to assess card transaction security. An assessor should have an assurance background and experience to confirm compliance. Accounting firms will experience an increase in revenue due to the extended service line because they have a great reach to businesses and a solid client base. Compliance to PCI DSS is required by every business that handles credit card information, and thus, accounting firms can offer a more complete and one-stop-for-all services. Combined with their knowledge for existing clients and various industries, accounting firms will be able to add value to their service packages. The complexity of PCI DSS also triggers an additional line of service for savvy solution providers that help businesses to implement the system, reduce costs, and educate their clients. As the new 2.0 version emerges, businesses are rushing to update their systems while still struggling to grasp the existing mandate. The win-win opportunity arrives as savvy solution providers can handle PCI compliance projects and keep businesses focused on their main line of services. These solution providers also specialize in ensuring project efficiency and avoid redundancies in process and technology, which greatly enhances cost-savings for many businesses. A recent study done by the Aberdeen Group claimed that half of the cost can be saved by hiring solution providers.

Conclusion

It is critical for businesses that are not yet PCI compliant to take the appropriate measures to ensure the security of their customer’s sensitive cardholder data and achieve PCI compliance. Becoming PCI compliant will ensure the best customer experience, eliminate the risk of fines and protect their brand and customer confidence. For businesses who have already achieved compliance through an in-house solution, outsourcing should be considered as a means to free up the costs associated with this resource-intensive endeavor.

Although PCI DSS has apparent weaknesses and does not guarantee absolute security and safeguarding of cardholder data, it has enhanced the security over cardholders’ data to a great extent. PCI DSS should be kept in place and possibly implement minor changes to improve its efficiency and effectiveness. It has helped raise awareness of data security in the business world and encouraged many organizations to implement IT security systems. Additionally, PCI DSS has improved consumer confidence over the security of personal information to a great magnitude. Fraudsters are also forced to exploit more sophisticated data breach methods and overthrow traditional methods. This means that PCI DSS needs to remain alert to face emerging threats. Despite all the positive aspects of PCI DSS, it is by no means the end of IT security development. Each organization should assess its needs for security and develop a more company-specific solution, using PCI DSS as the foundation. Companies should feel responsible for consumer data they possess, and should continually enhance their IT policy, governance and system. No standard can ever guarantee absolute security, and it is dependent on each company’s effort to develop a complete and secure data storage system.

Recommendations

The following recommendations can help address some of the issues and concerns involving PCI DSS compliance.

- Tailor the compliance requirements to the specific needs and business environment of each organization. Smaller companies do not need the same security measure as larger firms. Smaller companies also lack resources to comply with complex policies and requirements.

- Develop a more cost-effective framework to benefit small to medium sized companies. If the cost to comply with PCI DSS is greater than the penalty it imposes for non-compliance, businesses are discouraged to adopt PCI DSS. The above recommendation is a possible method to reduce costs where smaller companies should have less complex requirements and procedures. • PCI Council should provide additional support and educate company executives on the role and importance of PCI DSS as part of a company’s overall strategy. Company executives often only fulfill the minimum regulatory requirements and fail to realize the potential role that PCI DSS can take on as part of a firm’s overall IT governance. This is especially true for small businesses where the owner lacks IT security knowledge and often do not use PCI DSS to its fullest extent. • PCI Council should improve its overall brand image and raise awareness of its brand value amongst the general public. It should subsequently create a compliance logo for each compliance business to display in-store or online. The purpose of this recommendation is to inform consumers that companies have taken additional security measures and have the capability to safeguard consumer confidential data. This can in turn encourage more companies to invest in security or improve the existing security system in order to gain a competitive advantage. PCI DSS can thus become a value-added requirement and businesses will be more willing to pay for its fees. • Designate the responsibility of PCI compliance to a defined personnel or a team within an organization to implement a company-wide security program. This team should initiate the implementation of PCI DSS and provide subsequent support upon implementation. Additionally, the team should be held accountable for the degree of utilization of PCI and integrate PCI as the foundation of the company’s overall security governance. This recommendation is more practical for larger firms with bigger IT security budgets, resources, and personnel.

References

Official PCI Security Standards Council Site -

www.pcisecuritystandards.org/security_standards/.

Payment Card Industry Data Security Standard Explained.

www.security-assessment.com