Unknown PCI DSS risks and the importance of compliance
INSIGHT ARTICLE
The Payment Card Industry (PCI) Data Security Standard (DSS) was introduced by the major credit card brands to implement controls for storing, processing and transmitting cardholder data. To discourage fraud and increase security for users, these card brands developed a control framework that has proven effective since its inception in 2007. While the compliance deadline for all organizations was in 2009, many state and local government entities still have difficulty maintaining PCI controls.
PCI DSS background
The PCI DSS has very specific controls that can be implemented to reduce the risk of data compromise. The standard is based on 12 requirements, with roughly 235 subrequirements, each of which is a specific control to protect data. These protections are designed with current breach methods in mind, and focus on integrating controls to prevent data loss. The way the card brands see it, the numbers are theirs, and they are entrusting merchants to process payments safely.
Any transaction using a card with a VISA, MasterCard, American Express, Discover or JCB logo counts toward your transaction volume. In a state and local government setting, federal government prepaid VISA cards are also counted, as well as credit transactions relating to child support, unemployment, workers' compensation and benefit payments. Automatic payments linked to a card must also be considered, such as toll collections, taxes and various payment plans. The number of transactions is then used to determine your merchant level, which defines each merchant's obligations to validate its compliance with its card processor or acquirer.
What are my PCI DSS obligations?
Many state and local government organizations do not know that they must be compliant with the PCI DSS, simply because no one has ever asked them to prove it. However, the card issuers have dictated that any entity that stores, processes or transmits (handles in any way) credit, debit or prepaid card numbers must adhere to the guidelines. Because merchants vary widely in size, any particular merchant can present a different level of risk to a card company for potential lost card numbers.
To ensure the validation burden is appropriate for the merchant size, the card companies have established different merchant validation levels, based on the number of transactions that organizations process. The process of proving your PCI compliance therefore varies with your transaction volume: organizations that process a large volume of transactions are required to do more to validate compliance than organizations with smaller volumes.
For example, if you process more than 1 million transactions annually, you must perform a full assessment, via a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), to certify that you have met PCI standards. If your volume is less than 1 million transactions per year, you can complete a self-assessment questionnaire (SAQ), signed off by an executive. However, note that while the validation effort changes with the merchant level, all merchants are required to be 100 percent compliant, regardless of level.
Additionally, keep in mind that the certification process only validates your compliance at the time of validation. If you were to suffer a breach, the validation does not protect you in any way. The idea is that if you were truly compliant, credit card data should not be lost.
As a merchant, your card processor or acquirer is responsible for your compliance, and can inform you of what your merchant level is. Remember to always ask your acquirer to specify your obligations, as each acquirer is different. In many cases, acquirers have different risk management processes and different reporting thresholds. For example, some card processors or acquirers require nothing from organizations with fewer than 10,000 transactions, while others require an SAQ.
Key concerns for government organizations
Based on the depth of the PCI DSS guidelines, most organizations typically need a full year to become compliant, depending on the internal priority placed on compliance, the number of gaps and use of outside assistance. Unfortunately, most organizations only get a 90-day notice from their acquirer to validate their compliance program.
For most organizations, that means going from little to no knowledge of PCI to being 100 percent compliant with all 235 subrequirements in 90 days. Ninety days is unreasonable to actually accomplish this, but since the compliance deadline passed four years ago, most acquirers will assume your organization has been compliant all along, and only needs to assemble the paperwork.
Public sector organizations typically struggle with remediation efforts. An initial PCI assessment will always identify issues, no matter how many transactions your organization processes. Many of those issues will require funding to correct, such as file integrity monitoring (FIM) systems, logging, and policies and procedures. Building a remediation budget into an initial assessment can be critical to achieving compliance within a reasonable time frame.
The guidelines are designed to minimize the risk of a breach that results in the loss of card numbers. To account for constantly changing threats, the PCI DSS is updated every three years. The draft of version 3.0 has been released, and is scheduled for implementation in 2014. Nevertheless, data breaches are reported frequently, often due to insufficient controls. A breach can cause significant financial and reputational damage to your organization; a proactive assessment can determine your compliance standing, identify any gaps and show how to remediate them effectively.