Industry Insight: PCI DSS

Industry Insight UK

PCI DSS? You should know this…

PCI DSS – What is it? Does it affect you? How do you comply? Allow us to explain…

PCI DSS – that’s the Payment Card Industry Data Security Standard – started life as a number of separate schemes operated independently by VISA, MasterCard, Amex and others. In 2004 the Payment Card Industry formed the Security Standards Council (PCI SSC), which aligned the disparate policies into one standard – and PCI DSS version 1.0 came to be. Bringing it right up to date, version 3.1 was released in April 2015. Although the standard started life in the US it is now accepted as a global benchmark – so there’s no way to avoid its impact if you are a merchant. Gaining compliance can be time consuming and expensive – but as you will see there is a smarter way to become compliant.

And another warning – this area of the industry is saturated with acronyms, which we’ll try to explain as we go through this article.

So what’s it all about?
Essentially, the PCI Data Security Standard specifies 12 key requirements for compliance, categorised into 6 logical sections known as ‘Control Objectives’. We’ll analyse those below. Once you are PCI DSS compliant – according to the Tiers of Merchants (and there are four of those, also see below) – you are effectively in a ‘safe harbour’ – a bit like an insurance policy – and it shows you have taken fair and reasonable steps to protect the cardholder data in your care.

PCI Data Security Standard – the 12 key requirements for compliance

Control Objective: Build and maintain a secure network
1. Install & maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords & other security parameters.


Control Objective: Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.


Control Objective: Maintain a vulnerability programme
5. Use & regularly update anti-virus software or programs.
6. Develop & maintain secure systems and applications.


Control Objective: Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.


Control Objective: Regularly monitor & test networks
10. Track & monitor ALL access to network resources and cardholder data.
11. Regularly test security systems and processes.


Control Objective: Maintain an Information Security policy
12. Maintain a policy that addresses information security for all personnel.

Myth: PCI will make us secure. In fact – it won’t. PCI compliance efforts must be a continuous process of assessment and remediation to ensure the safety of the cardholder.

The PCI Levels, as prescribed by the Card Schemes, are as follows: Effective 30.6.2011

All Level 1 and 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA). This is a key change to the existing requirement for level 2 merchants. MasterCard strongly encourages that all impacted merchants engage a QSA as soon as possible.

Level 1
Criteria
– Any merchant processing in excess of 6 Million MasterCard OR Visa transactions a year, regardless of acceptance channel.
– Any merchant that has lost data due to a security breach or hacking within the last 12 months.
Validation Requirement
– Annual Report on Compliance (ROC) (by either a Qualified Security Assessor (QSA), or qualified internal security resource)
– Compliant quarterly network scan by Approved Scan Vendor (ASV)
– Attestation of Compliance Form


Level 2
Criteria
– Any merchant processing between 1 and 6 Million MasterCard OR Visa transactions a year, regardless of acceptance channel
Validation Requirement
– Annual Report on Compliance (ROC) (by either a QSA or qualified internal security resource)
– Compliant quarterly network scan by ASV
– Attestation of Compliance Form


Level 3
Criteria
– Any e-commerce merchant processing between 20,000 and 1 Million MasterCard OR Visa transactions a year
Validation Requirement
– Annual Self-Assessment Questionnaire (SAQ)
– Compliant quarterly network scan by ASV
– Attestation of Compliance Form


Level 4
Criteria
– Merchants processing fewer than 20,000 Visa or MasterCard eCommerce transactions annually and all other merchants processing up to one million Visa or MasterCard transactions annually.
– Merchants currently in scope of deadlines are those who process fewer than 1 million Visa eCommerce transactions per year
Validation Requirement
– Level 4 merchants register compliance through our merchant portal

Myth: One vendor and product will make us compliant. No it won’t. You need a holistic security strategy that focuses on the “big picture” related to the intent of PCI DSS requirements.

What you the merchant MUST know is – currently both VISA and MasterCard require merchants (and acquirer processors, like us here at JetPay) to be PCI DSS validated. Card Issuing Banks don’t need to be, interestingly – but they must secure sensitive data in a similar compliant manner.

Here’s the catch though – if you are subject to or fall foul of a security breach and you are NOT PCI DSS compliant at the time of the breach VISA & MasterCard will hit you with heavy, expensive penalties. These penalties generally fall into two categories: Non-compliance and Account Data Compromise (ADC).

Non-compliance
Fines may be applied because of lack of progression towards PCI DSS compliance or for storing Sensitive Authentication Data (SAD); the fines can be levied every month and the value escalates if associated deadlines are missed. Typically non-compliance fines range from €4,500.00 to €9,000.00 per month plus anything up to €100.00 per compromised card – sometimes considerably more.

“…Back in 2008, Lisa White, a PCI DSS expert at Deloitte, estimated that if your customers’ credit card details fell into the wrong hands you could expect some serious fines. She suggests that a merchant with 10,000 customer cards would have to pay fees of around 5 Euros per card (€ 50,000.00) with investigation costs of anything from €30,000.00 upwards PLUS an average fraud of €1,000.00 per card. Add the cost of card replacement and obligatory chargeback fees – and that breach of a modest 10,000 customer details carries a fine of 11 MILLION Euros!! That is frightening!..”

Account Data Compromise (ADC)
An ADC is when a person or group gain unauthorised access to the cardholder data that is held within your business environment in either electronic or physical form. It can be identified in a number of ways but it is usually detected as a common point of purchase before cards are used fraudulently elsewhere. Once a potential ADC has been reported a PCI forensic investigator must come onsite to determine the source of the compromise and quantify the amount of cardholder data that has been stolen.

If you become the subject of an ADC you risk stiff financial penalties, the suspension or termination of your merchant facility, damage to your brand and reputation, and having to undertake additional ongoing audit tasks. There have been, and continue to be, many examples of ADC events worldwide, experienced by all types of business, small and large. It is important to recognise that criminals do not target any particular type of business; if there is an identified weakness and they can exploit it, they will.

“..a US based 2009 Ponemon Institute study concluded during its review of 45 data breach events in the previous year that the least expensive total cost to resolve a U.S.- based data breach event was $750,000 and the most expensive was $31 million. For issuers, acquirers, and their customers, efforts to blunt or at least mitigate and quickly remedy a breach event have an obvious impact on the bottom-line.”

So what’s the smart thing to do?

If you don’t need to hold on to the customer data – then don’t store it. Let your card processor take the strain. The most secure approach to processing e-commerce transactions is to outsource your card data to a Payment Service Provider. In simple terms the card data is captured, processed, stored and transmitted on computers completely removed from your environment. Sometimes this is referred to as a fully hosted solution. There are a number of technically secure ways of doing this. Talk to us – we can explain.

You MUST make sure that the supplier you use – like JetPay – is fully PCI DSS compliant.

At JetPay, we have our own Secure Tokenisation program that handles the sensitive data through our hardened PCI-compliant algorithms and encryption, through to storage under maximum security. And because the data is tokenised (encrypted), it’s useless and unreadable to anything other than JetPay’s processors.
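To make the tokenisation idea concrete, here is an added example written for this article; it is not JetPay’s code and does not describe its actual tokenisation programme. It models a toy processor-side vault that swaps a PAN for a random token, a merchant-side record that by construction has nowhere to put the full PAN or the CVV, and a small scope check that scans merchant-side data for anything that still looks like a card number. The vault class, the token format, the record layout and the test card number are all constructed assumptions for the illustration; a real vault would also encrypt its PAN table at rest, which is omitted here.

```python
# Added example (not JetPay's code): a minimal card tokenisation vault, to show
# why a tokenised merchant record is useless on its own. The vault, token
# format and record layout are constructed assumptions for illustration.
import re
import secrets
from dataclasses import dataclass
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (Requirement 3 style)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Processor-side vault (assumed to live in the PSP's environment, not the
    merchant's). Tokens are random surrogates: nothing about the PAN can be
    recovered from a token without this table."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Same card -> same token, so repeat purchases and refunds work
        # without the merchant ever handling the PAN again.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, no relation to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the processor calls this, at authorisation time."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class MerchantCardRecord:
    """What the merchant keeps. Deliberately has no field for the full PAN or
    for Sensitive Authentication Data (CVV/CVC, track data, PIN)."""
    token: str
    masked_pan: str
    expiry: str


def store_card_for_merchant(vault: TokenVault, pan: str, expiry: str,
                            cvv: Optional[str] = None) -> MerchantCardRecord:
    """Capture a card once: the PAN goes to the vault, the CVV is used for the
    authorisation only and then dropped (it must never be stored)."""
    token = vault.tokenise(pan)
    del cvv   # make the intent explicit: SAD does not survive this call
    return MerchantCardRecord(token=token, masked_pan=mask_pan(pan), expiry=expiry)


# Scope check: does a blob of merchant-side data contain anything that looks
# like a live PAN? Handy for confirming a record really is out of scope.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    return any(luhn_valid(m.group()) for m in _PAN_CANDIDATE.finditer(text))


if __name__ == "__main__":
    vault = TokenVault()
    # "4111111111111111" is a constructed, Luhn-valid test number, not a real card.
    rec = store_card_for_merchant(vault, "4111111111111111", "12/27", cvv="123")
    print(rec)                                          # token, ************1111, expiry
    print("masked record holds a PAN:", contains_pan(rec.masked_pan + " " + rec.expiry))
    print("vault can still charge it:", vault.detokenise(rec.token) == "4111111111111111")
```

The point the code makes is that the merchant’s copy of the record carries no cardholder data at all: the token is random, the PAN lives only in the vault, and the CVV never reaches storage. Because the vault returns the same token for the same card, refunds and repeat purchases still work against the token, which is what lets a merchant drop the PAN from its own systems.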

Is that it? Is that all I have to do?

Well, yes – but that’s subject to the stringent checks we have to do for legal, anti-money laundering and fraud detection reasons before we can accept you onboard. There are other benefits too…
• More sales, less hassle, greater reliability, more profit:
• More customers trusting you with their details means higher sales.
• Recurring payments, repeat purchases and refunds are easier and more secure.
• By working with our AccountUpdater, security is further boosted on automatic card updates.
• With the card data now secure, you could move more processes and systems to the cloud, with all the efficiency, flexibility and cost savings that brings.
• Fewer problems with your card issuer over reimbursement and legal action.
• No more PCI audits.
• No more third party Token Service Providers. We do it all in-house, giving you one less layer of expense and one less point of failure.

And there are many more services we offer to combat chargebacks and fraudulent activity. Just start here to find out more or email us.

Look out for our next Industry Insight later this month.

2017-01-25T11:17:55+00:00 January 18th, 2016 | Industry Insights