PCI - DSS Compliance – What is it and who must comply?

Thursday, 11 November 2010

In an environment with an increasing amount of personal and private data, people are becoming very security aware and end users are more and more cautious about giving out any form of ‘sensitive information’. This is a major concern for any consumer when passing over payment card details, and no more so than in any cardholder not present environment (call centre, IVR, e-commerce, recurring) where the end user feels a loss of control of his / her details.

The Payment Card Industry Data Security Standard (PCI – DSS) evolved because VISA, MasterCard, Amex, Diners and JCB each had their own individual standards. Five standards caused confusion, not clarity, so a harmonised standard (PCI – DSS) was created by the card schemes mentioned, and it is regulated by the PCI Council. The Data Security Standard is a minimum set of requirements put in place to protect the cardholder’s information, and it must be adhered to by all organisations that transmit, process or store payment card data. It is important to note that PCI – DSS is not law but an obligation enforced by the payment schemes, through the acquiring banks, by means of fines or other restrictions.

The Data Security Standard is made up of a group of principles, each with its own set of requirements. The principles are as follows:

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy.

All merchants and service providers who store, process or transmit cardholder data are required to comply with these areas and the sections around them as a minimum standard.

Today, non-compliance with this standard can put a business taking card payments out of business. Following a number of serious security breaches over the last few years, the schemes, and particularly the acquiring banks, have begun to make compliance with PCI – DSS a condition of doing business. For debt collection agencies this can be a big undertaking in terms of the cost of implementing a compliant solution, the operational impact and the ongoing management of compliance with the standard.


Third parties involved in PCI Compliance – QSAs, ASVs & Acquiring Banks

QSAs:

QSA is an acronym for “Qualified Security Assessor”, a company which has been approved by the PCI Council to conduct PCI – DSS on-site assessments.

In simple terms, the QSA will come on site once per year and audit the company’s people, processes and technology against every requirement in the PCI – DSS standard (approximately 230 individual requirements). They will also create and submit a Report on Compliance (ROC) to the PCI Council once the audit has taken place. The report will be reviewed and a decision made regarding the business’s suitability for compliance. A certificate will be issued where successful, and the process must be repeated annually to include any new additions to the standard.

ASVs:

ASV is an acronym for “Approved Scanning Vendor”, a company approved by the PCI Council to conduct external vulnerability scanning services.

In simple terms, the ASV will assess the vulnerability of your systems, procedures and policies by carrying out a ‘vulnerability scan’. This needs to be carried out at least once per quarter.

Acquiring Banks:

The acquiring banks have the responsibility of ensuring that any business taking card payments is adhering to the PCI security standards. Should ‘The Council’ be made aware that any business is operating in a non-compliant manner, they have the ability to impose fines on the acquirer responsible. By the same token, the acquiring bank is able to impose fines on the merchant in question and remove their merchant services agreement, thereby preventing the merchant from taking payments.

Is my business compliant?

The PCI Self-Assessment Questionnaire (SAQ) will assist a business in understanding the level of compliance that they must adhere to. There are different levels of compliance and these are based on certain criteria which include the annual number of credit/debit card transactions, validation requirement level as determined by the merchant’s acquiring bank, and channels through which a merchant processes payments (call centre, IVR, e-commerce, recurring, card present) and the security around these.

For each level there are criteria and validation requirements. Criteria determine which level a merchant falls into, and validation requirements are what must be done to demonstrate compliance at that level. These are as follows:

Level 1 Criteria: Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Level 1 Validation Requirements: Annual on-site security audit (reviewed by a QSA, or by internal audit if signed by an officer of the merchant company and pre-approved by the acquirer) and a quarterly network security scan

Level 2 Criteria: Merchants with 1 million to 6 million transactions per year
Level 2 Validation Requirements: Annual Self-Assessment Questionnaire and a quarterly scan by an ASV

Level 3 Criteria: Merchants with 20 thousand to 1 million transactions per year
Level 3 Validation Requirements: Annual Self-Assessment Questionnaire and a quarterly scan by an ASV

Level 4 Criteria: Merchants with fewer than 20 thousand transactions per year
Level 4 Validation Requirements: Annual SAQ

For Level 4, a quarterly scan by an ASV may be recommended or required, depending on the acquirer’s compliance criteria.

It is important to understand that if any business suffers a breach of cardholder data, regardless of business size or transaction volume, the business will be required to comply with the PCI Level 1 requirements!

Outsourcing as a viable option

Any business accepting card payments must be PCI Compliant to the required level. If this side of the business is outsourced to a payment service provider this can alleviate the vast majority of PCI Compliance requirements from the business. There can be a number of advantages to outsourcing to a leading payment service provider. As well as giving a merchant the ability to view transactions in real-time and deliver consolidated reporting tools they can also prevent a merchant from having to touch any cardholder details, and securely store credit and debit card numbers on behalf of the merchant, for use for future payments.

Many collection agencies store large volumes of historical card records, adding a further layer of complexity. Outsourced hosted solutions such as tokenisation can alleviate this problem. Tokenisation provides a means of passing ownership of both the capture and storage of card numbers to a PCI-DSS compliant third party. The token, and not the card number, is stored by the operator. This token is then used to initiate a payment, with the card number and its token reference being stored securely by the third party.
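The tokenisation model described above, as an added illustration that is not Realex’s code or any real vault API: a hypothetical vault holds the card number and hands the merchant a random token, the merchant’s own record stores only that token plus the last four digits, and a Luhn-based scan over the merchant record confirms no full card number remains in the merchant’s environment. The sample card number is a constructed test PAN.

```python
import re
import secrets

# Constructed test PAN that passes the Luhn check; not a real card number.
SAMPLE_PAN = "4111111111111111"
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used both to validate input and to spot leaked PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical PCI-scoped third party: keeps the PAN, hands the merchant a token."""

    def __init__(self):
        self._pan_by_token = {}  # only ever populated inside the vault
        self._token_by_pan = {}  # same card always maps to one token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token: carries no information about the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        """Initiate a payment from a token; the PAN never leaves the vault."""
        pan = self._pan_by_token[token]  # KeyError for an unknown token
        return {"status": "approved", "amount_pence": amount_pence, "last4": pan[-4:]}


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own system stores: token and display data, never the PAN."""
    return {"customer": "constructed-customer-1", "token": vault.tokenize(pan), "last4": pan[-4:]}


def contains_pan(record: dict) -> bool:
    """Scan a stored record for anything that looks like a full, Luhn-valid card number."""
    text = " ".join(str(v) for v in record.values())
    return any(luhn_valid(m) for m in PAN_PATTERN.findall(text))
```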

Making a decision to outsource card storage solutions to achieve compliance is difficult, and it is important that the partner chosen has security at the heart of its business. Ideally this partner will have strict security policies and procedures that go beyond those of PCI-DSS.

The cost of becoming compliant and maintaining ongoing compliance is high, and it requires expert staff, systems and processes (People, Process and Technology). The ‘mandated’ external services required by the PCI standard need to be carried out by specialists. Vulnerability scanning, QSA auditing and penetration testing come with a big price tag attached. In short, if you don’t have to be PCI compliant then try to avoid it.

Certain definitions within this article have been extracted from the PCI Security Standards Council documentation in order to ensure accuracy (https://www.pcisecuritystandards.org).

Realex Payments

Realex Payments enables thousands of businesses to accept payments in multiple currencies across multiple channels; from websites to call centres to ticket desks.