The Payment Card Industry Data Security Standard (PCI-DSS) has now been around for over six years, giving anyone who handles card data ample time to have achieved an acceptable level of compliance, but every day we speak to organisations that have yet to implement any PCI measures.
So what's the real deal with PCI compliance and why should any company spend money on it while others are getting away with it?
We are asked this kind of question regularly by organisations of all sizes and industry-sectors. Sometimes the pushback is from board level, asking for clear-cut justification for PCI investment. Other times it comes from within the IT department, seeking to avoid the cost and disruption PCI measures will incur.
Regardless of where the resistance comes from, the general consensus does appear to be that adopting the standard is a sensible thing to do from a security perspective, but, like so many things in life, the common-sense view is outweighed by the perceived pain of achieving it. We will call this 'The Jimmy Savile Paradox', more of which later.
This is coupled with the anecdotal feedback that, whilst the acquiring banks (payment card transaction processors) promote the need for PCI measures, they seldom have the focus and continual drive to monitor the status of compliance, making it all too easy for merchants (anyone taking card payments) to place their focus elsewhere.
With 12 headline requirements covering 230 sub-requirements and around 650 detail points encompassing technology, procedure and process, there is no denying that the PCI-DSS is complex and is likely to cause disruption. But the benefits ultimately outweigh the pitfalls, particularly when there are shortcuts to compliance, which follow the 'How do you eat a whale?' philosophy (one piece at a time, in case you were wondering).
This 'prioritised approach', advocated by the PCI Security Standards Council, focuses attention on the most important 'biggest bang for buck' measures first, with the others broken into five levels of priority.
We would also always advise that, in order to control costs and minimise disruption, you understand the context and impact of each aspect to see which other requirements can be taken care of by implementing the same measure. For instance, file integrity monitoring is only specifically mentioned in requirement 11.5; however, good file integrity monitoring software solutions will underpin all of the other main requirements.
As evidence of the value of this approach, implementing firewall and anti-virus measures properly, with checks and balances provided via automated event log processing and file-integrity monitoring gets you around 30-35 per cent compliant before you do anything else.
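As an added illustration of the detection that requirement 11.5 calls for (example code written for this article, not the author's or New Net Technologies' own), here is a minimal file-integrity check: build a SHA-256 baseline of a directory tree, then report files that were added, removed or modified. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Minimal file-integrity monitoring (FIM): baseline a tree, then detect changes."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns the three classes of change a FIM alert should distinguish.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "firewall.rules").write_text("deny all\n")  # constructed
        (root / "conf" / "av.defs").write_text("sig-v1\n")           # constructed
        baseline = build_baseline(root)
        # Simulate unauthorised changes to the monitored files.
        (root / "conf" / "firewall.rules").write_text("allow all\n")  # modified
        (root / "conf" / "av.defs").unlink()                          # removed
        (root / "conf" / "extra.so").write_bytes(b"\x7fELF")          # added
        return check_integrity(root, baseline)
```

In a real deployment the baseline would be stored and signed outside the monitored host, and the result fed to the same log-processing pipeline used for the firewall and anti-virus checks mentioned above.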
The PCI Security Standards Council insists that PCI is more about security than compliance, and it really does work. When implemented correctly, the PCI-DSS will keep cardholder data protected under any circumstances.
In future, neglecting PCI compliance measures could mean you are gambling with even higher stakes. With PCI being such a comprehensive framework, big thinkers are arguing that PCI compliance should be leveraged to provide security for all company information as a whole and protect against the mainstream issue of identity theft.
Losing card holder data is one thing, but risking your customers' personal information is potentially far more damaging and your customers won't thank you if you have been irresponsible.
The Information Commissioner's Office (ICO) certainly believes the PCI-DSS could be used to deliver data protection measures. At the recent European PCI Community meeting in London, the ICO reinforced the importance and scope of the PCI-DSS by recommending that organisations should look to implement PCI for general data protection.
This is echoed across Europe, where ISO 27001 is taken much more seriously, especially in Germany, where the snappily entitled 'Bundesdatenschutzgesetz' (or BDSG, Federal Data Protection Act) has real teeth.
If a German organisation loses the personal information of its customers then it is required by law to 'fess up' by placing at least two, full-page advertisements in the national press informing the public of the potential identity theft they have been exposed to. Even if you don't believe in the power of advertising, you wouldn't want to test what this kind of publicity does for your brand and your sales.
Similar rules currently apply to telcos and service providers here in the UK, and the word from the ICO is that this will soon roll out to all organisations. If this is the case, ignoring the data protection standards laid out within the PCI-DSS will lead to fines and other penalties.
Which brings us back to the late Sir Jimmy Savile. Everyone knows he ran marathons and liked a shell suit and a cigar, but they also remember his 'Clunk, Click Every Trip' campaign, promoting the irrefutable wisdom of using car seatbelts. It was only when seatbelt use became law in 1983 that common sense became standard practice. Maybe data protection needs the same treatment?
Mark Kedgley is CTO at New Net Technologies