Nexia Pulse, Quarter 1 2016 issue

Payment Card Industry Data Security Standards (PCI-DSS): Does your business have to comply?


Credit cards are one of the most popular payment options nowadays, as they offer the convenience of not having to carry cash everywhere, and your money does not have to leave your bank account at the point of transaction. Despite these benefits, credit cards are also one of the most popular targets for fraudsters, mainly because merchants often lack controls to verify the identity of the card user.
The Target breach¹, for example, is one of the most notable payment card information breaches ever to occur as a result of compromised point of sale (POS) systems. Other big names such as Home Depot², Hyatt Hotels³ and Mandarin Oriental Hotel Group⁴ also suffered similar breaches involving their customers’ payment card information. Motivated by profit, fraudsters are now turning to compromised POS devices as a primary source of unencrypted payment card data. And no, this does not affect only big corporations, but also the small shops in your neighbourhood that accept credit card payments. Hence, it is becoming increasingly obvious that compliance with PCI-DSS has never been more critical.

History of PCI-DSS


Since the start of the internet era in the 1990s, an increasing number of merchants rolled out e-commerce websites and connected their payment processing systems to the internet to acquire new customers and to boost revenue by offering the convenience of online purchasing. At the same time, fraudsters began compromising poorly protected systems to steal payment data, making payment card fraud faster and easier than ever before.


Between 1988 and 1998, Visa and MasterCard reported credit card fraud losses totalling US$750 million. To prevent future fraud, in October 1999 Visa developed the Cardholder Information Security Program (CISP), a security standard for merchants conducting online transactions, which the other payment brands then followed. However, enforcement was largely unsuccessful because there was no single, unified standard among the payment brands. Only on 15 December 2004 was the first unified security standard released, supported by all five major payment card brands: American Express, JCB, Discover, MasterCard and Visa. The standard became known as the Payment Card Industry Data Security Standard (PCI-DSS), and compliance is mandatory for all entities involved in payment card processing, including merchants, processors, acquirers, issuers and agents, as well as all other entities that store, process or transmit cardholder data. On 6 September 2006, the five major payment card brands announced the creation of the PCI Security Standards Council (PCI SSC), an independent body that would manage the standard going forward.

What are the requirements?


PCI-DSS was developed to enhance the security of cardholder data and to ensure consistent data security throughout the payment card processing lifecycle. It consists of a basic set of technical and operational requirements for protecting cardholder data that mirror security best practices. The following is an overview of the 12 key requirements of PCI-DSS:

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

How to comply with PCI-DSS


While the PCI SSC is responsible for setting the data security standard, each payment card brand maintains its own separate compliance enforcement program. Each brand has defined specific requirements for validating and reporting compliance, such as provisions for self-assessment versus assessment by a Qualified Security Assessor (QSA). Your business’s risk level is measured by its transaction volume with a particular payment card brand, and that level determines the specific validation requirements that must be met. The processes for validating compliance and reporting to acquiring financial institutions typically follow this sequence⁵:


• PCI-DSS Scoping

Determine what system components are governed by PCI-DSS

• Sampling

Examine the compliance of a subset of system components in scope

• Compensating Controls

QSA validates alternative control technologies/processes

• Reporting

Merchant/organisation submits required documentation

• Clarifications

Merchant/organisation clarifies/updates report statements (if applicable) upon bank request
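Requirement 3 ("Protect stored data") and the scoping step above both turn on the same practical question: where does unmasked cardholder data actually live in your systems, including places nobody intended it to be, such as application logs? The Python script below is an added example written for this article, not code from Nexia TS or the PCI SSC. It scans constructed sample log lines for primary account numbers (PANs), uses the Luhn checksum to discard look-alike digit strings such as order numbers, and masks anything it finds to the first six and last four digits, the most PCI-DSS permits to be displayed. The log lines, the regular expression and the function names are all assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. Constructed for this
# example; production discovery tools add brand-specific prefix/length rules.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), which every payment card PAN satisfies.

    Working from the rightmost digit, every second digit is doubled and the
    digit sum of the result taken; the number is valid if the total is a
    multiple of 10. This rejects most random digit runs of the same length.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the PCI-DSS display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_from_match(m) -> Optional[str]:
    """Return the bare digit string if a regex match is a Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", m.group())
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every clear-text PAN found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            pan = _pan_from_match(m)
            if pan is not None:
                findings.append((lineno, mask_pan(pan)))
    return findings


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def _replace(m):
        pan = _pan_from_match(m)
        return mask_pan(pan) if pan is not None else m.group()
    return PAN_CANDIDATE.sub(_replace, line)


# Constructed sample log lines (hypothetical). The card numbers are the
# well-known public test numbers for Visa, MasterCard and American Express,
# not real accounts. Line 1 and line 5 carry 16- and 13-digit values that
# look like PANs but fail the Luhn check.
SAMPLE_LOG = [
    "2016-03-15T10:02:11 INFO  order=1234567890123456 status=paid",
    "2016-03-15T10:02:12 DEBUG card=4111 1111 1111 1111 exp=09/18 cvv=123",
    "2016-03-15T10:02:13 ERROR gateway timeout for pan=5555555555554444",
    "2016-03-15T10:02:14 INFO  amex=378282246310005 approved",
    "2016-03-15T10:02:15 INFO  ticket=2016031512304 closed",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: clear-text PAN found, masked form {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

A hit from `scan_log` means a PAN is being written in clear, which is itself a Requirement 3 finding to remediate at the source (stop logging the field, or truncate or tokenise it before the write), not merely something to mask after the fact; the `cvv=123` on the second sample line is a further problem, since sensitive authentication data may never be stored after authorisation. The regular expression only recognises spaces and dashes as separators, so a real discovery run should be checked against the formats your own applications emit.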


Only the acquiring financial institution can assign a validation level to merchants. Please refer to the following URLs for each payment card brand’s compliance programs:

• American Express www.americanexpress.com/datasecurity

• Discover Financial Services www.discovernetwork.com/resources/data/data_security.html

• JCB International www.jcb-global.com/english/pci/index.html

• MasterCard Worldwide www.mastercard.com/sdp

• Visa Inc www.visa.com/cisp

How Nexia TS can help


Nexia TS has a team of data security experts who understand the specific PCI-DSS compliance requirements for businesses of all sizes. Our unique proposition, combining years of experience in IT security and computer forensic investigation, allows us to view data security from many angles and to assist your business in preventing, detecting, responding to and investigating data breaches in a timely manner.

Our full suite of PCI-DSS Compliance Services includes:


• Pre-compliance Gap Analysis: onsite review and gap analysis to establish a baseline level of compliance and to address areas of non-compliance. This essential service forms the basis of a successful compliance program.
• Network Vulnerability Scans: identify network vulnerabilities to ensure ongoing protection from cyber threats and to meet annual PCI-DSS compliance requirements.
• Penetration Testing: provide a comprehensive and thorough analysis of network and application security, ensuring that cardholder data is protected against potential exploitation by internal or external hackers.
• Remediation Services: ensure that all deviations from PCI-DSS requirements are properly remediated and/or that compensating controls are designed to mitigate the risk.



¹ http://www.nbcnews.com/tech/security/target-reaches-settlement-visa-over-2013-data-breach-n412071
² http://www.forbes.com/sites/maggiemcgrath/2014/09/08/home-depot-confirms-data-breach-investigating-transactions-from-april-onward/#74e3b4b77c7b
³ http://www.channelnewsasia.com/news/technology/hyatt-hotels-attacked-wit/2373974.html
⁴ http://www.cnbc.com/2015/03/04/report-of-credit-card-breach-at-mandarin-oriental.html
⁵ Extracted from the PCI SSC Quick Reference Guide, available at https://www.pcisecuritystandards.org/



CONTACTS
For more information, please contact:

Mr Tan Kah Leong
Director
Technology Advisory
tankahleong@nexiats.com.sg