Credit card is one of the most popular payment option nowadays, as it offers the convenience of not having to bring cash everywhere. Not to mention that your money does not have to leave your bank account at the point of transaction. Despite of the benefits that it offers, credit card is also one of the most popular target for fraudsters, mainly because of the lack of controls by merchants to verify the identity of the credit card user.
Target breach¹, for example, is one of the most notable payment card information breach that ever happened due to compromised point of sale (POS) systems. Other big names such as Home Depot², Hyatt Hotels³, and Mandarin Oriental Hotel Group⁴ also sufferred from similar breaches involving their customers’ payment card information. Motivated by profit, fraudsters are now turning into compromised POS devices as a primary source for unencrypted payment card data. And no, it does not only affect big corporations, but also those small shops in your neighbourhood that accept payments using credit card.
Since the start of the internet era in the 1990s, an increasing number of merchants rolled out e-commerce websites and connected their payment processing systems to the internet to acquire new customers and to boost revenue by offering the convenience of online purchasing. At the same time, fraudsters began compromising poorly protected systems to steal payment data, making payment card frauds faster and easier than ever before.
Between 1988 and 1998, Visa and MasterCard reported credit card fraud losses totaling US$750 million. In order to prevent future frauds, in October 1999, Visa developed Cardholder Information Security Program (CISP), a security standard for merchants conducting online transactions, which was then followed by other payment brands. However, the enforcement was rather unsuccessful largely due to the lack of a single, unified standard among the payment brands. Only on 15 December 2004, the first unified security standard was released and supported by all five major payment card brands: American Express, JCB, Discover, MasterCard and Visa. The standard was known as Payment Card Industry Data Security Standard (PCI-DSS), and compliance is mandatory for all entities involved in payment card processing, including merchants, processors, acquirers, issuers and agents, as well as all other entities that store, process or transmit cardholder data. On 6 September 2006, the five major payment card brands announced the creation of the PCI Security Standard Council (PCI SSC), an independent group that will manage the standard going forward.
PCI-DSS was developed to enhance the security of cardholder data and to ensure consistent data security throughout payment card processing lifecycle. PCI-DSS consists of a basic set of technical and operational requirements for protecting cardholder data that mirror best security practices. The following will provide an overview of the 12 key requirements of PCI-DSS:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
While the PCI SSC is responsible for setting the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for validation of compliance and reporting, such as provisions for self-assessment versus using a Qualified Security Assessor (QSA). Your business’s risk level will be measured by the transaction volume using a particular payment card brand, and it will determine the specific validation requirements that must be met. The processes for validating compliance and reporting to acquiring financial institutions typically come in the following sequence⁵:
• PCI-DSS Scoping
Determine what system components are governed by PCI-DSS
Examine the compliance of a subset of system components in scope
• Compensating Controls
QSA validates alternative control technologies/processes
Merchant/organisation submits required documentation
Merchant/organisation clarifies/updates report statements (if applicable) upon bank request
Only the acquiring financial institution can assign a validation level to merchants. Please refer to the following URLs for each payment card brand’s compliance programs:
• American Express www.americanexpress.com/datasecurity
• Discover Financial Services www.discovernetwork.com/resources/data/data_security.html
• JCB International www.jcb-global.com/english/pci/index.html
• MasterCard Worldwide www.mastercard.com/sdp
• Visa Inc www.visa.com/cisp
Nexia TS has a team of data security experts who understand the specific PCI-DSS compliance requirements for business of all sizes. Our unique proposition, which combines years of experience in IT security and computer forensic investigation, allows us to perceive data security from many angles, assisting your business to effectively prevent, detect, respond and investigate data breaches in a timely manner.
• Pre-compliance Gap Analysis Onsite review and gap analysis to establish a baseline level of compliance and to address areas of non-compliance. This essential service forms the basis of a successful compliance program.
• Network Vulnerability Scans Identify network vulnerabilities to ensure ongoing protection from cyber threats and to meet annual PCI-DSS compliance requirements.
• Penetration Testing Provide a comprehensive and thorough analysis of networks and applications security, while ensuring cardholder data protection against potential exploitation by internal or external hackers.
• Remediation Services Ensure that all deviations from PCI-DSS requirements are properly remediated and/or compensating controls are designed to mitigate the risk.
⁵ Extracted from PCI SSC Quick Reference Guide in https://www.pcisecuritystandards.org/