The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards applicable to all companies that accept, process, store and/or transmit credit card information. The PCI DSS is administered by an independent body, the Payment Card Industry Security Standards Council (PCI SSC), which was formed by the five predominant card brands (Mastercard, Visa, AMEX, Discover and JCB) to support the development and adoption of payment cards as a ubiquitous transaction method.
All companies subject to the PCI DSS must be PCI compliant. The number of card transactions a company performs annually determines its PCI compliance level, and each level carries its own validation requirements and its own fines for non-compliance.
The PCI DSS "control objectives" are six overarching categories, 12 key requirements, 78 base requirements and over 400 test procedures that serve as a blueprint for organizations when creating compliant technical and operational standards. Organizations must address:
- Building and maintaining a secure network comprised of properly installed and maintained firewalls and vendor-supplied equipment whose default passwords have been changed.
- Implementing the protection of cardholder data at rest and in transit with encryption.
- A vulnerability management program encompassing the installation and maintenance of anti-virus software, and the appropriate patching, vulnerability awareness and security of systems/applications.
- Strong access controls, with cardholder data access restricted on a need-to-know basis (access request forms, access tracking); a unique ID assigned to each individual (with password requirements, 2FA, password encryption, etc.); and physical restrictions on access to data centers and managed servers.
- Networks regularly monitored and tested with effective logging and monitoring of access to network resources and cardholder data and the regular testing of the associated security systems and processes.
- An information security policy covering up to date incident response plans, employee and contractor policies, and role/responsibility guidelines and usage requirements.
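The monitoring objective above asks for logging of access to cardholder data and for detection of misuse. As an added example (not from the original article or from any PCI SSC material), the following Python sketch runs two simple checks over constructed audit log lines: a need-to-know check against a hypothetical list of accounts authorised to read a PAN, and a burst check that flags an account reading more than a threshold of cardholder records inside a sliding one-minute window. The log format, account names and thresholds are all assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system):
# timestamp, account, action, cardholder record id.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=clerk1 action=READ_PAN record=1001
2024-03-01T09:00:05Z user=clerk1 action=READ_PAN record=1002
2024-03-01T09:01:00Z user=svc_batch action=READ_PAN record=2001
2024-03-01T09:01:01Z user=svc_batch action=READ_PAN record=2002
2024-03-01T09:01:02Z user=svc_batch action=READ_PAN record=2003
2024-03-01T09:01:03Z user=svc_batch action=READ_PAN record=2004
2024-03-01T09:01:04Z user=svc_batch action=READ_PAN record=2005
2024-03-01T09:01:05Z user=svc_batch action=READ_PAN record=2006
2024-03-01T09:02:00Z user=intern7 action=READ_PAN record=3001
2024-03-01T09:30:00Z user=clerk1 action=READ_PAN record=1003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Hypothetical need-to-know list: the only accounts allowed to read a PAN.
AUTHORISED_READERS = {"clerk1", "clerk2", "svc_batch"}


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_anomalies(log_text, max_reads=5, window=timedelta(seconds=60),
                     authorised=AUTHORISED_READERS):
    """Return a list of (kind, user, timestamp) alerts.

    kind is 'unauthorised_read' when an account outside the need-to-know list
    reads a PAN, and 'bulk_read' (reported once per account) when an account
    reads more than max_reads records within the sliding window.
    """
    alerts = []
    recent = {}            # user -> deque of READ_PAN timestamps inside the window
    burst_reported = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "READ_PAN":
            continue
        user, ts = ev["user"], ev["ts"]
        if user not in authorised:
            alerts.append(("unauthorised_read", user, ts))
        q = recent.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop reads that fell out of the window
            q.popleft()
        if len(q) > max_reads and user not in burst_reported:
            alerts.append(("bulk_read", user, ts))
            burst_reported.add(user)
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}: {user}")
```

In the constructed sample, clerk1 reads three records spread over half an hour and raises nothing, svc_batch reads six records in five seconds and triggers the burst alert, and intern7 is flagged because the account is not on the need-to-know list. Real deployments would feed the same kind of logic from the central log store the standard requires rather than from an inline string, and would tune the threshold per role.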
PCI DSS compliance violations occur when organizations fail to implement, or fail to keep pace with, the guidelines they agreed to in their card processing agreements. PCI compliance is the industry standard, and businesses that do not align with it can face significant fines for agreement violations and/or negligence. The standards exist for a reason beyond issuing fines for non-achievement: companies without a PCI compliant security framework are highly vulnerable to theft, data breaches and fraud.
There are two potentially devastating outcomes of a PCI compliance violation: the payment brands' punitive measures, and financial loss from criminal activity enabled by the substandard security measures in place. Both outcomes, whether they arise separately or together, can produce further collateral effects such as reputational damage and the associated loss of revenue.
It is important to note that the PCI DSS is not itself a collection of laws but a contractual set of standards. The payment brands can, however, take punitive action for compliance violations against acquiring banks and, by extension, against merchants.
- Fines ranging from $5,000 to $100,000 per month, card replacement costs and mandatory forensic audits are all at the disposal of the payment card brands.
- Lawsuits as a possible outcome if information has been exposed in a data breach: in this example from well over a decade ago, the company TJX settled with banks to the tune of USD$40.9M as a result of 45.7 million customer records being compromised. In the aftermath, TJX reaffirmed its commitment to achieving the PCI DSS goals.
- Following a massive 2013 breach of retail giant Target, its profits dropped an estimated USD $440M, a hefty price to pay after already having to fork out millions in fines and legal settlements.
Although the PCI DSS framework is very comprehensive, there are, as always, creative exploits that have been engineered by malicious actors to take advantage of the gaps in the framework.
RAM Scraping attacks were first flagged publicly by Visa in 2008 after the card provider discovered that malicious actors had infiltrated point-of-sale (POS) machines and gained access to volatile random access memory (RAM) systems within the terminals that contained unencrypted cardholder data. The attack method itself was largely in response to a 2007 upgrade within the PCI DSS that prohibited the practice of storing card data on POS machines for extended periods of time. By targeting the RAM, malicious actors circumvented this standard evolution.
The risk of PCI DSS compliance violations can be greatly reduced by designing an operational and technical architecture in line with the latest iteration of PCI DSS best practices. The size of the business does, to a certain extent, affect the complexity of implementing and maintaining the points below; however, they are effective for businesses of all sizes if correctly applied.
- Organizations must ensure wireless routers are password-protected, with no default vendor passwords in sight, e.g., any kit received with admin as both the login and the password must have this default changed!
- Firewalls must be implemented, appropriate (diverse if necessary) for their positions throughout the network and correctly configured.
- Only approved PIN entry devices should be used at the POS.
- Only validated payment software should be used at the POS or website shopping cart.
- Absolutely no sensitive cardholder data should be stored in computers or on paper without proper encryption or tokenization.
- PIN entry devices and PCs must be checked for malware and/or “skimming” devices on a regular basis.
- Effective security education programs should be delivered to all employees in the organization.
To maintain an effective PCI DSS compliant architecture, particularly in a large-scale, complex environment, it is advised to:
- Implement effective tokenization to sequester the use and storage of plain-text sensitive data to as few places within the environment as possible.
- Identify and secure all sensitive data and classify it in accordance with internal policy.
- Identify users and determine their access rights and permissions.
- Closely manage access controls.
- Implement effective monitoring tools with the capacity to identify anomalous file, event and/or user behavior.
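Both the "no cardholder data stored without encryption or tokenization" point and the tokenization recommendation above come down to the same design: one vault component is the only place that ever holds a primary account number (PAN), while the merchant application stores a surrogate token plus a masked display value. The following Python example is added here to illustrate that pattern; it is not code from the original article or from any PCI SSC or vendor product. It assumes a hypothetical `TokenVault` class with an in-memory store (a real vault would keep its store encrypted inside the cardholder data environment), uses a keyed HMAC index so a repeat PAN maps to the same token without the PAN being used directly as a lookup key, validates PANs with the Luhn check, and masks to the first six and last four digits, which is the most the PCI DSS permits to be displayed by default. The PAN used in the test is the standard 4111 1111 1111 1111 test number, not a real card.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation for a PAN of 12 to 19 digits."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the single component that holds PANs.

    Everything outside the vault sees only tokens. The in-memory dicts stand in
    for an encrypted store inside the cardholder data environment.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the PAN lookup index
        self._by_token = {}           # token -> PAN
        self._by_index = {}           # HMAC(PAN) -> token, so repeat PANs reuse a token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random, format-free token for a valid PAN (same PAN -> same token)."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        token = secrets.token_urlsafe(16)   # random: carries no information about the PAN
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the vault's trust boundary (e.g. the payment gateway) use this."""
        return self._by_token[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant application is allowed to persist: token and masked PAN, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "pan_display": mask_pan(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-demo-key-not-for-production")
    order = store_order(vault, "4111111111111111", 1999)
    print(order)                                   # token and 411111******1111 only
    print(vault.detokenize(order["token"]))        # the PAN, available only via the vault
```

The effect on scope is the point: the order database, its backups and the reports built from it contain nothing that the standard classifies as cardholder data, so only the vault and the systems that call `detokenize` need the full set of PCI DSS controls. The vault's own key management, store encryption and access logging remain in scope and are not shown here.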