Are You Really in PCI Compliance?
By Scott Laliberte and Jeff Sanchez
WARNING: Your business may not be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage, costly fines and even loss of the ability to accept and process credit cards.
Despite merchants' increased focus on meeting PCI DSS requirements, credit card security breaches continue to occur with alarming regularity. According to the Identity Theft Resource Center, there were 662 disclosed data breaches in 2010. Worse, although it has been nearly 10 years since the original Visa CISP program was published and multiple deadlines for different types of merchants have passed, many businesses don't even realize they're not compliant -- until it's too late.
One root cause: Most validations are self-assessments performed by IT personnel who haven't been trained to test PCI DSS compliance. Without a proper assessment by either trained internal personnel or third-party assessors, many merchants will continue to believe, erroneously, that they're in compliance with the PCI standard.
Given the potentially astronomical costs of a data breach -- Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach found the average cost of a breach to be $7.2 million -- convenience store executives should take care to confirm their businesses are not among the many that are misinterpreting PCI DSS requirements and failing to protect their systems appropriately from security breaches.
Compliance and Validation Requirements
The PCI standards apply to all merchants and service providers -- regardless of industry or size -- that store, process or transmit cardholder data. Compliance with the standard is mandatory for every one of them; what varies with card transaction volume is only how compliance must be validated (for example, a self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor), never whether the requirements apply.
Other than not validating at all, the most common reason for PCI DSS noncompliance is completing the self-assessment questionnaire with too narrow a scope. Additionally, many IT organizations assume certain controls are in place when they are not, or they misinterpret the requirements of the standard.
Getting the scope right is critical to an accurate compliance validation. Companies must keep in mind that PCI DSS applies to all of their systems, including:
• all external connections into the merchant network;
• all connections to and from the authorization and settlement environment (e.g., routers, switches, firewalls, web servers and wireless connections);
• any cardholder data repositories, including those outside of the authorization and settlement environment (such as document images and voice recordings); and
• all systems connected to any of the above.
Effectively, merchants and service providers must either "segment" their PCI-affiliated devices from the rest of their network or validate their entire network. This is an area that merchants frequently misunderstand.
To clarify how the audit scope, self-assessment questionnaire and scans should be interpreted, merchants should heed the following guidelines:
• In a nonsegmented or "flat" network, all devices are in scope for audits and scans. Therefore, the entire network needs to comply with PCI DSS requirements.
• Even in a segmented network, any system that the firewall permits to connect to the cardholder systems remains in scope. Segmentation removes a system from scope only when the firewall denies all traffic between it and the cardholder environment; a "permit" rule for management, reporting or log collection pulls that system back in.
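The two guidelines above are easy to state and easy to get wrong once an inventory has more than a handful of devices. The following Python script, added here as an illustration and not part of the original column, applies them to a constructed inventory: host names, segment names and firewall rules are all invented for the example. It reports, for every host, whether it is in scope and why, once for a flat network and once for the same devices after segmentation.

```python
"""Apply the two scoping guidelines above to a constructed network inventory.

Everything below (host names, segments, firewall rules) is invented for the
example; it is not from the article or from any real merchant.
"""

# Host -> network segment. In the flat network every device shares one segment.
FLAT_NETWORK = {
    "pos-01": "lan", "pos-02": "lan", "auth-gw": "lan", "call-recorder": "lan",
    "hr-file-srv": "lan", "marketing-pc": "lan", "guest-wifi-ap": "lan", "siem": "lan",
}

# The same devices after segmentation: the cardholder data environment (CDE)
# has its own segment, the call recorder (voice recordings containing card
# numbers) its own, and office, guest Wi-Fi and management are separate.
SEGMENTED_NETWORK = {
    "pos-01": "cde", "pos-02": "cde", "auth-gw": "cde",
    "call-recorder": "voice",
    "hr-file-srv": "office", "marketing-pc": "office",
    "guest-wifi-ap": "guest",
    "siem": "mgmt",
}

# Systems that store, process or transmit cardholder data (CHD).
CHD_SYSTEMS = {"pos-01", "pos-02", "auth-gw", "call-recorder"}

# Firewall policy between segments: a set of (src, dst) pairs that are
# permitted; any pair not listed is denied. Hosts inside one segment are
# assumed to reach each other freely (no filtering within a segment).
SEGMENTED_RULES = {
    ("mgmt", "cde"),  # the SIEM collects logs from the CDE
}


def connected(seg_a, seg_b, rules):
    """True if traffic is possible between two segments in either direction."""
    if seg_a == seg_b:
        return True
    return (seg_a, seg_b) in rules or (seg_b, seg_a) in rules


def pci_scope(hosts, chd_systems, rules):
    """Return {host: reason} for every host in PCI DSS scope.

    A host is in scope if it handles cardholder data itself, or if the
    network (segment membership plus firewall rules) permits it to connect
    to a host that does. Only hosts with no permitted path to any CHD
    system are left out.
    """
    missing = set(chd_systems) - set(hosts)
    if missing:
        raise ValueError(f"CHD systems absent from inventory: {sorted(missing)}")
    scope = {h: "stores, processes or transmits cardholder data" for h in chd_systems}
    for host, seg in hosts.items():
        if host in scope:
            continue
        for chd in sorted(chd_systems):
            if connected(seg, hosts[chd], rules):
                scope[host] = f"can connect to {chd} ({seg} <-> {hosts[chd]})"
                break
    return scope


def out_of_scope(hosts, chd_systems, rules):
    """Hosts the segmentation actually removes from the assessment."""
    return sorted(set(hosts) - set(pci_scope(hosts, chd_systems, rules)))


def report(title, hosts, rules):
    """Print an in/out decision with its justification for every host."""
    scope = pci_scope(hosts, CHD_SYSTEMS, rules)
    print(f"== {title}: {len(scope)} of {len(hosts)} hosts in scope ==")
    for host in sorted(hosts):
        print(f"  {host:14s} {'IN ' if host in scope else 'OUT'} {scope.get(host, '')}")


if __name__ == "__main__":
    report("flat network", FLAT_NETWORK, set())
    report("segmented network", SEGMENTED_NETWORK, SEGMENTED_RULES)
```

In the flat case every device lands in scope, including the guest Wi-Fi access point and the marketing PC. After segmentation only the CDE hosts, the call recorder (it holds cardholder data, so isolating it does not help) and the SIEM remain; the SIEM is the instructive one, because the single "mgmt to cde" permit rule keeps it in scope exactly as the second guideline says. Feeding the script the real inventory and the real firewall policy is a cheap first check before the self-assessment questionnaire is filled in.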
Steps to Compliance and Proper Validation
The following steps provide a brief overview of what companies can do to assess their PCI DSS compliance and remediate potential risks.
Step 1: Obtain expertise on the PCI standard. PCI DSS is not simple, and assessing your compliance without the benefit of the PCI Council's training is unlikely to yield the correct conclusions. The PCI Council publishes the Internal Security Assessor training schedule on its website, www.pcisecuritystandards.org. A Qualified Security Assessor (QSA) firm also can assist with your assessment if you lack internal personnel with the right skills.
Step 2: Perform a scope and gap analysis. After you have a trained assessor to work with, the next step is to perform a scope and gap analysis of your systems and networks. This will determine if your configuration properly segments PCI data from externally accessible systems and the rest of the internal network. The gap assessment should then cover all PCI requirements within the appropriate scope.
Although self-assessment questionnaires have been vastly improved to address all PCI controls, organizations should still refer to the PCI Requirements and Security Assessment Procedures (www.pcisecuritystandards.org/documents/pci_dss_v2.pdf) when carrying out the gap analysis to ensure requirements are properly interpreted. Determining your scope and gaps also will assist in determining what might need to be remedied and how best to approach the process.
Step 3: Segment your PCI network. One of the best ways to reduce risk -- and the PCI scope -- is to separate the PCI systems from other internal systems with proper segmentation, including a firewall that permits only the traffic the cardholder environment actually needs and denies everything else.
Step 4: Implement other ways to limit the scope. Other methods can be used to reduce the scope. For instance, if a card number is encrypted inside a secured personal identification number (PIN) pad device, and it remains encrypted until it reaches the processor, this "end-to-end encryption" (the PCI Council's term is point-to-point encryption, or P2PE) can remove card-present transactions -- and potentially the entire point-of-sale environment -- from scope, because the merchant's systems never see the card number in clear text and hold no key that could decrypt it. Many PIN pad vendors now offer this capability; confirm with your acquirer and your assessor that the particular solution qualifies for scope reduction before relying on it.
Too many companies have looked for the easy way to validate compliance with PCI DSS without really "digging under the covers." As a result, too many criminals are compromising merchants' data security -- and consumers are unnecessarily at risk.
Compliance with PCI DSS is an absolute requirement for all merchants and service providers, so it must be taken seriously. If there's any chance your company has validated compliance based on incorrect interpretations or assumptions, take action immediately to address your severe risk of exposure to a data security breach.
Scott Laliberte and Jeff Sanchez are managing directors at Protiviti Inc., a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit.
Editor's Note: The opinions expressed in this column are the authors', and do not necessarily reflect the views of Convenience Store News.