Preface – PCI DSS: A Practical Guide to implementing and maintaining compliance, Third Edition

PREFACE

Looking towards the future, on average, 77% of entities are anticipating an increase in online revenues during 2011. For 2011, nearly four out of five merchants that are forecasting growth expect to see increases in e-commerce revenue of up to 40%.

So, for many entities’ chief financial officers, chief information officers, chief technology officers, and chief security officers, this presents three challenges, it will;

1   Increase online revenues causing the logistics, call-centres, order fulfilment, etc, etc. to further ‘creak’ at the seams.

2   Increase the dependency on the already overburdened IT department. Thus creating the need to ‘change’ the IT organisation from a traditional IT department to a more IT marketing focused or e-commerce support function.

3   Increase the IT security compliance burden; therefore, increasing the need for the growth and maintenance of core compliance (or auditing) skills. The average size of IT compliance review teams has risen quite considerably from an average of six full time staff members in 2009 to ten in 2011.1

All of this comes at a time of unparalleled pressure on IT budgets, its people and, more specifically, the security people employed to protect cardholder data (ChD). Like us, we all thought the Payment Card Industry Data Security Standard (PCI DSS) was going to spell the end of the road for criminals who were ‘cashing in’ on the supposedly easy target of credit card theft – and its subsequent fraudulent use of cardholder data. The theory being, it would be harder to obtain the cardholder data in the first place; due to the more robust and standardised approach to data and IT security (under the PCI DSS regime).

Unfortunately, as we have seen, and as countless surveys conclude, many entities are still struggling to demonstrate compliance, with costs spiralling out of control. Analysts Gartner estimate that Level 1 merchants (retailers who process over 6 million credit card transactions per year) on average spent $2.7m on compliance, with Level 2 merchants (retailers who process between 1 and 6 million credit card transactions per year) are spending $1.1m on average to remain compliant. They also state that Level 1 and 2 merchants have increased their spending fivefold over the last 18 months, with 8% of retailers being fined and 22% being threatened with fines.

Yet, despite the pressure of fines being imposed, entities continue to struggle with PCI DSS compliance, and worse still, some of these entities which have achieved PCI DSS compliance, are still suffering from costly and embarrassing data losses/breaches (for example, TJ MAXX, Hannaford Brothers). Gartner go on to recommend that these entities look at the possibility of further data segregation, or outsourcing to reduce the scope of compliance, but this doesn’t take away the responsibility of PCI compliance, as this still lies at the door of the cardholder data collector and data owner

These findings are in themselves not very surprising, as anyone hoping PCI DSS was going to be the industry’s ‘silver bullet’ to a systemic and ever-demanding data security challenge was unrealistic or slightly divorced from reality. PCI DSS is a good security baseline on which compliance can be set, achieved, measured and improved, but it will not provide all the answers, and will not necessarily change the thoughts that plague every CIO’s mind – how can I provide adequate assurance that my cardholder data is appropriately protected and secured, given minimal resources and squeezed budgets?

In order to address this question, we first need to understand why there is a need for PCI DSS, and why it will become (if it is not already) a prerequisite for conducting business in the modern age of online consumers and tech savvy ‘Generation Y’ consumers2 and, in particular, if we dare hope for a consumer-led recovery.

Firstly, there is sufficient evidence that consumers are changing the way they shop and we don’t have to look far to appreciate the value of providing secure credit card transactions; for example, Cybersource 7th Annual 2011 UK Online Fraud Report3, found that some 66% of those questioned were concerned about the safety of shopping on line.

Yet, despite these concerns, millions of consumers are continuing to use credit cards every day for online purchases. VISA Europe reported that its 360 million card holders collectively purchased goods online to the value of over £1.16 trillion in 20094. To further exacerbate the problem, we are faced with an ever-evolving and more demanding consumer (driven by Generation Y), with factors such as those listed below all contributing to an overall global demand in better security of cardholder data. These factors include:

  • Banks seeing a huge growth in the demand for online services.
  • Credit card issuers and debt holders facing a difficult market/consumer, as pressures to pay down debts and charge less for services become commonplace.
  • Credit card technologies advancing with better security and contactless payment solutions.
  • Managing bank accounts via mobile devices, and wireless (or contactless) payment systems increasing demand for more applications to support demand for these services.

All of these factors play a role in the need for greater cardholder data security and, therefore, the need for PCI DSS will remain and become ever more prevalent in the competitive world of consumerism.

The consumer space is not alone; governments from around the world are taking up arms in this space. In the UK, the UK Government published its first Cyber Security Strategy. It was a calling for more moves towards greater security surrounding the use of credit card data. In another paper entitled ‘Digital Britain’, the UK Government stated ‘that by 2012 £1 in every £5 spend in the UK will be spent online and if that is going to be a reality, then significant more effort needs to be made towards gaining consumer trust’, as, with the £50 billion of consumer purchases and sales through e-commerce that takes place online5 now is the time to really start thinking about how your entity can look to further integrate PCI DSS compliance into ‘Business as Usual’.

NOTE: Some good work has previously been carried out in this area: both ISO27001 and ISO27002 (formally BS7799) are intended to provide an international information ‘security baseline’ of 133 controls, in an attempt to standardise on security best practice and a standard approach to risk assessment. ISO27001 has gone a long way to help standardise on an approach to security policy, processes and procedures to help keep the bad guys out, and the good guys (or to keep ‘sensitive’ data) within our direct control.

This is all good stuff, but is it enough? In a recent online fraud survey, figures show that the fraud challenge has not decreased since the introduction of PCI, but has, in fact, increased. The report states ‘that fraud losses now consume more than 1% of revenue for 37% of UK online merchants; 13% lose more than 5% of their revenue. In a tough economic climate, these losses could be the difference between success and failure for an online business’.

In addition, the breaches in late 2008 and early 2009 of RBS World Pay and Heartland Payment Systems, which compromised over an estimated 100 million cardholders, exemplify the irresistible attraction of major transaction processors (i.e. the banks). So, despite PCI DSS being applicable to those entities that store, transmit or process cardholder information payments, encompassing service providers, merchant acquirers, third party processors and even data storage entities, the danger of not knowing where your data is can prove fundamental to demonstrating and maintaining PCI compliance.

This all tends to paint a negative picture, but what more could be done? As it is well acknowledged that merchants and service providers are bearing the costs associated with securing our credit card or cardholder data, we need to understand (more now than ever) the true scope of where PCI DSS is applicable, and how we can assist the business in obtaining the true value delivered by PCI DSS.

In today’s environment, security has become a consideration for every type of business and, by following the standardised, industry-wide procedures of PCI DSS, entities can achieve real value, including:

  • Protection of their customers’ personal data.
  • Boost customer confidence through a higher level of data security.
  • Insulate themselves from financial losses and remediation costs.
  • Maintain customer trust, and safeguard the reputation of their brand.
  • Provide a complete ‘health check’ for any business that stores or transmits customer information.

_______________

1 UK Online Fraud Report 2011.

2 Joanna Krotz – Small business marketing and management issues publisher.

3 Seventh Annual UK Online Fraud Report, Jan 2011, CyberSource.

4 Plunkett Research Limited, Guide to the Banking Industry, March 2009.

5 UK Cyber Security Strategy June 2009.