PCI DSS: Does it apply to me?
If you're a business that receives monies into your Merchant Bank account from payments made by a Card Brand payment card (Mastercard, Visa, Amex, JCB or Discover), either directly (involving your IT systems, applications or personnel) or indirectly (using a 3rd party service provider), then PCI DSS v3.2 applies to your business.
What is PCI DSS?
PCI DSS is a series of baseline controls, designed to protect the 'meat' of a Primary Account Number (PAN - the long card number, of which the 1st 6 and last 4 digits are the parts that may be shown) and the more sensitive card verification code (CVC - 4 digits on the front or 3 digits on the rear).
Criminals have identified the ease of committing fraud by gaining unauthorised access to payment card information, and the increasing consumer use of card payments has only increased the attractiveness of trying to steal this data.
PCI DSS provides a suite of layered controls (circa 360) which, when successfully applied, provide the 5 Ds effect, making it extremely challenging and difficult for the opportunist criminal. Think of PCI DSS as being a recipe book, the Self Assessment Questionnaires (SAQs) being the different types of recipes and the controls being the ingredients list. Not all of the recipes are difficult, and not all of them need every ingredient.
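PCI DSS itself is a control framework rather than code, but the masking rule just described (show at most the first 6 and last 4 digits of a PAN) is something a merchant's systems have to implement. The following Python is an added illustration, not code from the page's author: it masks a PAN to first-6/last-4 and redacts PAN-like digit runs in a constructed log line. The Luhn check and the 13-19 digit length range are standard card-number properties assumed here; the page does not state them.

```python
import re

# Constructed sample: the well-known Visa test number, not a real cardholder's PAN.
SAMPLE_PAN = "4111 1111 1111 1111"

# Runs of 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits (the most PCI DSS allows to be displayed)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN-like run in a log line with its masked form (separators dropped)."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))
    # Constructed log line, as an application might wrongly write it before redaction.
    print(redact_log_line("2024-01-01 order 17 card=4111 1111 1111 1111 amount=12.50"))
```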
There are 6 layers to PCI DSS:
Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Each of these layers is targeted at providing formal protection to any IT Systems/Software/Applications (including any which may impact these systems), People and Processes involved in the card data life-cycle (from the point of receipt until disposal/destruction).
What are the expectations?
The increasing convenience for consumers of being able to 'pay by card', rather than using cash, means that retailers (small, medium or large) would miss out on potential sales if they did not support payments by card. The greater the number of retailers accepting card payments, the greater the opportunity for criminals to exploit vulnerabilities in IT systems, Applications or Processes.
Consequently, any retailer (no matter their size) must be able to demonstrate that they are maintaining PCI DSS aligned card payment operations.
The level of detail that needs to be provided is scaled based upon the potential risk caused by a compromise. The higher the risk, the greater the expectation to demonstrate compliance, e.g. Level 1 Merchants (processing more than 6 million card transactions per annum) are required to undergo independent validation of their alignment to PCI DSS by a PCI Qualified Security Assessor (QSA).
That's okay, I've fully outsourced my PCI DSS operation to a PCI DSS compliant 3rd party....
A common mistake made by Merchants is to presume that they have no PCI DSS accountability because everything is outsourced, and so all the burden lies with their 3rd party service provider. It is true that outsourcing to a reputable, compliant service provider does simplify PCI DSS and reduce the burden; however, you are still required to manage the relationship with that 3rd party to ensure that you understand who you've outsourced to, you have contracts with data security clauses, they can deliver as per their contract (due diligence), you understand their compliance status and you understand all of the services they are providing to you. Dependent on the risk associated with the outsourced services, that service provider may need to be independently validated by a QSA, e.g. a service provider who processes more than 300,000 card transactions each year would be deemed a level 1 service provider, requiring independent validation of their compliance (Higher Risk).
If you are a Merchant, or a Service Provider to a Merchant, the complexities of PCI DSS can be extremely difficult to understand - like trying that new recipe! Therefore, IS Centurion recommend the following:
PLAN & PREPARE for PCI DSS compliance, by familiarising yourself with the wealth of reference materials provided by the PCI SSC and seek support from a knowledgeable specialist (QSA for higher risk operations). This will help you to identify the right recipe for you.
IDENTIFY the IT Systems/Software/Applications, Personnel and 3rd Parties that will be included in the PCI DSS, and consider the opportunities to ISOLATE these assets or outsource operations (e.g. Using Dual Tone Multi-Frequency (DTMF) for Mail Order Telephone Order (MOTO) operations) to help reduce the scope.
EVALUATE any existing assets against the applicable PCI DSS controls. This will enable you to get a true understanding of the amount of improvements needed and the potential costs.
Prioritise a programme of works to FIX the issues highlighted during the previous step.
Once you are happy that any issues have been sorted, start to ASSESS the status using the Report on Compliance (RoC) - Higher Risk payment operations or the appropriate SAQ - Lower Risk operations.
Formally REPORT your status to your Acquiring Bank, using the appropriate SAQ (this may need to be validated by a QSA) or through an independent QSA completed RoC. Service Providers will need to REPORT via a RoC (>300,000 card payments) or a SAQ (<300,000 or who could impact a Cardholder Data Environment (CDE), e.g. Data Centre).
MAINTAIN PCI DSS compliant operations with periodic audit and assurance.
At first, achieving PCI DSS compliance can appear to be a daunting task, but maintaining compliance and incorporating it into Business As Usual (BAU) is far more difficult to achieve. However, with the right guidance and sensible decision making, an effective, well-designed PCI DSS programme can yield untold benefits to a business, creating an improved security culture (benefiting other data processing areas) and protecting your consumers from payment card fraud.
A customer entrusts you with their payment card data so as to purchase goods and services from you. Failure to invest the correct time, resources and effort into protecting your customers' data could cause considerable impact to them. As a result, customers who are impacted (or who hear of others being impacted) will be unlikely to entrust their payment card data to you, and will seek out other goods or service suppliers.
If you apply PCI DSS correctly, "You can have your cake and eat it!"
Further Advice or Guidance
If you are struggling to understand the complexities of the PCI DSS recipe book:
Which recipe applies to your business?
What alternative, or easier, recipes you could choose?
How to mix together the right ingredients?
How you can better prepare for the 'Bake Off' competition judging?