PCI DSS: Adding Business Value
On the 1st July 2015, the PCI SSC made the 9.9 best practice control a mandatory control. Now any retail organization that uses PIN Transaction devices for taking card payments from their customers must ensure that they make the physical checks of these devices.
Whether you think this is important or not, it is clear that the regulators certainly see this as something that should be taken seriously. At the start of 2020, the Information Commissioner's Office (ICO) issued DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores.
It is important to note that this fine was levied based on the pre-GDPR legislation and that this represented the maximum fine under the UK Data Protection Act 1998.
Had this occurred post-GDPR, the fine would have been significantly greater.
Another example is the WAWA breach, where an attack on the POS devices led to the compromise of 30 million customer payment card details.
In addition, criminals are known to tamper with, or substitute, on-premises PIN Transaction Security (PTS) devices to help them steal customers' credit card data as they make a Face to Face (F2F) purchase.
Having identified this as a risk, the PCI SSC now insists that all retailers that use such devices for taking payments must maintain an inventory and carry out periodic inspections of these devices.
Now, this raises several questions for me:
Why had retailers never thought this would make good business sense anyway?
How do they keep track of their unserviceable or unused devices?
Don't most retailers pay a monthly rental subscription for these devices?
Without maintaining an inventory and an inspection regime, how will these retailers keep track of their unserviceable devices?
Perhaps it's just the Yorkshire part of me reflecting on this, but I can't understand why these businesses didn't appear to see the potential return on investment for having this control as a business-as-usual activity already.
It seems like they would rather pay a monthly subscription for devices that they either can't use or are surplus to requirements.
Do they really enjoy paying for something that they cannot use?
Consequently, by looking at this control from a different perspective while meeting the security requirements, the business can also ensure that it is not needlessly wasting money on something that might be tucked away in a desk drawer, or sat at the back of a cupboard, gathering dust.
Just by adding some additional columns to your hardware asset inventory, you can also keep track of your devices' serviceability and usage states.
Imagine if you were to establish an inspection schedule that was carried out on a two-week cycle and reported back to the Finance and Information Security/Compliance departments; you'd be able to 'kill two birds with a single stone'.
Although this could be added to your CMDB, it can also be as simple as being managed through a local spreadsheet.
How you design and deliver this is completely up to your business but, as an example, I have drawn up a quick example in Microsoft XLS:
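As an added example (not the author's spreadsheet or any retailer's real data), the script below applies the same idea in Python over a constructed inventory: the column names, status values, the 14-day cycle, rental figures and end-of-life dates are all assumptions chosen to illustrate the checks described above.

```python
"""Added example: PTS device inventory checks in the spirit of PCI DSS 9.9.
Columns, statuses, cycle length, costs and dates are constructed assumptions."""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (hypothetical serials, stores and figures).
SAMPLE_INVENTORY = """serial,store,status,last_inspected,monthly_rent,end_of_life
PTS-0001,Leeds,in_use,2020-03-02,12.00,2022-12-31
PTS-0002,Leeds,spare,2020-02-10,12.00,2022-12-31
PTS-0003,York,unserviceable,2020-01-15,12.00,2021-06-30
PTS-0004,York,in_use,2020-03-10,12.00,2020-04-30
PTS-0005,Hull,lost,2019-12-01,12.00,2022-12-31
"""

INSPECTION_CYCLE = timedelta(days=14)   # the two-week cycle discussed in the text
IDLE_STATUSES = ("spare", "unserviceable", "lost", "stolen")  # rented but not earning

def load_inventory(text):
    """Parse the CSV and convert dates and money to proper types."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_inspected"] = date.fromisoformat(r["last_inspected"])
        r["end_of_life"] = date.fromisoformat(r["end_of_life"])
        r["monthly_rent"] = float(r["monthly_rent"])
    return rows

def overdue_inspections(rows, today):
    """Devices on the shop floor or in stock whose last physical check is
    older than the cycle; lost/stolen units are reported separately."""
    return [r["serial"] for r in rows
            if r["status"] in ("in_use", "spare")
            and today - r["last_inspected"] > INSPECTION_CYCLE]

def idle_rental_spend(rows):
    """Monthly rent still paid on devices the business cannot or does not use."""
    return sum(r["monthly_rent"] for r in rows if r["status"] in IDLE_STATUSES)

def nearing_end_of_life(rows, today, horizon_days=90):
    """Devices whose end-of-life date falls within the planning horizon."""
    return [r["serial"] for r in rows
            if r["end_of_life"] - today <= timedelta(days=horizon_days)]

def report(rows, today):
    """The two-week report for Finance and Information Security/Compliance."""
    return {"overdue": overdue_inspections(rows, today),
            "missing": [r["serial"] for r in rows if r["status"] in ("lost", "stolen")],
            "idle_spend": idle_rental_spend(rows),
            "eol_soon": nearing_end_of_life(rows, today)}

if __name__ == "__main__":
    print(report(load_inventory(SAMPLE_INVENTORY), date(2020, 3, 16)))
```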
When looking at compliance controls, try to avoid thinking about this in terms of 'ticking a box' to meet your company's compliance objectives, and try to look beyond the security perspective to ascertain whether these security controls also bring your organisation any additional benefits.
With an asset inventory, for example, it can help you keep track of such things as:
Their lifecycles, so that you can prepare for the upcoming end-of-life dates.
For a large retail organisation, failing to track serviceability or device status (lost, stolen) can result in the company paying thousands of £s/$s for something it is either not using or unable to use. No doubt your Acquirer will be...
Laughing all the way to the Bank!
All of this, and so much more, should help you to re-evaluate the potential business benefits that can be brought to your organisation.