Jim Seaman

PCI DSS Compliance: Card Interception

Introduction

I was interested to see the opening article of Mastercard's latest PCI DSS newsletter, reminding Issuers & Acquirers of their mandated requirement to be PCI DSS compliant. However, anyone receiving a new credit card through the post will question to what level Issuers & Acquirers respect their obligations. Recently, I received my new, replacement credit card and PIN reminder through my letter box, via standard class post. This is unlike the PCI DSS physical security control, which states:

"9.6.2. Send the media by secured courier or other delivery method that can be accurately tracked".

It is very apparent that my envelope contained a credit card, and so it is inevitable that criminals and opportunists will look to intercept such post. For example, a North Texas postman intercepted post from Chase Bank and ran up $374,000 of debt on the intercepted credit cards, and UK postal workers have been targeted by criminal gangs to steal credit cards and PINs from the post.


If this is one example, why are the Card Brands failing to follow up on the Issuers' apparent non-compliance, or does this specific control not apply to Issuers? Any eCommerce merchant will tell you of their need to ensure that payment card data is protected when being transmitted over public networks. Is the postal system not simply another form of transmission over a public network?


Many Issuers will be heavily reliant on third-party suppliers for the production of the plastic cards and the printing of a PIN, and sending out these sensitive items via trackable means will come at an additional cost. If this control is applicable, then who bears the brunt of the additional costs? The Issuers? The Supplier? Or is it a risk we just need to accept and, as the consumer, understand that the trauma of having to fund criminals and allow them to run up debt in our names is just the cost of having a credit card?


Compliance Management

This scenario then begs the question: as Acquirers and Issuers have the liberty of 'self-regulation', what other corners may they be cutting?

  • Unsupported systems?

  • No anti-malware?

  • No segmentation?

  • No vulnerability remediation?

  • No penetration testing?

How much do the senior executives of such organisations understand about the level of risk and non-compliance being carried by their card payment channels?


As a 'Self-Regulated' PCI DSS entity, what are the expectations of the Card Brands and (being personal data) the regulators?


Given this, and the recent changes to the Mastercard Rules regarding the implementation and maintenance of a written information security programme, isn't it time for such entities to consider the use of an Integrated Risk Management (IRM) platform?

As a senior manager or executive of such an entity, wouldn't you be looking for regular compliance metrics for both your Information Security programme and your mandatory compliance obligations (e.g. PCI DSS)? Such an IRM platform allows roles & responsibilities to be incorporated into a centralised solution, rather than relying on multiple spreadsheets, emails and Word documents to help demonstrate and manage compliance.


Background

During my time in a Royal Air Force Police Counter Intelligence role, I was first introduced to the benefits of such a solution for the risk monitoring of RAF assets, using a Fujitsu-built system (SAPPHIRE), and this understanding was further enhanced during my time developing and implementing a baseline security controls project, over 7 months, whilst at the Co-operative Bank in 2012. With lots of support and patience from the vendor (Acuity Risk Management), I managed to track a multitude of security controls, applied at a business process level.


Previously, for many months, the bank had been unsuccessful in its attempts to identify a suitable solution that was flexible and easy to use, which could accommodate the tracking and presentation of the controls and risk status for almost 5,000 baseline security controls, with the output being able to report in 3 views for the business:

  • Co-operative (Blue).

  • Britannia (Red).

  • Enterprise (Purple).

During the last 2 months of this work, I had been tracking and monitoring the controls and risk status for the bank's ISO/IEC 27001 compliance, using a single-user licence of a product called STREAM.

Guess what?

Unbeknown to the project, the bank already had a suitable tool that could easily be scaled up to meet its expectations.


Some 4 years later, I became re-acquainted with STREAM in my role as a PCI DSS Qualified Security Assessor (QSA), for use in support of PCI DSS engagements and to assist clients with simplifying the management of PCI DSS as part of Business As Usual activities (mandatory with the advent of PCI DSS v3.0).


Recommendations

If you are still attempting to manage your compliance obligations through multiple locally produced and managed spreadsheets and documents, do yourself a huge favour and take a look at the potential benefits an automated and integrated solution can provide.


The last thing you want to experience is the mass panic of trying to collate all your evidence of compliance for the regulators/card brands in the event of a compromise/breach occurring.


Conclusion

Customers, Regulators and the Card Brands expect you to be doing the right thing, and meeting these expectations needs teamwork and effective management.

Do not wait for a malicious individual to reveal that you are running additional/unwanted risks by failing to meet baseline security controls for the protection of sensitive data!

Not only will you face non-compliance fines but, more importantly, you will run the gauntlet of damage to your reputation and a loss of trust from your customers and partners.
