PCI DSS: Going Above & Beyond

Introduction

If you imagine your business as being an airline company, you have a responsibility for ensuring that any precious cargo is suitably protected from harm. This precious cargo comes in various forms:

• Passengers.

• Aircrew.

• Freight.

Using this analogy, your passengers are your consumers' cardholder data and your organisation has been entrusted with getting them safely from destination A to destination B.

As you can imagine, maintaining flight safety requires teamwork, formal policies & procedures, safety checks, monitoring and, most importantly, a cohesive effort.

PCI DSS provides you with a baseline of measures to help you develop effective flight safety operations. However, it must be stressed that this is a baseline and needs to be developed further to ensure that your consumers retain their trust in your business and continue to be willing to fly with you.

• Pre-Flight Checks

Before any flight, aircraft are required to undergo mandatory checks. In PCI DSS, these are your quarterly, 6 monthly and annual controls, e.g.

Quarterlies:

• 3.1 Data Discovery - A quarterly process for identifying & securely deleting stored cardholder data that exceeds defined retention.

• 6.4.6 Change Management - New systems are included in the quarterly vulnerability scanning process.

• 11.1 Wireless Device Checks - Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

• 11.2 Vulnerability Scans - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

• 12.11 Policy & Procedural Confirmation Reviews - Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

Failure to complete these mandatory checks is detrimental to flight safety and could impact the licensing of the airline company. The same applies in the PCI DSS environment, so if you are unable to demonstrate to your Qualified Security Assessor (QSA) or Acquirer (Self Assessments), during the annual licensing inspection, that you have carried out these mandatory flight safety checks.

Failure to do so and you run an increased risk of failing to be re-licensed to fly your PCI DSS operations.

• For airlines, annual re-licensing must be completed on the official paperwork (e.g. Civil Aviation Authority (CAA)).

• The same applies for PCI DSS, with the only recognised licence being on the PCI SSC's documentation (e.g. SAQ, RoC & AoC).

More importantly, these flight safety checks are designed to help you maintain safe flight operations and to reduce the risk of suffering a flight incident.

In addition, to the mandatory checks, you need to maintain a highly skilled team to support your flight operations, e.g.

• Pilots.

• Co. Pilots.

• Navigators.

• Flight Safety Attendants.

• Ground Engineers.

• Air Traffic Controllers.

• Passenger Handling.

• Security Processing.

Each member of the team understands the roles of their other members of the team and work in harmony with each other.

The business owners understand the importance of maintaining the aircraft and skillsets of their employees and, as a result, do not regard flight safety as a 'Tick Box' exercise and embrace these requirements as Business As Usual (BAU) operations.

• In Flight Checks

Once airborne, the safety checks continue with the Aircrew and Flight Safety Attendants integrating with the Air Traffic Control staff to ensure that any emerging threats (e.g. Lightening Storms, Turbulence, etc.) can be averted and to help ensure that the passengers have a comfortable journey.

Additionally, the onboard staff must be well trained in the incident response life-cycle:

The NIST incident response life-cycle

1.  Prepare
The work needed to get ready for incident response, including establishing the right tools and resources and training the team. This phase includes work done to prevent incidents from happening.

2.  Detect & Analyse
For many organisations, this often the most difficult part of the incident response process.

3.  Contain, Eradicate, and Recovery
Focused on keeping the incident impact as small as possible and mitigating service disruptions.

4.  Post-Event Activity
Learning and improving after an incident is a crucial part incident response.  However, this most often ignored. In this phase the incident and incident response efforts are analysed. The goals here are to limit the chances of the incident happening again and to identify ways of improving future incident response activity.

Imagine what might have happened to US Airways Flight 1549, had Captain Sullenberger and his crew not have reacted so effectively. Their incident response training allowed them to be effectively prepared for unexpected events, saving the lives of 155 people:

• Incident Response Time - 108 seconds.

• Post Flight Checks

Once the flight arrives at its destination, you have noticed that the last people to leave the aircraft is the onboard crew, the aircraft is always met by a team of ground engineers, the Air Traffic Control are in constant communications with the aircrew until the aircraft is is secured on its assigned stand and that the Flight Safety Attendants continue to be responsible for the safety of the passengers, until they are safely transferred across to the airport (where the airport becomes responsible).

Recommendations

Poorly maintained aircraft and poorly trained staff undermines the reliability and safety of an airline and, as a result, will increase the risks of suffering a serious incident. This, in turn, will discourage your customers from flying with you.

Imagine your payment card operations as being like aircraft passenger operations.

Which airline would you choose to fly with?

• The airline that does the bare minimum......?

Or;

• The airline that goes above and beyond.....?

Notwithstanding the need for good payment card (passenger) flight safety operations, your aircraft (business) could have responsibilities for other cargo types (baggage (personal data), freight (account data), which are stored in other areas of the aircraft.

• Some of the questions to ask yourself are:

How are you measuring your flight safety for your passengers (e.g.  PCI DSS compliance)?

How are you measuring the flight safety for the other cargo types (e.g. GDPR compliance)?

How effective are your policies & operating procedures?
How well do your teams integrate their roles and responsibilities in support of effective operations?

Do you understand the risks associated to your various cargo types (e.g.  Data processing operations)?

It is important to remember that being PCI DSS compliant is the minimum requirement and that businesses should not become complacent that obtaining the annual re-licence will be sufficient to avoid your organisation suffering a data breach, or systems outage.

Conclusion

Using the analogy of airline operations, you can start to appreciate the value of PCI DSS, to your business and the importance of ensuring that this is integrated into your business and how it should bee seen as being beneficial to your organisation?

Failure to respect flight safety can have a detrimental effect on your organisation and can significantly impact your reputation.

Which kind of airline do you wish to be seen as operating?