PCI Series — Part I

PCI Series — Part III

“Good” payment security is expensive. The security requirements of PCI-DSS 3.0 are intensive and constantly being updated. If done completely and thoroughly, PCI-DSS can come with a hefty price tag.

It’s no mystery that the PCI Security Council (the Council) is working to improve the compliance requirements to further prevent the ongoing rash of high profile breaches – even at those previously deemed “PCI Compliant”.

The PCI-DSS 3.0 changes (that went into effect during 2015) were developed to address the uncertainties and gaps in the standards that led to many of the recent breaches. They provide additional guidance and explanation on the requirements’ intention as well as the adherence methods to be employed. In other words, the changes have made the requirements more understandable and definitive.

While many of the PCI-DSS 3.0 regulations are simple clarifications, their impact is far reaching – meaning they have become more burdensome and expensive for merchants to implement.

According to Avivah Litan, a Vice President and Research Director at Gartner, “PCI 3.0 is about 27% bigger (more burdensome) than PCI 2.0 and has become incredibly onerous for most merchants.” Additionally, Litan went on to explain how the banks and processors are shifting the burden of credit card security and fraud risk onto the merchant … a proposition that feels slightly unfair, since they (“the merchants”) are being forced to patch a system (“the complex credit card payment network”) that’s inherently insecure.

It’s no wonder that the 2015 Verizon PCI Compliance Report revealed that out of hundreds of large businesses across the world, only 20% were fully PCI-compliant. Of those, only 28% were found to be fully compliant less than a year after full validation.

Why are the numbers so low? Could it be that the task and expense of compliance is just too great for many merchants who are ultimately expected to assume this responsibility?

It would seem so. Keep reading. Below, we highlight some PCI 3.0 standards that are proving to be particularly costly and troublesome for merchants to comply with.

PCI 3.0 Changes: A Closer Look

A primary focus of PCI DSS 3.0 is defining the cardholder data environment (CDE) – those areas that touch or could potentially touch credit card information. Your CDE discovery should include an exhaustive inventory list of the people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. Once all cardholder data locations are identified and documented, the exact scope (or breadth) of your PCI assessment will be known.

Your CDE discovery should look at:

  • Security and Network – All security services, authentication servers, segmentation systems, firewalls, network components (switches, routers, wireless access points, network appliances), and virtual machines as well as other virtual components.
  • Server Types – These include web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name system (DNS).
  • Applications – Such as commercial off-the-shelf (COTS) and custom applications, both internal and external, that are directly or indirectly connected to the CDE.
  • People and Processes – Some to consider are those who maintain the technology infrastructure listed above as well as all those who handle cardholder data including customer service and accounting personnel involved in the manual processing of POS card payments or procedures such as reconciliations, chargebacks, and settlements.

The CDE definition has always been tricky. Typically, merchants have focused solely on the networks that actually handle their credit card data. They believe that as long as their electronic transmissions are protected by a firewall and sensitive information is encrypted that they’ll be immune to attacks. The hitch with that line of thinking is that most networks are interconnected and actually share system components. In these cases, a merchant’s entire network would become part of the CDE and “in scope” for your PCI assessment.

In fact, many recent cyber attacks have been carried out through this exact type of shared network function, as was the case in the Target incident. All it took was an off-site contractor to open the door to trouble. He was given remote network access to perform efficiency updates on HVAC software, and his credentials (meaning username and password) were compromised. The criminals were then able to gain access to the payment network and install malware in order to siphon credit card data from card swipes at POS locations nationwide.

PCI-DSS 3.0 addresses this all-too-common vulnerability by introducing mandatory penetration testing (“Pen Testing”) for all merchants (Requirement 11.3). By requiring the merchant to simulate a real-world attack on their payment network, the Council hopes merchants will better understand their vulnerabilities so they can develop a strategy to protect cardholder data against attacks. Similarly, Pen Testing must be used to directly validate that an organization’s segmentation methods are operational and effective.

According to the 2014 Verizon PCI Compliance Report, this Requirement 11 is proving to be one of the most troublesome for merchants. In fact, it’s the least met requirement of PCI.

Another area addressed by PCI DSS 3.0 that’s proving difficult for merchants to comply with is its interactions with service providers. A merchant’s third-party vendors (“service providers”) including its server data centers, support services that have access to credit card data, and firewall service providers also must be onboard with these requirements for security to be thoroughly effective. To this end, it’s incumbent upon an organization to work only with those service providers who hold themselves culpable in PCI compliance. Otherwise, you could leave yourself susceptible to breaches where your service provider might be at fault but won’t take responsibility or the proper steps to help you rectify the problem.

PCI-DSS has addressed this issue in version 3.0 as well. Now, both merchants and service providers must formally document their respective PCI requirement responsibilities (12.8.5) and must acknowledge their accountability for PCI compliance in writing (12.9). Be mindful that even though these requirements are in place, it doesn’t necessarily mean your service provider will agree to them, let alone adhere to them.

The same holds true for PCI requirement 9.9, which necessitates regular inventorying and inspections of physical POS devices to detect tampering; a common problem at ATMs, gas pumps and cash registers with checkout terminal PIN pads. Hidden cameras and skimmers can be installed on them to capture sensitive information. Locking them isn’t the simple, one-off solution to this problem either, since they can just as easily be tampered with when locked.

Small and Medium Merchants Are Also Vulnerable

As we’ve seen, PCI compliance is a significant endeavor. It requires a substantial amount of time, money, and expertise to complete. Typically, larger businesses have a leg up because they may already have the data and network security technology staff in-house or have the money to hire outside consultants. However, for smaller businesses, PCI is often misunderstood, daunting or just plain ignored.

Many smaller businesses have been able to get away with this mindset in the past. However, the laissez faire approach may no longer be sustainable – flying under the radar isn’t realistic and is actually detrimental. As we mentioned in Part I, Visa reports that 95% of all breaches originate on small businesses’ systems. So they can’t take compliance lightly.

PCI-DSS requires that only the largest merchants (Level 1) conduct full onsite audits annually, using an independent Quality Security Assessor (QSA). Level 1 merchants are defined as those that process 6 million or more transactions/year. Those merchants that process less than 6 million transactions/year (Level 2, 3, and 4), are able to self assess their PCI compliance by using the appropriate Self-Assessment Questionnaire (SAQ); thereby avoiding the cost of an external QSA audit.

The Council suspects that many small and medium billers may be completing their SAQ in order to attain certification, but aren’t actually following through on the many required and critical changes – including people, processes, and technology – to truly be compliant and secure. These changes cost a lot of money. As a result, smaller businesses may be shortcutting the PCI process and skipping critical security steps. While they may be saving money, they’re inadvertently becoming more vulnerable to a network security breach.

It isn’t letting up either. PCI-DSS 3.0 has expanded the SAQ for businesses accepting online payments by an additional 59 questions, for a total of 139. Most questions are highly technical in nature, adding to the complexities and challenges facing small and medium merchants. What’s more, the SAQ requires merchants to “attest” in the SAQ as to exactly how they segment payment data from the rest of their network and prove how they define and secure their CDE. Additionally, they’re required to perform annual penetration testing. At $5,000 per test, it’s another unwanted expense. It leaves many smaller businesses wondering if accepting credit cards is even worth it.

All is not lost though. There are methods for reducing PCI compliance costs. In our final blog in this series, we explore ways that all businesses – large and small – can reduce costs and burden, while ensuring PCI compliance. Stay tuned.