For my last session of the day at TRISC 2009, I decided to attend Joseph Krull's presentation on PCI Compliance. Joe works as a consultant for Accenture and has performed 60+ PCI engagements for various companies. If your organization does any processing of credit card information, my notes from that session below should be useful:
- As many as 65% of merchants are still not PCI compliant
- Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions·
- Many retailers still don’t have a clear view of compliance, and cannot effectively identify gaps
- The first steps to PCI compliance are a thorough internal assessment and gap analysis – many merchants skip these steps and launch multiple costly projects
- PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments
- The framework is comprehensive and effective but adherence to the specific standards is often challenging – primarily due to the complexities involved in both program design and implementation
- Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS. Specific obligations vary based on transaction volumes.
- Focus right now is on the Level 4’s.
- TJX subject to 20 years of mandatory computer systems audits after massive breach
Challenges
- Providing adequate and clear program management for all of the entire spectrum of PCI remediation activities (60-70% give to “Compliance guy” and typically fail. Should go to senior security guy)
- Accurately scoping requirements throughout the organization, including remote sites and international operations
- Evaluating and then implementing a wide variety of complex technologies – including encryption
- Redesigning or replacing internal applications and payment systems to adequately protect cardholder data
- Developing, implementing and enforcing new or revised policies and procedures across the entire organization
- Differing opinions with auditors regarding PCI compliance requirements, especially related to the concept of “Compensating Controls”
- Verifying PCI compliance for 3rd party partners that process data on behalf of the merchant
Differences from PCI DSS 1.1 to 1.2
- Active monitoring plans for all 3rd party PCI Service Providers (Requirement 12.8)
- Visits to offsite data storage locations at least annually
- Mandatory phase out of weak encryption for wireless networks
- Additional requirements for the use of “Compensating Controls” for specific PCI security requirements
- Assessor testing procedures changed from “Observe the use of…” to “Verify the use of”
- Quality assurance program for PCI assessors
- Process restricts or eliminates assessors from performing PCI work due to poor quality assessments
- Assessors must now go beyond cursory observation of security controls and provide statistical samples
- Assessors now going much deeper to include verifying individual system settings, requesting and analyzing configuration files, studying data flows, …
The Cost of Compliance and Non-Compliance
- According to a comprehensive Forrester Research report on PCI compliance, companies spend between 2%-10% of their IT budget on PCI compliance
- Credit card companies are levying fines on non-compliant merchants
- Up to $25,000 per month for each month of non-compliance for L1’s ($5,000 for L4’s)
- $10,000-$100,000 per month for prohibited storage of magnetic stripe data
- Up to $500,000 per incident if a confirmed compromise occurs
- Continued non-compliance may result in revocation of CC processing privileges
- Banks and acquirers may increase processing fees for non-complinat merchants. In 2008, one retailer estimated an annual increase in operational costs of $18 million due to this increase in processing fees on VISA card transactions alone.
- Banks and acquirers can often pass on damages they incur to merchants
- Repeat or additional PCI assessments & internal audits
Corporate Compliance Framework
- Although PCI provides compliance requirements in most areas, it’s only a subset
- ISO 27002:2005 is what they used for PCI
- Good general requirements, but no explanation on how to do it
- PCI sets best practices
- For example, ISO 5.1.1 maps to PCI 12.1, 12.4, and 12.6.2
How to “Sell” PCI Compliance to Senior Management
- Gloom and Doom
- Fines and sanctions will sink us
- Probability of success 40-50%
- The PCI Umbrella
- We need these 15 projects and ten new security products to be PCI compliant
- Probability of success 40-50%
- Who has done the gap assessment
- The Long Term Approach
- If we achieve PCI compliance we will also be well on our way to other requirements
- PCI compliance is not a project or technology based solution – it is being able to demonstrate that an organization has the means in place to protect sensitive information
- Use as a building block to sell to senior management
