Following the PCI Council revealing in February that they would be publishing a new version of the Payment Card Industry Data Security Standards (PCI DSS) in 2016, which will feature updated deadline dates for the Secure Sockets Layer (SSL)/Early Transport Layer Security (TLS) migration, it has led to some in the industry looking at how PCI DSS compliance is currently measured and assessed.
As it currently stands, the way the PCI Council regulates the PCI DSS compliance requirements is fundamentally wrong for businesses today. In fact, the harsh reality is that for many organisations, the process of gaining PCI DSS accreditation is nothing more than a tick box activity that they must go through – a rush to compliance nirvana.
Organisations need to stop going through the motions with PCI Compliance and adopt a risk based approach which will enhance their understanding and visibility of the whole business’ security risks.
> See also: The five myths of PCI DSS compliance, debunked
What is most concerning is that many business leaders do not have an understanding of the residual risk facing their organisation. They need to recognise that the business as a whole, not just the IT Department, must understand and overcome the cyber security challenges they are facing if they are to minimise the risk of loss of PII data or a breach.
Why there is a need for change
Within a large corporation there are lots of different ways that credit card data is processed, whether via the call centre, e-commerce sites or the traditional, physical stores – PCI is applicable to every one of those channels.
This means the requirements outlined by the PCI standard come to bear across the entire corporate estate. For a lot of large retailers, many of which have come about due to acquisition, packing together IT systems is fine and, within reason, ‘do-able’. However, when it comes to applying the PCI standard across the whole estate it is a gargantuan task and the cost is huge.
For most Level One merchants the cost of PCI compliance is between £10-18million. When in reality, not all controls need to be applied across the whole estate. If we go back to the numerous ways consumers purchase goods, the smaller percentage is carried out through the call centres.
Whilst these have obvious risks, if the volume is low why spend a disproportionate amount of time and money implementing endless controls when 95 percent of transactions go through the e-commerce and traditional face-to-face routes?
America vs. Europe
The way the PCI standard has been written is to assume all bases must be covered and should be ticked off in a long list of 'stuff to do'. Pragmatism, risk mitigation, risk reduction, acceptable risk appetite are terms which aren’t present within the PCI DSS standard and yet they should feature highly.
The greatest risk of the ‘cardholder not present’ transaction and the old method of signing the slip of paper – Europe dealt with in one fell swoop a long time ago when it moved to the EMV Chip and Pin method of payment, which saw fraud significantly reduced.
But in the US no such method exists and so organisations globally are faced with a list of 350+ controls and security measures that they are told need to be implemented.
It is therefore no surprise that we end up in a situation where European executives look at these controls and question the pragmatism of applying all of them.
As an example, the regulation says UK telecoms providers have to patch their servers every 30 days, but for the Telecoms provider to actually do that means their IT resource would have no bandwidth to do anything else due to the sheer volume they have. Whilst the intent of the PCI standard was never for it to be written in that way, unfortunately that has become the interpretation by too many QSAC’s.
So, in Europe, the way we try to persuade people to adhere to better behaviour is to explain why it needs to be done. We hope in that explanation, the level of security they need to implement is implicit and they go away with a pragmatic view on what they should do to ensure their business is less risky.
Our American counterparts, and the more litigious environment in which they operate, tend to prefer the prescriptive list of ‘do’s and don’ts’ after which they can negate responsibility and pass on the liability if there were a breach 'I did everything on the list of controls and therefore it’s not my problem'.
Whereas, in Europe we work on the basis of understanding. We understand the inherent risks and that we want to do as much as possible to mitigate these factors.
However, we acknowledge there is always a little risk left, so we quantify it and the potential impact to our business – this is the level of risk that we, as a business, are willing to tolerate.
Measuring business risk
Another factor to take into consideration is that PCI is not on the CIO’s agenda. The wider remit of cyber security is they do not want to end up in front of the cameras like TalkTalk last year.
The CIO is therefore interested in having one cohesive program that deals with all aspects of securing Personal Identifiable Information (PII) and valuable data. Within that remit they will recognise that credit card data will have its own intrinsic value.
But they may well, if they are a retailer, have a name, address, store card details and other endless pieces of information for each customer, so the CIO wants one consolidated view and approach to deal with all these elements. The next questions they then ask are ‘What does good look like when securing all our valuable data assets?' and 'what security framework should we align to?', nine times out of ten that framework is ISO27001.
Frameworks and standards
In most cases the CIO will adopt ISO27001, others may choose NIST, ISF and IASME, but regardless of the framework they all broadly adopt the same approach. They state that you must understand and define your risk (inherent and residual) and apply appropriate controls across critical systems accordingly to reduce the risk so that it sits within the organisations risk appetite.
This leaves PCI DSS rather alone as the only 'framework' which requires finite and complete implementation with no reference to risk.
This is why organisations have said they’ll take a risk based approach to PCI, which aligns with all the other activities going on within the business. For those adopting the risk approach, the key is to take a more pragmatic view of cyber security and stop looking at compliance as an end game as it offers no guarantees.
Ultimately, there is little point in achieving a PCI compliance goal when other information, such as bank account details, passports, driving licences or other PII data, are left unsecure.
Driving the need for change
The truth of the matter is that change is already underway, with organisations, merchants and acquiring banks turning their backs on the PCI checklist to a more risk based approach that aligns with business objectives and corporate risk.
A couple of years ago, alongside Barclaycard, we created the ‘Barclaycard Risk Reduction Programme’, which took the view of not chasing the compliance dream but focusing on reducing risk to your business.
The programme won plaudits from acquiring banks and the card schemes themselves, with a majority of merchants adopting it as it works in the context of their wider risk mitigation and governance schemes.
This move to the risk based model is further supported by the news that the card schemes have removed the non-compliance and non-progression fines for merchants. So, if you are not going to get fined for non-compliance, then you are less likely to find the need to be compliant in the first place. Equally, the fining mechanism for PCI data losses or breaches has also changed.
Of old, there would have been an investigation and fines for the number of live cards that you had at an appropriate point and price. Now the card schemes say that if you have a breach, you will be fined for the aggregated losses associated with that breach or loss.
So the course of direction that PCI and the industry is taking is one of alignment – bringing multiple elements together as one. In the way the European General Data Protection Regulation is saying it is up to the business whether they wish to do anything with data security, but in the event that you don’t and you lose the data, you will be fined up to 5 percent of global turnover.
Exactly the same principle now applies with PCI – if you lose 250 million credit cards, then you’ll be fined the aggregated losses that go with that, which could run into billions of pounds.
Many have been calling for a change of approach and to take data security more seriously for a number of years. Some have taken advantage already but many are now only just paying attention.
This is largely because legislation is coming to the fore, in the way of the EU GDPR, and the card schemes are aligning with the measures outlined. Now the PCI Council needs to follow suit.