"Deloitte demonstrated the required technical knowledge of the standard giving us assurance they would provide us with a practical and pragmatic roadmap to compliance."
Director of Internal Control and Compliance, Major Gaming Operator

Introducing PCI DSS

Following a series of high profile data security breaches, credit card users are putting payment processors and merchants under increased pressure to ensure the confidentiality and overall security of personal and transactional data.

Visa and MasterCard have now responded to these demands for improved security by issuing a single approach to safeguarding sensitive data for all card brands: namely the Payment Card Industry Data Security Standard (PCI DSS). This standard is also endorsed, amongst others, by AMEX and Diners.

Deloitte offers a comprehensive set of services to deliver the security and fraud management processes required for compliance, while limiting the overall impact of implementing the standard.

Who does this affect?

The standard aims to give cardholders the necessary assurance that their card details are secure. Although the initial focus of the standard was online transactions, PCI DSS now applies to any organisation that stores, processes or transmits cardholder data.

The standard applies to all IT systems and components, including servers, applications and databases, throughout the transaction process. It also applies to the manual processes and procedures that are an integral part of any successful security and fraud management solution.

Why comply?

By complying with PCI DSS, a merchant or payment processor can benefit in several ways. Compliance:

  • Demonstrates to customers that management take security seriously and have effective controls in place over account and transaction information.
  • Provides a competitive edge in helping to maintain a positive brand image and enhance trust to attract future custom.
  • Provides the respective Regulator(s) with assurance that processes are suitably controlled.
  • Offers exemption from any penalties, fees or fines from the card issuer after a security incident, if proper controls were in place and appropriate actions followed.

As a wide-ranging standard that makes extensive demands across such areas as IT infrastructure, security policies and encryption, some may find the practical application of the standard to be a difficult exercise. However, a breach could incur substantial fines running to hundreds of thousands of pounds or lead to merchants being permanently barred from accepting card payments. With these stringent penalties for non-compliance and with the deadline for overall compliance looming, all member banks, merchants and service providers need to begin planning towards PCI DSS compliance now.

How to achieve compliance

PCI DSS compliance is deliberately demanding to achieve, with its requirements categorised as follows:

  • Build and maintain a secure network.
  • Protect cardholder data.
  • Maintain a vulnerability management programme.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.

Deloitte is experienced at helping organisations achieve compliance with PCI DSS and has developed a four-stage programme, as shown in the diagram below.

1. Scoping

We identify the steps you need to take to become PCI DSS compliant, assess the number of system components that handle cardholder data and look at minimising the number of people who have access to the data. This presents security and operational advantages from the outset and may result in a scope reduction for the compliance programme. We can also help you to select a Qualified Security Assessor (QSA).

2. Gap Analysis

We benchmark your current technical, policy and procedural controls against the standard, bridge the gaps and then form a prioritised, tailored action plan, ranking actions by factors such as their urgency for risk mitigation, the availability of quick wins and their complexity.

3. Remediation Programme

We help you divide your remediation programme into manageable projects, before helping you mobilise resources to address the work. We have experience in the implementation of projects likely to make up your compliance programme and can assist with programme leadership, resource shortfalls or advisory support.

4. Audit and Network Scan

We can support the certification process by conducting a pre-certification audit. As a qualified network security scanning vendor, we also undertake the vulnerability scans that are required for compliance.

Why Deloitte?

Our Security and Privacy practice has performed many PCI DSS assessments, building up a wealth of knowledge on the standard, how it needs to be applied and how to maximise benefit whilst minimising impact.

Our security consultants who deliver PCI DSS engagements are not only experienced with the standard but also hold CLAS, CHECK, HMG Vetting, CISA, CISSP or PRINCE2 certifications.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.