PCI:DSS compliance approach

by Mark Rowe

Businesses are often telling me of their frustrations with the onerous task of getting their establishment into a compliant Payment Card Industry: Data Security Standard (PCI:DSS) state, writes Jim Seaman of RandomStorm.

When faced with the plethora of PCI:DSS controls and the myriad of three-letter-abbreviation (SAQ, AOC, ROC) based forms, I can appreciate the problems businesses are facing.

What is the purpose of PCI:DSS?
To truly appreciate what PCI:DSS is trying to achieve, it is worthwhile looking into its history. The current version (2.0) was launched in October 2010, having been developed, over several years, from each of the individual card brands’ programmes (VISA, MasterCard, American Express, Discover and JCB). The Payment Card Industry Security Standards Council (PCI:SSC) took each of these similar programmes and aligned them into a single standard, designed to help merchants meet a definitive ‘baseline’ level of security around their processes for storing, processing and transmitting payment card data. The truth is that many merchants perceive their PCI:DSS obligation as a burdensome, difficult and costly procedure. However, if businesses were to look at the reality that lies behind the payment card industry, I’m sure that they would have a greater appreciation of its importance to their organisation.

Reality of the payment card industry
Any merchant that allows the purchase of goods and services with a payment card has a substantial reliance on their customers being happy to use this method of payment and, therefore, the safety and security of this is as important as providing good customer service. A significant number of customers are increasingly using payment cards to make their purchases, and this number is only ever going to increase as technology makes the payment process more flexible and reduces the burden of having to repeatedly visit the bank to withdraw funds for a purchase. Take this simple example: a pair of salesmen on a business trip stop at a nice-looking café in a quaint village. After enjoying a nice meal, on expenses, they go to settle the bill using the corporate credit card. This is met by the embarrassing situation created by the café only dealing in cash, leading to one of the two salesmen having to leave his colleague to drive and find the nearest ATM, enabling them to pay for the meal. Not only was this an inconvenience, impacting on their working day, but it also created significant embarrassment for them. Would the two salesmen consider returning to this café next time? Unlikely.

This is the same for any merchant that does not offer the flexibility of paying by card. Any potential customer may be tempted to make that impulse purchase using a payment card. However, if the shop does not accept that facility, the additional inconvenience, and time, of having to find the nearest ATM may be enough to dissuade them from making that purchase. As a result, in 2012, there were a total of 169 million payment cards in issue in the United Kingdom (56.4 million credit cards, 6.6 million charge cards, 88.6 million debit cards and 17.4 million ATM-only cards). That equates to each member of the working population owning an average of 4.4 payment cards.

The total payment card spending in June 2013 was reported as being in the region of £43 billion, from a total of 880 million purchases (average transaction: £48.86). To improve access to this market, the banks have given merchants access to the payment card data that supports the payment card process. The criminal fraternity has not been slow to recognise the potential for harvesting and illegally using this data, giving them access to sums of money that their ancestors would have had to rob a bank to obtain.

Application of PCI:DSS
The concept behind the PCI:DSS is nothing new and harks back to the 4th Century Roman Empire’s application of ‘defence in depth’, whereby they would not prevent incursions into Roman territory but aimed to neutralise them, on Roman soil, before they managed to reach the heart of Rome, thereby turning their border regions into combat zones. Building on this, the PCI:DSS concept starts with the creation of a secure bunker, often referred to as the Cardholder Data Environment (CDE), at the heart of an organisation’s IT, segmented off from the Business As Usual (BAU) environment. This area supports all of their card payment processes (storage, processing and transmission) – Requirements 1-4. Having created the ‘Secure Bunker’ concept, it is essential that its integrity be well maintained, so that any vulnerability is swiftly eliminated and only authorised personnel are able to gain access in order to carry out their payment card roles. This includes ensuring that the supporting IT infrastructure remains ‘fit for purpose’, that authorised access controls are maintained and that the authorised employees’ activities within the bunker are monitored (protecting against ‘Human Factor’ threats, whether deliberate or accidental) – Requirements 5-10.

With the ‘Secure Bunker’ concept in place, comes the proactive layer. This is where an organisation seeks to discover any further weaknesses to their environment through a combination of security testing (internal-external penetration tests) and patrolling (internal-external scans) – Requirement 11. Finally, with all this in place, come the policies and procedures that formally outline what is expected from an organisation’s employees, working in the payment card segment of their business. Ultimately, stating what they ARE and ARE NOT allowed to do and HOW to correctly use the supporting equipment.

With the best will in the world, it is important to remember that even a PCI:DSS compliant business cannot completely mitigate the risk of a successful incursion into their CDE. However, in the event of such an incident, an organisation needs to be able to react quickly and efficiently to the notification of a potential unauthorised intrusion, ensuring that effective counter-compromise action can be employed – Requirement 12.

Intuitive approach
This overview provides the platform upon which a merchant can build a PCI:DSS compliant process. The first step being the adoption of the KISS (Keep It Simple Stupid) approach: Consider your business environment and the best payment model that can be applied to support this. Here is a non-exhaustive list of the type of questions you should be asking yourself:

• What type of merchant am I?
  o If you’re a pure e-Commerce merchant, build towards an SAQ-C.
  o If I’m a small retail outlet (such as a café), can I use a standalone payment facility – SAQ-B?
• Which payment model relies on the least supporting IT infrastructure?
  o The smaller the supporting IT infrastructure, the smaller the compliance burden.
• Is the proposed CDE built on ‘future-proofed’ technology?
  o Technology is, by its very nature, dynamic and swiftly advances, leaving the older technology in its wake. This then becomes unsupported, leaving it extremely vulnerable to attack.
• Can I benefit from outsourcing to a validated Service Provider?
  o Can I transfer the responsibility for all, or some, of the PCI:DSS controls to an external party who is already providing a PCI:DSS compliant payment facility?
• Do I have the staff, with the level of expertise, to be able to monitor, interpret and react to any potential incursion?
  o Effectively ensuring that an appropriate reaction timeline is in place, enabling you to respond, and react, to potential incursions, so that any potential attacker may be Defended against, Detected, Deterred, Delayed, Disrupted or even Detained, and the payment card data is adequately protected.
• When choosing automated monitoring tools, can you make sense of the wealth of data they may be collecting for you?
  o Can you identify unauthorised access attempts?
  o Can you detect unauthorised changes within the CDE?
  o Do the internal scans enable you to swiftly identify and remediate any vulnerabilities?
  o Do the ASV scans give me the level of detail needed to truly appreciate whether my infrastructure might be under attack? Remember, as with any attack, the perpetrator will carry out ‘Hostile Reconnaissance’ first, followed by ‘dipping their toe in the water’ before diving in.
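The two monitoring questions above (spotting unauthorised access attempts, and detecting unauthorised changes within the CDE) are the kind of thing a merchant can answer with a small amount of detection logic rather than a large tool. The following is an added example, not code from the article or from RandomStorm. It assumes syslog-style sshd lines as input for the access-attempt check, and an in-memory mapping of path to file contents as a stand-in for a CDE file system for the change check; the sample log lines and sample files are constructed for illustration and use documentation IP ranges.

```python
import hashlib
import os
import re
from collections import defaultdict

# --- Part 1: unauthorised access attempts ---------------------------------
# Constructed sshd-style auth log (not real data). 203.0.113.0/24 is a
# documentation range; 10.10.5.20 stands in for an approved admin host.
SAMPLE_AUTH_LOG = """\
Jun 12 09:01:02 cde-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 12 09:01:04 cde-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jun 12 09:01:05 cde-db01 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jun 12 09:01:09 cde-db01 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jun 12 09:01:11 cde-db01 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jun 12 09:01:40 cde-db01 sshd[2150]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Jun 12 09:05:00 cde-db01 sshd[2210]: Accepted publickey for dba from 10.10.5.20 port 40022 ssh2
Jun 12 09:06:00 cde-db01 sshd[2220]: Failed password for dba from 10.10.5.20 port 40023 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def detect_access_attempts(log_text, threshold=5):
    """Return alerts as (kind, source, detail) tuples.

    Two patterns are flagged: a source reaching `threshold` failed logins
    (repeated_failures) and a successful login from a source that has
    already hit that threshold (success_after_failures), which is the
    'toe in the water, then dive in' sequence the article describes.
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, src = m.groups()
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("repeated_failures", src, failures[src]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:
                alerts.append(("success_after_failures", src, user))
    return alerts


# --- Part 2: unauthorised changes within the CDE -------------------------
def hash_tree(files):
    """Map each path to the SHA-256 of its contents (files: path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def hash_directory(root):
    """Same as hash_tree but walks a real directory; used for a live baseline."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = fh.read()
    return hash_tree(files)


def diff_baseline(baseline, current):
    """Compare a stored baseline against the current hashes; any non-empty
    list is a change that should match an approved change record."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed snapshots of a few CDE host files, before and after.
BASELINE_FILES = {
    "/opt/payapp/bin/pos": b"binary-v1",
    "/opt/payapp/conf/app.conf": b"listen=443\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
CURRENT_FILES = {
    "/opt/payapp/bin/pos": b"binary-v1",
    "/opt/payapp/conf/app.conf": b"listen=443\nlog_level=debug\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/opt/payapp/bin/.helper": b"unknown",
}

if __name__ == "__main__":
    for alert in detect_access_attempts(SAMPLE_AUTH_LOG):
        print("ACCESS:", alert)
    for kind, paths in diff_baseline(hash_tree(BASELINE_FILES), hash_tree(CURRENT_FILES)).items():
        print("CHANGE:", kind, paths)
```

On the sample data the access check raises two alerts for 203.0.113.7 (five failures, then a successful root login) and stays silent for the approved host, while the change check reports the new hidden file and the two edited configuration files. In practice the baseline from hash_directory would be stored off the host and every reported difference reconciled against the change-control record that Requirements 10 and 11 expect.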

These are the types of questions a good Qualified Security Assessor (QSA) would ask you during any Gap Analysis assessment. They will strive to understand how your business model works and how PCI:DSS could be effectively applied to bolster the payment card part of your business. Remember, this is an increasingly important part of your business and needs to be treated as such. The PCI Security Standards Council (PCI SSC) has gone to great lengths to provide businesses with a comprehensive set of controls to help you strengthen your environments and, if you are daunted by such a task, they have made available a number of security professionals, QSAs, to help guide you through this process (should you require).

About the author
Jim Seaman is a Senior Security Consultant at Randomstorm, a network security company. It’s a CESG CHECK security consultancy and a Qualified Security Assessor for the Payment Card Industry Data Security Standard. Visit www.randomstorm.com.

About PCI DSS: visit www.pcisecuritystandards.org.

© 2024 Professional Security Magazine. All rights reserved.