The PCI Security Standards Council has released some valuable information about what is new with compliance in 2016, and things are changing. With PCI DSS version 3.2 due for release soon, this post sets out the Council's guidance together with our own PCI DSS project tips and insights to help with your compliance efforts.
Probably the most important point for your compliance plan in 2016 is that the Council has announced it will release only one update this year, whereas in previous years there have usually been two. The Council believes the compliance process has reached a “mature” stage “which doesn’t require as many updates as we have seen in the past”.
“Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard,” says the Council.
The Council says the release of a new version of the standard is a good time for any business to evaluate where it stands on security and compliance; this, too, is a good tip for your PCI DSS compliance plan. “It is a healthy practice for any company to regularly evaluate how it accepts payments and whether it can reduce the risk to its customers and its organisation by changing business practices for cardholder data exposure,” says the governing body.
Another insight is that there are “drastic changes” in the way card payments are made globally, from more sophisticated mobile phone payments to the EMV chip card rollout in the US (the latter has already happened in Australia).
“By releasing the standard early, with long sunrise dates, organisations can evaluate the business case for their security investments,” says the Council. “This also allows us more time to dedicate to security priorities for those specific payment channels in the future.”
The Council also goes into some detail about what it has evaluated in relation to the 3.2 version. “We are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed and including the updated migration dates for SSL/early TLS,” it says.
The Council also suggests evaluating newer payment technologies such as tokenisation and encryption, which we have discussed and recommended in previous blogs.
“The revision of PCI DSS is as good a time as any to reevaluate how to minimise effort while improving security,” it states.
Having managed a number of Australia’s largest PCI DSS projects, we have seen a number of recurring mistakes that should be avoided:
- PCI DSS compliance projects, particularly in their early stages, are often wrongly seen as purely technology projects. This is a dangerous oversight, as PCI projects can affect finance, customer support, operations and IT.
- Because the potential scope of a PCI DSS project is not appreciated, executive support and budget allocation are often inadequate, particularly in corporate or trans-Tasman engagements that cross divisional, business or geographical boundaries.
- Companies do not leverage their PCI DSS investment to gain ancillary benefits such as improved governance and customer service, improved staff productivity, cash flow and redundancy. Nor do they explore ways to use the same investment to secure additional information such as customer bank account data.
- There is often a blinkered focus on card data at rest. Concentrating only on card storage can have serious consequences, particularly when encryption is employed, because more complex areas such as the call center and more innovative customer interactions often require greater flexibility, not less.
- The previous point often leads companies to underestimate the complexities involved, so they may unwittingly select services that address only a portion of their PCI DSS challenges. PCI DSS projects can be challenging and one size does not fit all, as each company has its own processes and systems. There is a significant gap between traditional payment products, banking products and unique corporate requirements.
- Token processing and card storage are a small piece of a much bigger picture. Understanding, mapping and de-scoping all of the front-end ingress points and back-end interfaces is where the real complexity arises. The key is to enhance security while keeping the flexibility to change cost-effectively as business requirements evolve.
- Not having a clear picture of the scope and size of the problem at the start of a PCI DSS project often results in misallocation of human and financial resources. Assumptions about where card data is stored, how much there is and how well it is protected are often wrong. Companies should consider using data discovery scanning tools to find where card data actually resides and identify areas of risk.
- Most companies do not understand the potential conflicts of interest between industry participants such as banks, QSAs and vendors, to their detriment. It is imperative that you understand these conflicts and discuss your specific requirements with specialists who understand the big picture and have practical insights into remediation.
- It is important to ask the right question: not “what will make my company PCI DSS compliant?” but “given my company’s specific processes and business objectives, what is the most cost-effective way to achieve and maintain PCI compliance?” The answer to the first question may be in-house encryption; the answer to the second is often not encryption.
- Project cost calculations often focus on short-term considerations (i.e. the first twelve months) and overlook long-term costs, so the true total cost of PCI DSS compliance is not minimized. It is critical that the costs of achieving and maintaining compliance with any given solution are weighed together with that solution’s fit with the company’s broader business strategy.
- Don’t confuse theory with practice: the nuances of each card ingress point need to be understood on a client-by-client basis and resolved at a practical level. We often see companies bolt out of the traps down a given path only to grind to a halt when they hit unique complexities in areas such as the call center and in-house IVR systems. A holistic view is important at the beginning of such projects, particularly when broader customer service, digital commercialization or omni-channel business objectives are at play.
- One of the largest PCI DSS projects we managed and deployed affected more than ten business units across two countries and at its peak involved 500 staff. It is imperative that, once PCI DSS certification is achieved, managers and their staff are not simply disbanded back to their BAU activities. At the very least a skeleton team should be maintained to ensure compliance is maintained after the initial certification, for example by ensuring that new payment initiatives do not expose customer card data and bring the company into a non-compliant state.
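Two of the points above are concrete enough to show in code: the Council's note on clarifying PAN masking when displayed, and our advice to use scanning tools because assumptions about where card data lives are usually wrong. The following Python script is an added example, not code from the original post or from the Council; it does a simple card-data discovery scan over a few constructed log lines (using the card networks' published test numbers) by finding 13 to 19 digit candidates, confirming them with the Luhn check so that order numbers and timestamps are not reported, and printing each hit masked to the first six and last four digits, which is the most PCI DSS permits on display. The function names and sample lines are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens (as people type them), not adjacent to further digits so that a
# longer numeric run is not split into a fake card number.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample: an application log mixed with a CRM note. Line 1 holds
# a 16-digit order number that is not a card (fails Luhn); lines 2-4 hold
# the Visa, Mastercard and Amex test numbers; line 5 is a mistyped card
# (fails Luhn); line 6 is a phone number and a date.
SAMPLE = """\
2016-04-28 10:15:03 INFO order=1234567890123456 customer=jsmith status=paid
2016-04-28 10:15:04 DEBUG gateway request card=4111111111111111 exp=12/19
call-centre note: customer read out 5555 5555 5555 4444, took payment over phone
2016-04-28 10:16:10 INFO refund ref 378-2822-4631-0005 approved
typo in CRM field: 4111111111111112
support phone 1300 123 456, opened 2016-04-28
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: possible PAN {masked}")
```

Run stand-alone it reports lines 2, 3 and 4 only. In a real engagement the same logic is pointed at file shares, databases, mailboxes and call-recording stores, and the unmasked hits are never written to the scan report; the masked form is enough to locate the data while keeping the scanner itself out of scope.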