For my last session of the day at TRISC 2009, I decided to attend Joseph Krull’s presentation on PCI Compliance.  Joe works as a consultant for Accenture and has performed 60+ PCI engagements for various companies.  If your organization does any processing of credit card information, my notes from that session below should be useful:

  • As many as 65% of merchants are still not PCI compliant
  • Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions
  • Many retailers still don’t have a clear view of compliance, and cannot effectively identify gaps
  • The first steps to PCI compliance are a thorough internal assessment and gap analysis – many merchants skip these steps and launch multiple costly projects
  • PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments
  • The framework is comprehensive and effective but adherence to the specific standards is often challenging – primarily due to the complexities involved in both program design and implementation
  • Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS.  Specific obligations vary based on transaction volumes.
  • Focus right now is on Level 4 merchants.
  • TJX is subject to 20 years of mandatory computer systems audits after its massive breach

Challenges

  • Providing adequate and clear program management for the entire spectrum of PCI remediation activities (60-70% of organizations hand this to the “compliance guy” and typically fail; it should go to the senior security person)
  • Accurately scoping requirements throughout the organization, including remote sites and international operations
  • Evaluating and then implementing a wide variety of complex technologies – including encryption
  • Redesigning or replacing internal applications and payment systems to adequately protect cardholder data
  • Developing, implementing and enforcing new or revised policies and procedures across the entire organization
  • Differing opinions with auditors regarding PCI compliance requirements, especially related to the concept of “Compensating Controls”
  • Verifying PCI compliance for 3rd party partners that process data on behalf of the merchant

Differences from PCI DSS 1.1 to 1.2

  • Active monitoring plans for all 3rd party PCI Service Providers (Requirement 12.8)
  • Visits to offsite data storage locations at least annually
  • Mandatory phase out of weak encryption for wireless networks
  • Additional requirements for the use of “Compensating Controls” for specific PCI security requirements
  • Assessor testing procedures changed from “Observe the use of…” to “Verify the use of”
  • Quality assurance program for PCI assessors
  • This process restricts or bars assessors from performing PCI work after poor-quality assessments
  • Assessors must now go beyond cursory observation of security controls and provide statistical samples
  • Assessors now going much deeper to include verifying individual system settings, requesting and analyzing configuration files, studying data flows, …

The Cost of Compliance and Non-Compliance

  • According to a comprehensive Forrester Research report on PCI compliance, companies spend between 2%-10% of their IT budget on PCI compliance
  • Credit card companies are levying fines on non-compliant merchants
    • Up to $25,000 per month for each month of non-compliance for Level 1 merchants ($5,000 for Level 4 merchants)
    • $10,000-$100,000 per month for prohibited storage of magnetic stripe data
    • Up to $500,000 per incident if a confirmed compromise occurs
    • Continued non-compliance may result in revocation of CC processing privileges
  • Banks and acquirers may increase processing fees for non-compliant merchants.  In 2008, one retailer estimated an annual increase in operational costs of $18 million due to this increase in processing fees on VISA card transactions alone.
  • Banks and acquirers can often pass on damages they incur to merchants
  • Repeat or additional PCI assessments & internal audits

Corporate Compliance Framework

  • Although PCI provides compliance requirements in most areas, it’s only a subset of a full corporate compliance framework
  • ISO 27002:2005 is the framework PCI was built on
  • ISO gives good general requirements, but no explanation of how to implement them
  • PCI sets best practices
  • For example, ISO 5.1.1 maps to PCI 12.1, 12.4, and 12.6.2

How to “Sell” PCI Compliance to Senior Management

  • Gloom and Doom
    • Fines and sanctions will sink us
    • Probability of success 40-50%
  • The PCI Umbrella
    • We need these 15 projects and ten new security products to be PCI compliant
    • Probability of success 40-50%
    • Who has done the gap assessment?
  • The Long Term Approach
    • If we achieve PCI compliance we will also be well on our way to other requirements
  • PCI compliance is not a project or technology based solution – it is being able to demonstrate that an organization has the means in place to protect sensitive information
  • Use as a building block to sell to senior management