WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage, costly fines and even loss of the ability to accept and process credit cards.
Credit card breaches happen regularly to unprepared merchants around the country. Two high-profile examples illustrate how these breaches can balloon:
- From July 2005 to January 2007, discount retailer TJX Companies, Inc. suffered the largest computer data breach in corporate history. The incident affected more than 45 million credit and debit cards and cost the company an estimated $256 million in lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims. Information on at least 451,000 customers, including Social Security and driver’s license numbers, was exposed to identity theft.
- In January 2009, Robert Baldwin, Heartland Payment Systems’ president and CFO, stated that intruders had access to Heartland’s system for “longer than weeks” in late 2008. Tech security experts said the breach could set a record. With more than 100 million transactions per month, Heartland may yet discover that several months’ worth of transactions were captured.
Although six years and multiple deadlines have passed since the standard was devised, as of March 2008, only an estimated 77 percent of Level 1 merchants (those with more than 6 million annual transactions) and 61 percent of lower-volume merchants had fully validated their systems to demonstrate compliance.
Additionally, many more merchants believe they are in compliance when, in fact, they are not. They have either not taken steps to validate their compliance or have misinterpreted the requirements, and therefore are not correctly protecting their systems from security breaches. Given the risks associated with data breaches, and the fact that most validations are performed by self-assessment, this is an issue internal audit departments should take more seriously.
This white paper provides an overview of what auditors need to know about PCI DSS compliance and why it should be an important initiative for internal audit. It spells out the steps firms should take to protect their interests.
PCI DSS Background
Originally, MasterCard, Visa and other card brands absorbed losses from security breaches on their own. Then, around 2000, MasterCard and Visa implemented programs to control and reduce those losses. The two programs eventually merged their standards in an attempt to unify the industry. In December 2004, the expanded PCI DSS was adopted by MasterCard and Visa, as well as American Express, Diners Club, Discover Card and JCB.
Since September 2006, PCI DSS has been administered by the PCI Security Standards Council. The standards undergo regular revision; PCI DSS 1.2 was released on September 25, 2008. The standards are not laws or regulations. Rather, they are established through contractual obligations between the card brands and merchant banks that acquire and process the transactions on behalf of merchants. However, the data security requirements effectively flow down to merchants, who agree in their merchant card processing agreements to comply.
PCI DSS is much more prescriptive and specific than regulatory requirements such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and state breach notification laws. For example, while the federal privacy laws are objective-based and require actions like risk assessments, PCI DSS imposes 248 individual requirements on merchants and service providers.
Compliance and Validation Requirements
The standards apply to all merchants and service providers – regardless of industry or size – that store, process or transmit cardholder data. Compliance is mandatory, but what is critical to understand is that compliance validation procedures differ depending on the merchant or service provider’s category level.
The table in the following section summarizes four levels of status as defined by American Express and Visa. Note that each level has different validation requirements.
Understanding the Scope of a Validation
In almost every case, breaches are traceable to merchants that have failed to comply with the PCI DSS requirements. Other than not validating processes at all, the most common error involves companies that perform the self-assessment questionnaire using a narrow scope.
Information technology (IT) organizations also tend to assume some controls are in place when they actually are not or they misinterpret the requirements. The result is management’s perception that they are compliant, when the reality may be far different.
Getting the scope right is critical to an accurate validation. Companies must keep in mind that PCI DSS applies to all of their systems, including:
- All external connections into the merchant network
- All connections to and from the authorization and settlement environment (e.g., routers, switches, firewalls, web servers and wireless connections)
- Any cardholder data repositories, including those outside of the authorization and settlement environment (such as document images and voice recordings)
- All systems connected to any of the above
Effectively, merchants and service providers must either “segment” their PCI-affiliated devices from the rest of their network or validate their entire network. This is an area of frequent misunderstanding by merchants. The following guidelines clarify how the audit scope, self-assessment questionnaire and scans should be interpreted:
- In a nonsegmented or “flat” network, all devices are in scope for audit and scans. The entire network needs to comply with PCI DSS requirements.
- In a segmented network, only devices within the discrete “PCI segment” are in scope and need to comply with PCI DSS audit requirements. Establishing proper segmentation is critical to using this method to reduce your scope.
Steps to Compliance and Proper Validation
The following steps are a brief overview of what auditors can do to assess their company’s compliance with PCI DSS and remediate potential risks.
Step 1: Perform a Scope and Gap Analysis
The first step is to perform a scope and gap analysis of your systems and networks. This will determine whether your configuration properly segments PCI data from externally accessible systems and the rest of the internal network. The gap assessment should then cover all of the PCI requirements within the appropriate scope. Although self-assessment questionnaires have recently been vastly improved to address all PCI controls, organizations should still refer to the PCI audit procedures document when carrying out the gap analysis to ensure the requirements are properly interpreted. As with any internal audit, it is important that the auditor independently validate compliance with the standard, since IT performed the initial assessment and may not believe there are any gaps. Determining your scope and gaps will assist in determining what might need to be remedied and how best to approach the remediation process.
Step 2: Reduce the Storage of Cardholder Data
Remove cardholder data from as many locations as possible. Typically, merchants store information that may include cardholder data for much longer than the business requires. By removing this information entirely, you may reduce your scope and actual risk.
Step 3: Segment Your PCI Network
One of the best ways to reduce risk – and the PCI scope – is to separate the PCI systems from other internal systems with a proper segmentation, including a firewall. Auditors need to work closely with their IT departments to ensure PCI DSS requirements are properly understood and implemented.
Step 4: Implement Other Ways to Limit the Scope
Other methods can be used to reduce the scope. The most common is PAN (primary account number) truncation (first six and last four digits only), or hashing. Since a truncated or hashed PAN is not considered cardholder data, it does not need to be protected and is not in the PCI scope. In addition, auditors can recommend specific process and procedural changes that mitigate the risk. However, these “compensating controls” must be above and beyond the requirements in the standard and also meet the intent and rigor of the original requirement.
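As an added illustration (not code from the paper), the following Python script ties Step 2 and Step 4 together: it finds Luhn-valid PANs in a constructed text export, rewrites them in truncated form (first six and last four digits) and produces a hash for each. It goes beyond the page in one respect: the hash is keyed (HMAC-SHA256) rather than a bare hash, for the reason given in the comment; the key value and the sample export are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample of the kind of stored record Step 2 is concerned with:
# a plain-text order export that still carries full card numbers.
SAMPLE_EXPORT = """order=1001 card=4111111111111111 note=shipped
order=1002 card=4111111111111112 note=fails luhn, not a real PAN
order=1003 ref=ABC-123456789 note=too short to be a PAN
order=1004 card=5500 0000 0000 0004 note=spaces between groups"""

# Assumed secret for the keyed hash (hypothetical value, not from the page).
HASH_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that card PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Candidate PANs (separators removed) in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, as the paper describes; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a PAN. The key is the addition here: a bare hash of a
    16-digit number is cheap to brute-force, and a truncated copy of the same PAN already
    reveals ten of its digits, so only the secret key keeps the hash from being reversed."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact_export(text: str) -> str:
    """Rewrite text so every Luhn-valid PAN is stored only in truncated form."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(_mask, text)
```

Running `find_pans(SAMPLE_EXPORT)` returns the two valid PANs only; the Luhn-invalid and too-short values are left untouched by `redact_export`.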
Internal audit should keep in mind that companies often fail the validation process because of problems in key areas such as:
- Lack of or weak encryption processes
- Lack of documentation on process design, testing and support evidence
- Lack of network documentation and architecture
- Outdated equipment that is unable to support the strong authentication (no telnet or unencrypted admin access) and logging required
Penalties for Noncompliance and Safe Harbor
Penalties and deadlines are established by each card brand, but they usually include fines, higher transaction rates, and the risk of the card brand revoking the merchant’s ability to accept the card. In the event of a serious security breach, fines of up to $500,000 can be levied for each instance of noncompliance. Most of the time these fines are not the most expensive result of a breach. The Ponemon Institute found that the average cost of a breach in 2008 was $202 per lost record.
Merchants and service providers can obtain safe harbor from penalties only if they are in full compliance with PCI DSS at the time of the breach, as demonstrated during a forensic investigation. The entity must have validated full compliance prior to the compromise. Neither submission of a report on compliance nor a self-assessment questionnaire alone will provide a merchant safe harbor status.
Taking Validation Seriously
In short, compliance with PCI DSS is an absolute requirement for all merchants and service providers. If the company is still not validating at all, or has validated based on incorrect interpretations or assumptions, action must be taken immediately to address the severe risk of a data security breach.