Reasons to choose PCI Compliance Solutions from Columbus UK
Accredited Level One PCI DSS Certification
Our hosted telephony and card processing platforms have accredited Level One certification for PCI DSS compliance with security at the core of everything we do.
Outstanding PCI Compliance Solutions
We offer a wide range of highly secure, reliable and easy to use solutions that help organisations across all sectors remove sensitive card data from their environment.
A Flexible Approach to Commercials
Low capital investment and affordable monthly licensing. Instant refund and re-processing functionality. No charge for declined or refunded payments.
Exceptional Customer Service & Account Management
We’ll work with you closely to identify the compliance challenges that you need to address and provide comprehensive guidance and recommendations.
Mitigate risk, minimise capital investment and save time and resources with cloud-based PCI Compliance Solutions
Columbus PCI Compliance solutions are designed to help you meet and maintain PCI DSS by descoping your organisation from the requirements of the regulations. All transactions (telephone and online) are handled off site with no sensitive data provided to anyone within your business throughout any part of your payment workflows. Find out more below.
What is PCI DSS?
PCI DSS is the worldwide Payment Card Industry Data Security Standard, set up to help businesses process card payments securely and reduce card fraud. It does this by enforcing tight controls on how businesses store, transmit and process cardholder data. PCI DSS is intended to protect sensitive cardholder data. The standard has 12 high-level requirements, divided into six categories:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Why is PCI DSS Compliance Important?
Achieving compliance with PCI DSS means that your organisation is doing its utmost to keep valuable information safe, secure and out of reach of individuals and other entities that could use your data for illicit purposes. Reaching and maintaining PCI DSS compliance is critically important for any business that stores, transmits or processes card data. Compliance is much easier to achieve for businesses that do not hold card data at all, and not holding it significantly reduces the risk of your customers being affected by a data breach. In essence: if you don’t need the data, don’t store it.
If I'm not compliant, what may happen?
If you do store card data, suffer a data breach (i.e. lose card data) and are not PCI DSS compliant, you may be prevented from accepting card payments, and you could incur card scheme fines for the loss of this data of up to £50,000 per infringement. You may also be liable for any fraud losses incurred against the lost card data and for the operational costs of replacing the affected accounts. If you are suspected of having suffered a data compromise, you will be required to engage a PCI Forensic Investigator (PFI) to establish the source of the breach and ensure any compliance gaps are closed. The cost of a forensic investigation can run into thousands of pounds, and you will be liable for these costs if evidence of a compromise is established.
Whilst the monetary fines and other costs are considerable, the reputational damage to your business could also be catastrophic as customers may lose confidence in your ability to secure their sensitive personal, business and card data.
What can lead to a data breach?
There are many vulnerabilities that can lead to data breach including:
Computer Viruses
A computer virus is a program that can replicate itself and spread from one computer to another. The term ‘virus’ is also commonly, if loosely, used for other types of malware, such as adware and spyware, that have no ability to replicate. Viruses can increase their chances of spreading to other computers by infecting files on a network file system, or on a file system that is accessed by another computer.
Computer Worms
A computer worm is a self-replicating malware program that uses a computer network to send copies of itself to other computers and nodes on the network without any user intervention. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, even if only by consuming processing power or bandwidth, whereas viruses almost always corrupt or modify files on the targeted computer.
Trojan Horse
A Trojan horse may give a hacker (also known as a computer criminal) remote access to a target computer system. Once a Trojan has been installed, the hacker may be able to access the computer remotely and perform various operations, although these may be limited by the privileges of the user account the Trojan runs under. Operations that a hacker could perform on a compromised computer include:
- Using the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
- Data theft (e.g. retrieving passwords or payment card and personal information)
- Installation of software, including third-party malware
- Downloading or uploading of data on the user’s computer
- Modification or deletion of files
- Keystroke logging (where hackers can track and record your keystrokes – anything that you type into your computer)
- Watching the user’s screen
Trojan horses require interaction with a hacker to fulfil their purpose, though that hacker need not be the individual responsible for distributing the Trojan. Hackers may also scan computers on a network with a port scanner in the hope of finding one that already has a Trojan horse installed, which they can then use to control the target computer.
Spyware
Spyware is a type of malware that, once installed on a computer, collects small pieces of information about its users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect.
Key questions you should ask
Here are some key questions you should consider to evaluate your PCI DSS compliance:
- Do your employees ask for card details over the telephone?
- Can you ensure data is not written down or entered into a separate application?
- Can you ensure that photographs or screenshots of transactional data are not taken?
- Are DTMF tones played to employees?
- Are you able to fully maintain the PCI DSS standard and keep card details completely secure?
If any of the above questions raises a concern you cannot resolve, then descoping your organisation from the requirements of PCI DSS, whilst benefitting from a fully accredited Level 1 card processing service, is essential for your business.
What is PCI Descoping?
Descoping is a way of reducing the number of PCI DSS obligations that apply to your business. The simplest way to achieve this is to pass the handling of card data to a third-party provider, so that the data never enters your own systems. This usually reduces the overhead of PCI DSS compliance activities whilst also raising the level of PCI compliance your business can attain for operational purposes (i.e. by using a Level One compliant solution provider).
What are the benefits of a Hosted Solution?
Many PCI DSS solutions are premise-based and require investment in additional hardware and software which needs to be maintained. This can often involve hardware add-ons which are connected to your phone system alongside software updates for your phone system and servers, additional cabling, handsets and more besides. Updates or changes to the infrastructure are not straightforward and it is typical that the solution vendor as well as the phone system maintainer will need to be on site to carry out upgrades and changes which can be costly and disruptive.
Significant investment is usually required: there are CAPEX costs to consider, as well as OPEX-based maintenance contracts for both the PCI solution and the on-premise phone system. Moreover, an on-premise solution is at a disadvantage because its Service Level Agreement (SLA) is usually inferior to that of a hosted or cloud-based PCI compliant solution. If there is a hardware failure, an engineer will need to visit the site to assess the issue, and if the correct spare part is unavailable (a phone system trunk card, for example) a further visit will need to be arranged to replace the damaged part. During this time you are unlikely to be able to operate efficiently, if at all. Because cloud-based solutions are operated in secure, managed data centres, they offer much better reliability and superior response and fix times. Depreciation is also a major factor when installing hardware, and service replacement and continuity need to be considered as the hardware nears end of life.
A hosted solution, on the other hand, provides increased flexibility. It is easier to take advantage of improvements in technology without the cost of on-premise software upgrades; the service can be rolled out anywhere with very little CAPEX; no on-site hardware or phone system changes are required; and the SLAs are very efficient because the solution is accessible in a cloud environment at any time.
Solutions designed to descope your business from the requirements of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) organisation was created by major credit card companies in 2006 to establish processes for card data security, and many organisations subsequently invested in expensive, on-premise compliance systems to ensure payment card data was secure and met PCI Compliance obligations. Despite the development of rigorous guidelines to protect sensitive card data, fraud, theft and numerous notable network breaches at major organisations have since demonstrated that weaknesses still exist in some businesses. On-premise compliance systems need to be continuously monitored, maintained and secured, otherwise a breach could be very costly.
We believe there is a better way to mitigate risk without the significant capital investment and resources required to meet and maintain the very latest PCI Compliance requirements. Columbus Cloud Compliance solutions achieve this by descoping businesses from the requirements of PCI DSS and keeping sensitive card data completely outside of standard operational workflows. Our cloud first approach to PCI Compliance ensures that no one within an organisation has access to any sensitive card data at any time, whether the solution is telephony or web-based or both.
Columbus PCI Compliance Services
Columbus PCI Agent
Our hosted Level 1 solution allows callers to enter their own card details whilst staying on the call with a live agent. Hassle-free and fully Level 1 PCI DSS compliant.
Columbus PCI AUTO IVR
Using our advanced cloud-based platform, our AUTO IVR solution enables you to capture, integrate and process card payment information without the need for an agent.
Columbus PCI Online
Our 3D-Secure technology is designed to reduce the possibility of fraudulent card use by authenticating the cardholder at the actual time of the online transaction.
Columbus PCI Mobile
Rapidly develop apps to assist in the processing of mobile payments, integration with back-end systems, mobilising the workforce and providing real-time information.
Want to find out more about Columbus PCI Compliance Solutions? Get in touch.