Payment Card Industry Data Security Standards (PCI DSS) are a set of standards for handling the information on payment cards securely, as prescribed by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC was established in December 2004 when the previously separate standards, and subsequent external audits, for processing payments from American Express, Discover Card, JCB Co. Ltd, Mastercard and Visa came together and combined their security requirements into one contiguous regulation and one audit.
Organisations that process card payments are required to meet PCI DSS to an acceptable level at each regular audit. The audits are generally conducted yearly, and performed by PCI accredited professionals working for PCI-accredited organisations. Accreditations are also renewed yearly, keeping the standards and auditors relevant to current threats and mitigations.
Apps for mobile devices that handle payment card information also must meet the Payment Applications Data Security Standards (PA DSS). Assessment of PA DSS is applied in a similar way to PCI DSS, and may be combined with PCI DSS assessments of cloud infrastructure to support the app.
Non-compliances discovered during the audits are rated Minor and Major, with each attracting an appropriate fine payable to the PCI SSC, ostensibly to offset the risk of fraud to the card companies. Major non-compliances or non-payment can result in withdrawal or cancellation of payment card processing for the company.
The PCI DSS and PA DSS standards are a collection of best practices and known working mitigations to significantly reduce the threat of payment card and cardholder information, which becomes more relevant considering the Privacy Act 1988 and the Part IIIC Notifiable Breaches amendment 2017, and may provide some assurances in applying parts of the standards to other areas of infrastructure.
The PCI SSC only recognises audit results from PCI Qualified Security Assessors (PCI QSA), certified security companies and individuals, with PCI DSS and PA DSS audits requiring highly trained and continuously certified QSA auditors to conduct the yearly inspections. Re-visits to verify rectification of issues can be costly and may be difficult to schedule.
The rate of change in modern markets is increasing, with Agile project frameworks and DevOps accelerating growth and requiring companies to adapt in order to remain competitive. Add to this the need to engage PCI QSA auditors, and PCI compliance can be a stressful time for companies, especially IT Managers and Security Officers.
Recommendations
Corporations can lower costs and increase assurance by using security companies that understand the pace of modern businesses and standards compliance, without taking on the overhead of QSA certification themselves.
Further, PCI DSS is the “Gold Standard“ measure for financial services infrastructure and may be used to give assurance of security levels around elements of infrastructure not in scope for a PCI DSS audit – for example, international links or surrounding infrastructure in the wake of the SWIFT thefts and attacks.
Companies looking to achieve initial PCI DSS compliance may follow the prioritised approach published by the PCI SSC.
Agilient have the highest calibre staff including policy writers, auditors, project managers and technical staff to perform vulnerability analysis and penetration testing that may be called on to assess security levels against any standard.
References and Resources
https://www.pcisecuritystandards.org/document_library
https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme