PCI Compliance: Where Does Your Company Fit?
The Payment Card Industry Security Standards Council, featuring five major global payment brands – American Express, MasterCard Worldwide, Visa Inc, Discover Financial Services and JCB International – was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.
The idea behind PCI compliance is to ensure that companies have improved security in cases where credit card details are stored or processed.
“We have seen a lot of cases in the world where the storage and processing of credit card details have been compromised and obviously more security is necessary and in turn, any organisation, any company, any non-profit organisation, it does not matter who, anyone who stores or processes credit card details would need to comply with PCI DSS,” explains Dr Angelika Plate, director of Strategic Security Consulting at help AG.
PCI compliance applies to almost everybody in the payment industry, whether it is a merchant doing a transaction or a bank providing financial services. Wherever finance is involved, by whatever channel, PCI is relevant.
“As of today PCI has mandated the hardware manufacturers with a certain level of compliance depending on region,” says Niranj Sangal, Group CEO, at card payment specialists OMA Emirates LLC.
There are four different levels of PCI compliance, and depending on which level you are on, you have certain rights.
According to Martin Waldenstrom, CEO of online payment gateway cashU, the requirements at each level differ depending on whether you are a processor or a merchant: a processor handles card data for hundreds or even thousands of merchants, whereas a merchant processes only its own transactions.
The different levels are defined based on services provided by different financial organisations.
“Let’s take a bank; for a bank we have 12 different standards of compliance. We look at the security, including networks – which have to have a secure firewall – and data encryption. This is all there to protect cardholder information. We restrict information to only those required to see it. Then we look at the physical, logical security of the premises where the data is stored,” explains Sangal.
There are twelve different standards that a bank must address, and against which Visa or MasterCard would assess it. A merchant such as Carrefour, by contrast, is not a bank but still carries all the financial obligations that come with cards being used in its setup.
“When you look at the compliance level of a bank it must adhere to all the 12 standards, but when it comes to Carrefour, there are certain features that are not applied to them because they are a merchant. But in terms of the data transmission from the location to the bank, it needs to be secure, so we look at data encryption and decryption,” states Sangal.
“If you look at Duty Free, you need not do a compliance level for them because they have their own infrastructure. The banks do not force them to go with PCI standards because they have their own standards. All their applications are secure, which means if I go to a Duty Free setup I cannot use any USB or an external hard drive to download or upload data. So they are partially compliant when it comes to credit card transactions.”
The most important data elements for a card used in a retail outlet or an SMB are the cardholder name, then the CVV2 – card verification value, the security code on the back of the card – and then the track-one and track-two data held on the magnetic stripe. Not everybody is required to use a chip card; today the US is still running magnetic-stripe or contactless cards.
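As an added example (not from the article or from any of the people quoted in it), the following Python script shows how a defender can check stored records or logs for the data elements just named. Under PCI DSS, sensitive authentication data (full track data and the CVV2) may never be stored after authorisation, and a PAN, where it is displayed, is masked to at most the first six and last four digits. The sample log records are constructed, the card numbers are public test numbers, the field names are assumptions, and the regular expressions, Luhn check and masking rule are ordinary data-loss-prevention techniques rather than any vendor's tooling.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from the article): what a point-of-sale or
# gateway log might look like if it captured more than it should.  The card
# numbers are public test numbers that pass the Luhn check.
SAMPLE_RECORDS = [
    "2013-05-02 10:14:01 AUTH ok pan=4111111111111111 exp=1505 amount=120.00",
    "2013-05-02 10:14:02 DEBUG swipe=%B5555555555554444^DOE/JANE^15051011000000000000?",
    "2013-05-02 10:14:03 DEBUG track2=;378282246310005=15051011000000000?",
    "2013-05-02 10:14:04 WEB form cvv2=123 order=88213",
    "2013-05-02 10:14:05 INFO order=88214 ref=1234567890123 status=settled",
]

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")
# Card security code stored as a key/value pair (the field names are assumptions)
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer number
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the usual masked display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line: str
    sad_kinds: list        # sensitive authentication data present: a storage violation
    pans_masked: int       # Luhn-valid PANs found and masked in the redacted copy
    redacted: str


def scan_record(line: str) -> Finding:
    sad, redacted = [], line
    # Full track data must never be retained after authorisation: redact the whole field.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        if rx.search(redacted):
            sad.append(kind)
            redacted = rx.sub(f"[{kind.upper()} REDACTED]", redacted)
    if CVV_RE.search(redacted):
        sad.append("cvv2")
        redacted = CVV_RE.sub(lambda m: f"{m.group(1)}=***", redacted)
    pans = 0

    def _mask(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number, leave it alone
        pans += 1
        return mask_pan(digits)

    redacted = PAN_RE.sub(_mask, redacted)
    return Finding(line, sad, pans, redacted)


def scan_records(records):
    return [scan_record(r) for r in records]


def storage_violations(findings):
    """Records holding sensitive authentication data; encrypting them would not make this acceptable."""
    return [f for f in findings if f.sad_kinds]


if __name__ == "__main__":
    findings = scan_records(SAMPLE_RECORDS)
    for f in findings:
        status = "VIOLATION " + ",".join(f.sad_kinds) if f.sad_kinds else "ok"
        print(f"{status:<20} {f.redacted}")
    print(f"{len(storage_violations(findings))} of {len(findings)} records hold data that must not be stored")
```

The distinction the script draws is the one an assessor draws: a stored PAN is a finding about how it is protected (masked here for display), while any stored track data or CVV2 is a finding in itself, because there is no compliant way to keep it. The Luhn check matters in practice: without it, order references and timestamps produce enough false positives that staff stop reading the report.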
“Today we are required to be fully EMV-compliant [Europay, MasterCard and Visa, also known as “chip and PIN”]; a chip standard has already been applicable since 2006 in the Middle East. Today in the region about 80% of providers are still implementing chip; practical acceptance is still 60%,” explains Sangal.
There are a lot of standards that people can comply with, and standards that are built for compliance always come with a set of requirements; PCI DSS has around 200 different requirements and sub-requirements.
“Very often I am asked ‘is one requirement more important than another?’. Whilst maybe people feel like it is – for example, when there is a requirement to make sure that credit card details like the transaction numbers, and things like that, are stored in a secretive way, that looks more important than having a written information security policy – on the compliance level it does not make a blind bit of difference. A requirement is a requirement, and non-compliance with one requirement will not lead to certification, as much as non-compliance with any of the other requirements,” states Dr Plate.
PCI compliance in UAE
Currently there are no laws or regulations in the UAE around PCI compliance; at the moment it is at the discretion of the organisation whether it wants to be certified or not.
“As long as there is no regulatory aspect around it, like maybe a decree from the central bank or some piece of legislation, compliance is only something that applies to people who want to claim compliance, and anybody wishing to claim compliance has to go through certification. What we have at the moment is a sheer mixture: some banks have it, some don’t. I think from any organisation, aside from banks, I don’t think anyone has really looked into it in the UAE,” says Dr Plate.
PCI DSS certification is nice for companies to have, because it gives customers independent accreditation that the company is certified to protect their data; the only drawback is that it is very difficult for an organisation to prove that it is secure. Companies that are PCI compliant can let customers know through a badge on their website, and any certification helps to demonstrate to business partners, customers and the general public that they are operating completely securely.
“It is always good for any customer to double check if possible, or get some additional credibility, to make sure the payment gateway is secure. I have seen so many people claiming all sorts of compliance; it is one of the most misused words I have ever seen, and everybody who can think of it claims compliance with all sorts of things, and in many cases it is not relevant at all. I have seen organisations who have said they are compliant because they use PCI compliant products, which is simply not good enough,” explains Dr Plate.
At the moment the deadline to be PCI compliant is in 2014. Being PCI compliant is recommended, but there are no penalties for not abiding by it.
“At the moment PCI is applied by each merchant in different ways because the processor may be PCI compliant. However there are some merchants who accept credit card details over the telephone or via fax and are not PCI compliant, which is not recommended,” says Waldenstrom.
“There is an avenue to report a website breach that may affect credit card details, one can report it to the e-crime department at the police or the central bank. But here in the UAE there is no action that will be taken.”
In the GCC the number of PCI compliant firms is much higher than in the UAE. OMA Emirates says that PCI compliance is a mandate there, so all institutions should be PCI compliant; otherwise Visa, MasterCard and the other schemes won’t certify them.
“I would say about 80% of regional institutions are fully compliant,” says Sangal.
Today the majority of credit card transactions go through COMTRUST, also known as the e-Company, and most of the banks use the e-Company payment gateway for all of their e-commerce transactions.
“Keeping that in mind, there have been a substantial amount of frauds [mostly] on the African Continent. So now the schemes are providing these mechanisms directly to end-users, so if you don’t want to use e-Company you can use the Visa gateway,” Sangal says.
From 2012 onwards most financial organisations have started looking at compliance levels, because mandates have been coming from the central bank to ensure that core banking, card management systems and the network are compliant.
“Until 2011 we observed that each bank had one or two auditors who were not up to the level of doing PCI audits, and that was why you had professional companies charging $100,000 or $120,000 just to do an audit. To save this cost the banks have been hiring their own people to do PCI audits,” Sangal explains.
There was an incident in Algeria a couple of weeks ago where Visa had certified a site and fraud still occurred. In such cases the schemes are liable, but since 2006 most of the liability share has been on the financial bodies.
PCI compliance is now mandated by nearly every scheme. There are audits a company must go through before it starts taking payments, and an application form to fill in, on which the scheme asks about Payment Card Industry compliance. Without that compliance they won’t certify the premises.
“MasterCard has started working with four organisations locally [in the UAE] and Visa has been working with around 30 companies. These companies do the audits for Visa and MasterCard; they look at the compliance level of the site and the compliance level of the applications used. We call the applications compliance level PA-DSS [Payment Application Data Security Standard]. The auditors scrutinise the whole application in terms of the way the data is stored on it. For example, do they have some stored procedures that store data and then release it?” says Sangal.
In the last three years OMA Emirates has found that banks are starting to have PCI audit departments. About 80% of these banks are already compliant. Recently most of them have been working towards compliance because Visa and MasterCard have got a mandate to ensure these standards are followed.
Hardware manufacturers are also being certified because without the hardware you cannot run an application.
SMBs and compliance
None of the PCI compliance standards downsize well, according to Dr Plate, and the number and complexity of the standards that must be adhered to in order to become compliant can be prohibitive for small and medium businesses.
“It is very difficult because the SME world is so diverse, and some have higher security and some have lower, and so there is no solution that fits all. At the moment at least, nobody has come up with a decent scheme that helps to reduce the amount of requirements for SMBs, as sorry as I am to say that,” says Dr Plate. “I am a member of the ISO committee where ISO27001 is developed, which is one of the inputs into PCI DSS, and even there we keep discussing whether we can do something for SMEs and how we can help them.”
PCI compliance is all about security, so an SMB will be assessed on the qualifications of its staff, access rights, where it hosts its systems, and auditing of physical access to data rooms and the IT department; companies are even assessed on whether they leave confidential documents in an easy to reach place, according to Waldenstrom.
PCI compliance requirements
There are a lot of requirements around PCI compliance covering the protection of credit card data in storage, in transmission and during processing.
There is not as much consideration of integrity or availability, which are also very important aspects.
“I would recommend everybody considers availability. Nicely protected data does not mean anything if you don’t have availability,” states Dr Plate.
Then there is a set of technical requirements related to the network that processes the data, any applications used for this processing, and all the IT devices used in the process. These all go through a separate product certification for PCI compliance.
“The PCI DSS certification for organisations is always an organisation certification; that means that the organisation with its people, its processes, its IT, its technology, its policies and everything is assessed. Of course, for a product compliance assessment it is only the products that are looked at, and for PCI DSS compliance at the organisational level the organisation needs to use PCI compliant products in its processing to fully achieve that,” says Dr Plate.
The human element
There is yet another set of requirements for documentation, policies and processes. The people in the organisation need to be brought alongside in the PCI compliance process, and very often the human being is the weakest link.
“Computers you can set up deterministically; it may take a little bit of effort to do so, but once you have done it, and done it properly, it will work. It is not the same as people. You have to bring people on board and tell them what they are supposed to be doing, and so it is important that they are brought alongside in the process,” Dr Plate says.
There are between 12 and 15 steps that a company needs to take on its network to comply with PCI standards, and the number varies between merchants and processors.
“Today the greatest cost in PCI compliance is the network cost. I would not look at applications, because generally most of the vendors need to be compliant. The main part of the infrastructure in terms of spend is the network and PCI networks cost quite a lot of money,” states Sangal.
The cost of implementing Payment Card Industry compliance depends entirely on where the company is along the compliance ladder: if the company only does a tiny bit of credit card processing, the process is far easier than if it goes through a big network with a lot of connections to other organisations.
The overall number of people involved in the credit card transaction process, and the overall number and complexity of the systems involved in it, are further considerations.
“Another thing to bear in mind is how good or bad the organisation is anyway. If there is a long way to go in order to achieve full compliance, obviously there is more to do than if there is very little to do. And finally, if an organisation is using non-PCI compliant products and they need to replace them all with compliant products, it will add an additional cost,” states Dr Plate.