PCI DSS Auditing and Compliance:
Merchants, banks, and other parties that play a role in processing credit and debit card payments must take steps to protect the privacy of account data—both to meet core business goals and to fulfill obligations under the Payment Card Industry Data Security Standard (PCI DSS), one of today’s most detailed and comprehensive data privacy standards. PCI DSS defines strict requirements for the processing, storage, and transmission of account data. Compliance must be validated periodically, and failure to comply can result in fines or even the termination of the ability to process credit cards.
Although it is specific to the payments ecosystem, PCI DSS is regarded by many as embodying a generic set of standards of due care that are appropriate to many types of sensitive data and could be seen as a model for other industries such as healthcare.
Organizations taking steps to comply with PCI DSS face multiple challenges:
- They are subject to proactive audit. PCI DSS audit procedures include annual on-site inspections by approved auditors or self-assessments, and regular penetration testing. In contrast, compliance with most other privacy mandates is audited only in the event of a breach.
- Compliance can affect numerous systems and processes. PCI DSS applies to any IT systems with access to cardholder data, anywhere in the enterprise. This requires a coordinated, cross-functional approach and can constrain flexibility in any one area.
- Minimizing the scope of compliance where possible. The constant motivation to reduce the scope and impact of PCI DSS has triggered publication of guidelines on the use of encryption and tokenization, but to ensure compliance while minimizing scope still requires considerable care.
- New technologies can drive up cost and complexity. PCI DSS is relatively specific and can trigger the deployment of new technologies such as encryption, the modification of existing business applications, and the creation of new security processes and access controls.
- An evolving standard gives rise to uncertainty. All data privacy mandates and disclosure obligations must evolve as they respond to changing threats and local legislation. Organizations face considerable uncertainty as they try to align their compliance obligations with their general security objectives.
Risks Associated with PCI DSS Auditing and Compliance
- Failure to comply can result in fines, increased fees, or even the termination of your ability to process credit cards.
- PCI DSS compliance cannot be considered in isolation; organizations are subject to multiple security mandates and data breach disclosure. On the other hand, PCI compliance projects can easily be sidetracked by broader security initiatives.
- PCI DSS includes common practices that are likely to be already in place. But some aspects, specifically those associated with encryption, might be new to the organization and implementations can be disruptive, negatively impacting operational efficiency if not designed correctly.
- Opportunities exist to reduce the scope of PCI DSS obligations and therefore reduce cost and impact; organizations can waste time and money, though if they do not exercise care to ensure that new systems and processes will in fact be accepted as compliant.
PCI DSS Auditing and Compliance:
Thales e-Security Solutions
Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales e-Security offers products and services that enable you to protect stored cardholder data, encrypt it for transfer, and restrict access on a need to know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.
The PCI DSS standard (www.pcisecuritystandards.org) involves assessment against over 200 tests that fall into 12 general security areas representing six core principles. These tests span a wide variety of common security practices along with technologies such as encryption, key management, and other data protection techniques.
Thales offers comprehensive solutions that help organizations address the six core principles of PCI DSS:
- Protect cardholder data. Compliance requires the encryption of cardholder data flowing over public networks and the protection of stored cardholder data. In addition to deploying network encryption and SSL/TLS encryption for protecting data in transit, organizations will also deploy technologies such as storage encryption, database encryption, application level encryption, tokenization, and ‘point-to-point’ encryption to protect data at rest and reduce scope.
- Implement strong access control measures. All data protection techniques go hand in hand with access controls. Cryptographic technologies such as PKI and digital certificates are widely used to go beyond password-grade security for authenticating users and systems. Furthermore, controlling access to data decryption keys so as to unlock encrypted data only on a “need to know” basis provides a powerful additional layer of security.
- Build and maintain a secure network. In addition to network level encryption, an important component of network security is the strong authentication of network devices; digital credentials are increasingly employed at the device level to control network access and are an important security consideration for a corporate PKI.
- Regularly monitor and test networks. One of the challenges of an increased use of encryption is that network based monitoring can be blindsided by attacks operating under the cover of encryption. This creates the need to equip event monitoring and data loss prevention systems with the ability to safely analyze data by temporarily removing the shroud of encryption.
- Maintain a vulnerability management program. The rise of advanced persistent attacks that attempt to corrupt business applications by injecting malware has brought the use of digital signatures and code signing into focus as a way to prove the integrity and authenticity of business systems and application software.
- Maintain an information security policy. PCI DSS places great emphasis on establishing a clear separation of duties between staff members to minimize the risk of insider attack. The use of cryptography provides a powerful mechanism to enforce this separation and for creating a trusted record of events to demonstrate compliance.
- Significantly reduce the cost of compliance by reducing the scope of your compliance obligation.
- Utilize field-proven technology that helps to secure over 80% of the world’s payment transactions.
- Protect cardholder data virtually anywhere in the enterprise—including legacy systems or cloud-based deployments.