PCI DSS (Payment Card Industry Data Security Standard) is a regulation that encompasses any business that touches card holder data. It’s not just confined to a physical retailer you see on the high street; it covers eCommerce environments and contact centres processing payments over the phone too.
With the ongoing changes to the PCI DSS landscape, it has become increasingly difficult for contact centres to maintain a thorough and current understanding of PCI DSS, while at the same time, keep up with internal changes to infrastructure and personnel. Combined with new cybersecurity threats occurring daily, it’s become harder for the information security teams to stay ahead of the curve and prevent the next cyber-breach.
As a QSA (Qualified Security Assessor) the most common reasons we see for companies delaying or putting off their PCI DSS compliance can be broken down into three main factors:
With the considerable challenge that businesses face trying to obtain compliance, it’s not uncommon to see some delaying the process. Delaying PCI DSS does not come without consequence; loss of revenue comes to mind.
Potential clients often communicate their requirements (including PCI DSS compliance) in a “Request for Proposal” (RFP). Typically, if you are not already PCI compliant when you first receive the RFP, you will not have time to become compliant and be validated by a QSA, in time to submit your RFP response. It can often take many months to become compliant. In the case of Level 1 PCI DSS Validations, it could take upwards of a year to earn a compliant “Attestation of Compliance”. Generally, by the time you see the RFP, it’s already too late if you’re not PCI DSS compliant.
Another significant consequence is breach-related costs and financial penalties. If there is a breach involving credit cards, and the contact centre is identified as the Common Point of Purchase (CPP), a PCI Forensic Investigation (PFI) may be required. We are one of a few global PFI QSA Companies, and we have dealt with a lot of these cases.
If an organization has experienced a breach, depending on the impact of the breach, there may be a standard digital forensics investigation or even a PFI. In addition to the security aspects of a normal investigation, such as identifying how the breach happened, eradicating bad actors and restoring normal operations, PFIs have additional requirements.
PFIs contact directly between the client and PFI QSA, but they include oversight by banks and/or card brands and operate within extremely aggressive timeframes. PFIs are fact finders to determine what card data was exposed and how long the card data was exposed for. While the main focus of a PFI investigation is the analysis of the payment ecosystem(s), PFIs are also tasked with determining what security deficiencies were in place at the time of the incident.
They also include a PCI DSS assessment to determine if noncompliance with PCI DSS contributed to the breach. In every case I can recall, there were issues of noncompliance. Depending on the context and details, the card brands could issue an assessment that will be passed along to the contact centre. These assessment fees can have a significant impact on the business’ bottom line – particularly when added to the costs related to the investigation and required security measures that need to be put in place to comply with investigation findings.
If you haven’t already done so, call a QSA for a Gap Assessment! They will help you understand your obligations and prioritize your security and PCI efforts.
Once you understand PCI DSS, you can start looking for ways to minimize your exposure, both from a security and compliance perspective. The first place we always start is card data – don’t keep it unless you need to. There are a lot of simple ways to reduce your exposure, and a few innovative ways to reduce exposure in some trickier environments, like audio recordings. There are solutions available for pretty much every challenge. If you have the right guidance and insights, you can navigate the best way to move forward.
Also, be sure you have a practical Incident Response Plan (IRP) in place. Your IRP should be tested on a regular basis and adjusted as lessons are learned.
In this digital age, it doesn’t take much to get breached. A useful rule of thumb – unless you know you’re not breached, you probably are. At this moment, your environment may already be compromised; your data stolen and already for sale on the dark web, or even eBay!
Understanding PCI DSS is essential for any strategy to improve security and compliance, but few people make an effort to understand it. If you want to learn the details, hire experts like a QSA, to help you make sense of your situation and set priorities.
Next, consider the mantra, “Reduce, reduce, reduce!” Minimize your threat surface, minimize the card data you process and store. If you don’t need it, get rid of it (or don’t handle it in the first place, exposing yourself to an unnecessary threat).
Lastly, ensure you are familiar with PCI DSS requirements 12.8 and 12.9. Be prepared for clients to request written agreements acknowledging your responsibilities regarding PCI DSS associated with your services and know how to complete a responsibility matrix for each of your clients. Understanding these requirements will improve your relationship and help you focus your security and compliance efforts.