What PCI compliance means for the public sector

Written by Jeremy King, European director at the PCI Security Standards Council

For several years, major data breaches of payment information have hit the headlines, with shockwaves affecting many businesses and industries, including the public sector, underscoring the critical importance of securing credit card data.
No public institution wants to be caught exposing its customers’ sensitive information, nor encountering the subsequent legal and financial burden – including legal fees, call centre costs, regulatory fines, breach notification, public relations, and lawsuits that have reached into the hundreds of millions for some organisations.
While the bulk of media attention has focused on the activity of outside attackers, these breaches actually make up little more than 20 per cent of recent breach incidents. The greater threat is the number and type of data compromises caused by people within an organisation – poor procedures and human errors by staff (and the malicious activities of people on the inside of an organisation) account for more than 35 per cent of breaches.

Public sector payments
Each industry has its own challenges and the public sector is not immune, partly because the various organisations that it comprises – the military, law enforcement, public services – have greatly different needs and procedures. Recent research on data breaches in the public sector indicates:

  • A below average proportion of compromised host reports, but the proportion of processing errors was well above average
  • That either fewer compromises occurred due to a higher degree of preventative control, or fewer compromises were reported, possibly because of lower coverage by detective controls.

This underscores why the PCI Data Security Standard (DSS) is so important to securing cardholder data. A strong security strategy that helps protect against threats to sensitive payment card data must address people, processes and technology, and not one at the expense of another. The PCI DSS gives organisations a base set of security requirements with which to build this strategy.
In 2010, we will hear more discussion on the topic, especially as we approach the introduction of the newest version of the PCI Data Security Standard in October. In this piece, I’d like to highlight measures the PCI Security Standards Council (PCI SSC) has recently initiated and other activities we are conducting that will help you manage your own PCI security efforts more effectively.
There are actually three standards that the Council manages: the aforementioned DSS, which broadly defines in 12 requirements the process necessary to begin protecting payment card data; the Payment Application Data Security Standard (PA-DSS), a set of requirements for the software that processes payment transactions, including POS software and online shopping carts; and the PIN Transaction Security (PTS) requirements, which set a course for the physical hardware necessary to conduct secure payment transactions.
The latter two, the PA-DSS and PTS standards, are relatively easy for you to put to use immediately, because the first rule to payment data security is simple: Don’t store what you don’t need.
This can be done effectively by asking your software, hardware and service providers if they are PA-DSS and PTS compliant and confirming that they are not storing unnecessary credit card data. You don’t even have to know all the particulars, since it forces them to address the issue on your behalf.
You can also check for PA-DSS compliant payment software and approved PTS devices and hardware on the PCI Security Standards Council’s website. The Council has very strict requirements for development of these products and a stringent testing protocol to ensure that these products can meet the PCI requirements. We’ve done all this testing – so you won’t have to. If the equipment you’re using is not listed, contact the manufacturer or service provider and ask some basic questions – do they plan to get tested and listed? How do they know if their product is storing cardholder data?
The DSS may require a little more effort to meet the 12 requirements, but if you begin your journey with security in mind, compliance will follow as a byproduct. I’ll talk more in a minute about the many tools and resources the Council offers to help you along the way.

Evolving payment security
In May of this year we launched the newest iteration of the PTS standard, and the next version of the DSS and PA-DSS will come this fall. In June, we announced significant changes in the standards development lifecycle, aligning all three standards on a three-year timeline for updates. In response to feedback from all sectors of the payment industry, we did this to give you more time to better understand the standards, and more time to implement them. The three-year cycle is also a win for the Council – providing us with an additional year to consider market dynamics, emerging threats and new technologies before issuing a new version, and an additional year for us to gain feedback from your real-world efforts to secure payment data.
We’ve presented and archived a webinar, explaining the lifecycle changes in more detail that you may find in the education section of our website at www.pcisecuritystandards.org.
These standards evolve from the feedback we get from hundreds of PCI participating organisations globally. We need to hear from you to continually evolve the standards to meet your needs, as well as those in all aspects of the payment chain. We invite and encourage the public sector to join us in shaping the future of payment security by becoming Council members and taking part in feedback periods and our annual Community Meetings, where we gather together to discuss with our peers the feedback, emerging technology and next iterations of the standards’ evolution.
You can find more about this year’s European Community Meeting in Barcelona, Spain on the website. With an agenda including presentations from industry experts on current issues surrounding payment card security, law enforcement and data breach investigations, in addition to the opportunity to participate in the development of the standards, it’s a great chance for members of the public sector to engage with the Council and connect with others in the PCI community.

In addition to the Council’s Community Meetings and the lists of approved software and hardware on the Council’s website, there are numerous tools and practices that can aid you in your organisation’s quest for payment card security. For example, on the resources section of our website you can also get: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) listings; Self-Assessment Questionnaires; access to the Council’s Prioritised Approach for DSS document, which helps identify how to reduce risk to cardholder data as early as possible in your compliance journey; fact sheets on the standards; as well as the most up-to-date guidance from our Special Interest Groups, including those on skimming fraud prevention and wireless deployments.
Another significant resource that the Council developed this year is the PCI Internal Security Assessor (ISA) Training Program. The PCI DSS training and certification for internal assessment staff is a direct response to Participating Organisation feedback on the need to improve educational opportunities for internal staff.
The three-day course is designed to test and qualify in-house security personnel on how to validate and maintain ongoing PCI compliance within their organisations. The session will arm attendees with the knowledge and resources needed to:

  • Enhance the quality, reliability, and consistency of internal PCI DSS self-assessments
  • Support the consistent and proper application of PCI DSS measures and controls
  • Effectively facilitate interactions with QSAs.

People and processes continue to be integral in developing a strong security strategy and meeting PCI requirements. With this new training offering, organisations have the chance to develop their own in-house PCI compliance experts, and with the many other tools and resources provided by the Council, can implement a stronger ongoing security process.
Reinforcing the global nature of our mission, the inaugural course kicked off in Sydney, Australia in May and will also be offered at the forthcoming European Community Meeting in Barcelona, Spain. Keep an eye on the Education section of our website for details on future training sessions.

Key dates in 2010
Aside from the key dates I mentioned above, the other calendar items senior managers and government organisations should have in mind include the following:

  • Summer: After review by the Council’s elected Board of Advisors, we will provide a summary of proposed changes to the DSS and PA-DSS to Participating Organisations and the market
  • The Council will release its emerging technology framework and a more detailed white paper on EMV technologies; this is part of a series of guidance examining emerging technologies, like EMV, point-to-point encryption and tokenisation, to help you better understand how these technologies may satisfy certain requirements of a PCI audit
  • 21-23 September 2010 – US Community Meeting, Orlando, Florida
  • 18-20 October 2010 – European Community Meeting, Barcelona, Spain
  • Late Autumn 2010 – Following our Community Meetings, the next iteration of the DSS and PA-DSS Standards will be released to the public.

Everyone recognises that protecting the credit card payment process can be a daunting task, but every little bit of security helps. As you move forward on your journey, just remember all the tools and resources that are out there to assist in the building of your security strategy. Build with security in mind, and compliance will follow.

For more information
Web: www.pcisecuritystandards.org