PCI DSS Compliance
The Payment Card Industry Data Security Standard (version 3.1) requires every retailer that handles the major credit and debit card brands to establish internally managed network vulnerability scanning and a log review process. More specifically, they must routinely scan their systems for vulnerabilities and review server and network access log files, which sadly is not in place within many charity retail operations, probably because of the technical complexity and cost involved.
This article advises charity retailers on what they can do towards maintaining PCI DSS v3.1 compliance – with the aim of safeguarding customer payment card details from unauthorised access – by finding vulnerabilities before they become a business problem.
Image Attribution: Computer vector designed by Freepik
Wikipedia: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Having no PCI DSS Compliance Software in place can sometimes be down to a lack of in-house IT team knowledge (if the charity even has its own IT department), limited understanding of precise PCI DSS obligations or simply lack of time and resources. A popular misconception is “We’re OK – it’s our bank’s responsibility to sort the security scan once a year” and this may be why PCI DSS obligations are not formally managed and routinely reviewed by the IT department or their senior management team – who are ultimately responsible.
Verizon – a damning report on PCI DSS non-compliance in the retail sector
Our view also appears to be backed up by recent research from Verizon, which found that the majority of UK organisations accepting payment cards fail to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. According to the Verizon 2015 PCI Compliance Report, only 9% of merchants were compliant on Requirement 11 alone (11.4 is referred to later on in this article).
This article covers three areas of PCI DSS v3.1 compliance where Save9 hopes to help charity retailers improve. These are:
- Vulnerability Scanning
- Audit and Log Reviews
- Incident intrusion detection and reporting
Save9 has a detailed understanding of the obligations placed on retailers by the PCI and can help charity retailers avoid non-compliance by sign-posting them to a suite of low-cost vulnerability scan and logging solutions – frequently referred to as PCI DSS Compliance Software in the industry.
“Our retail shop’s card transactions are now handled in the Cloud – so I guess it’s not our problem?”
You’d be guessing wrong. The PCI Self-Assessment Questionnaire (SAQ) still applies when the payment platform is hosted in the cloud; what changes is which SAQ you complete, and that depends on how cards are actually taken in the shop. For example, a shop whose card terminals form part of a validated, PCI-listed point-to-point encryption solution completes SAQ P2PE; other ways of taking cards map to other SAQs, so ask your cloud retail system provider to confirm which one applies to your setup. The requirements reach into any hosted third-party solution because the local networks and till systems on the shop LAN (Local Area Network) still need to be securely protected and routinely monitored (e.g. to detect and prevent intrusions) even though data processing and storage is handled remotely in the cloud by a third party.
In theory, any cloud-connected shop till carries some level of vulnerability if payment transactions are routed externally from the point of sale, even across ‘secure networks’ protected by firewalls, private network links, VPNs or TLS, because data can be intercepted before it reaches the encryption stage, or the encryption process itself can be compromised by malware secretly residing on the retail system. Screen-capture or data-interception malware can likewise exist on PC-based till systems without the IT department’s knowledge. Note that PCI DSS v3.1 itself withdrew SSL and early TLS from what it counts as ‘strong cryptography’, so an ‘encrypted SSL’ link is no longer a protection the standard recognises.
The worrying reality for most charity retailers
Following discussions with a number of IT managers in the third sector who look after in-house IT and remote shop networks in charity retail environments, we are of the opinion (anecdotally, of course) that most charitable institutions in the UK have not gone through any of the three internal processes needed to meet PCI DSS Requirements 6, 10, 11 and 12 (as specified in version 3.1 of the PCI DSS requirements document).
Our view is that IT managers in charity retailers should proceed with caution if they believe there’s no need to take action on the advice given – i.e. to routinely deploy vulnerability scans, implement access logging measures and introduce an intrusion-detection strategy.
Excerpts from the PCI DSS version 3.1 compliance document (categorised under the three processes explained above) can be found below…
Vulnerability Scanning – PCI DSS Requirement 6…
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium or low) to newly discovered security vulnerabilities.
Guidance: The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information.
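As an added illustration of the kind of process 6.1 and its guidance describe (this is not code from the original article or from any product it names), the Python script below takes vulnerability advisories in the shape of an NVD-style feed entry, matches them against an in-house inventory of till PCs and office machines, and assigns the high/medium/low ranking the requirement asks for, weighting findings on systems inside the cardholder data environment more heavily. The advisory identifiers, product names, asset names and ranking thresholds are all constructed assumptions for the example and refer to no real vulnerability.

```python
"""Added example: a minimal triage step of the kind PCI DSS 6.1 asks for.

Advisories (constructed, in the shape of an NVD/CVE feed entry), the asset
inventory, product names and the ranking thresholds are all assumptions made
for this example; none of the identifiers refers to a real vulnerability.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: tuple      # first version that contains the fix
    cvss: float          # CVSS base score, 0.0 to 10.0
    exploited: bool      # public exploit code or active exploitation reported


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple
    in_cde: bool         # in, or connected to, the cardholder data environment


def parse_version(text):
    """'4.1.7' -> (4, 1, 7) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed feed entries and inventory (not real advisories or systems).
ADVISORIES = [
    Advisory("ADV-0001", "till-pos-client", parse_version("4.2.0"), 7.5, exploited=True),
    Advisory("ADV-0002", "pdf-viewer", parse_version("11.0.3"), 5.3, exploited=False),
    Advisory("ADV-0003", "till-pos-client", parse_version("4.0.0"), 9.8, exploited=False),
]
ASSETS = [
    Asset("TILL-01", "till-pos-client", parse_version("4.1.7"), in_cde=True),
    Asset("TILL-02", "till-pos-client", parse_version("4.2.0"), in_cde=True),
    Asset("OFFICE-PC", "pdf-viewer", parse_version("11.0.1"), in_cde=False),
]


def is_affected(asset, adv):
    """An asset is affected if it runs the product at a version below the fixed one."""
    return asset.product == adv.product and asset.version < adv.fixed_in


def rank(adv, asset):
    """Assign high/medium/low. Thresholds and weightings are an assumed in-house
    policy; the standard only requires that a documented ranking exists."""
    score = adv.cvss
    if adv.exploited:
        score += 2.0      # known exploitation raises urgency regardless of base score
    if asset.in_cde:
        score += 1.0      # a hole on a till matters more than one on an office PC
    if score >= 9.0:
        return "high"
    if score >= 6.0:
        return "medium"
    return "low"


def triage(advisories, assets):
    """Return (advisory_id, asset_name, ranking) for every affected asset, high first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [
        (adv.advisory_id, asset.name, rank(adv, asset))
        for adv in advisories
        for asset in assets
        if is_affected(asset, adv)
    ]
    findings.sort(key=lambda f: (order[f[2]], f[0], f[1]))
    return findings


if __name__ == "__main__":
    for advisory_id, asset_name, ranking in triage(ADVISORIES, ASSETS):
        print(f"{ranking:<6} {advisory_id} affects {asset_name}")
```

The point of the exercise is the correlation step: a feed entry only becomes a finding once it is matched to something you actually run, and the ranking then drives which patches go on the quarterly review agenda first. The inventory is the part small IT teams most often lack, so keeping one (even a spreadsheet of till hostnames and software versions) is the real prerequisite for 6.1.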
Audit and Log Reviews – PCI DSS Requirement 10
10.1 Implement audit trails to link all access to system components to each individual user.
Guidance: It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user.
Incident intrusion detection and reporting – PCI DSS Requirements 11 & 12
11.4 Use intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion detection, intrusion prevention, firewalls, and file integrity monitoring systems.
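As an added example covering the log-review and alerting points of 10.1, 11.4 and 12.10.5 above (this is not code from the original article or from GFI’s products), the Python below parses a constructed set of till and server logon records, flags successful logons under shared accounts that cannot be linked to an individual user, and raises an alert when a run of failed logons from one source is followed by a success, or when a logon occurs outside trading hours. The log format, hostnames, account names, IP addresses and thresholds are all assumptions made for the example.

```python
"""Added example: a quarterly-style review pass over till and server logon logs.

Log format, hostnames, account names, IP addresses and thresholds are all
constructed assumptions for this example; real exports (syslog, Windows
Security event logs) would go through the same parse -> check -> alert steps.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one shop's logon records for part of a day (not real data).
SAMPLE_LOG = """\
2015-09-14T08:55:10 TILL-01 logon user=jsmith src=10.20.1.15 result=success
2015-09-14T09:03:41 TILL-02 logon user=till src=10.20.1.16 result=success
2015-09-14T10:00:00 TILL-01 printer status=ok
2015-09-14T12:10:02 TILL-01 logon user=admin src=198.51.100.7 result=failure
2015-09-14T12:10:09 TILL-01 logon user=admin src=198.51.100.7 result=failure
2015-09-14T12:10:15 TILL-01 logon user=admin src=198.51.100.7 result=failure
2015-09-14T12:10:21 TILL-01 logon user=admin src=198.51.100.7 result=failure
2015-09-14T12:10:33 TILL-01 logon user=admin src=198.51.100.7 result=success
2015-09-14T23:41:05 SRV-01 logon user=akhan src=10.20.1.40 result=success
2015-09-14T14:20:00 TILL-02 logon user=jsmith src=10.20.1.16 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Generic accounts that cannot be tied to one person (assumed local naming).
SHARED_ACCOUNTS = {"till", "admin", "shop", "guest"}
TRADING_HOURS = (8, 19)            # logons expected between 08:00 and 19:00 (assumed)
FAILURE_THRESHOLD = 3              # failed logons before a following success is suspicious
FAILURE_WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Return (events sorted by time, number of lines that did not match the format)."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1   # non-logon or malformed lines: count them rather than hide them
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def review(events):
    """Return alerts as (rule, host, user, src, timestamp) tuples, in time order."""
    alerts = []
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failed logons
    for ev in events:
        key = (ev["host"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
        if ev["result"] == "failure":
            recent.append(ev["ts"])
            failures[key] = recent
            continue
        # Successful logon: apply the review rules.
        if ev["user"] in SHARED_ACCOUNTS:
            # 10.1: a shared account cannot link this access to an individual user
            alerts.append(("10.1 shared account", ev["host"], ev["user"], ev["src"], ev["ts"]))
        if len(recent) >= FAILURE_THRESHOLD:
            # 11.4 / 12.10.5: password guessing that ended in success is a suspected compromise
            alerts.append(("11.4 failed logons then success", ev["host"], ev["user"], ev["src"], ev["ts"]))
        failures[key] = []
        if not TRADING_HOURS[0] <= ev["ts"].hour < TRADING_HOURS[1]:
            alerts.append(("out-of-hours logon", ev["host"], ev["user"], ev["src"], ev["ts"]))
    return alerts


def run_review(log_text):
    """Parse and review in one step; the entry point a scheduled job would call."""
    events, _unparsed = parse(log_text)
    return review(events)


if __name__ == "__main__":
    for rule, host, user, src, ts in run_review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<32} {host} {user} from {src}")
```

Run against the sample, the pass raises four alerts: the generic ‘till’ account on TILL-02, the generic ‘admin’ account on TILL-01, the four failed ‘admin’ logons that ended in a success from the same external address (the pattern 11.4 expects you to catch and 12.10.5 expects to feed your incident response), and an out-of-hours logon to SRV-01. Unparsed lines are counted rather than silently dropped, because a review that quietly ignores records it does not understand is not a review.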
What should charity retailers do next – particularly if they have limited IT resources?
Save9’s recommendations are to signpost you to some low-cost but highly effective cybersecurity software solutions – with an indication of licensing costs:
A. Vulnerability Management & Penetration Testing for PCI Compliance: GFI LanGuard network vulnerability scanner licences (annually renewable), approximately £30 + VAT for the first year, then £15 + VAT per annum thereafter (example: per till PC). Note that an internal scanner of this kind covers the internal scans under Requirement 11.2; the quarterly external scan must still be run by a PCI-approved scanning vendor (ASV), and the penetration testing under Requirement 11.3 is a separate exercise.
B. Audit and Log Review for PCI Compliance (one server node): GFI EventsManager, server log monitoring, management and archiving, approximately £225 + VAT for the first year, then £115 + VAT per annum thereafter for upgrades and maintenance.
C. Incident intrusion detection and reporting for PCI Compliance Reporting: GFI EventsManager Active Monitoring add-on for event-log-based intrusion detection and reporting, approximately £80 + VAT for the first year, then £40 + VAT per annum thereafter for upgrades and maintenance.
Beyond the technology recommendations above, please make sure time is allotted for meeting and reviewing the scan results and log audits at least every quarter. Ideally this should be performed by your retail operations management team and an IT Manager (and/or IT Security Manager). You’ll probably need a couple of hours for each session, excluding any emergency measures for network breaches, which should be outlined in your in-house Incident Response document.
Note: Save9 can obtain an additional 9% discount on GFI’s costs for registered UK charities. We can also help devise a PCI DSS Incident Response document, to help square off PCI DSS compliance. Note: this response procedure also needs to be tested at least once a year (PCI DSS v3.1 Requirement 12.10.2).
Assurance testing is a completely separate topic altogether, but I hope this article helps charity retailers implement better cybersecurity measures to safeguard customer payment card details, avoid a potentially embarrassing public relations disaster and avoid the costly fines for non-compliance with the PCI DSS v3.1 standard.