Living With the Paradox of PCI DSS


With the next generation of customers embracing the use of new technologies, the use of “dirty money” is becoming less popular. In its place, people are increasingly choosing to use payment cards.

This makes for some difficult decisions and consequences for merchants. If they choose not to embrace taking payments by payment card, they likely miss out on customer revenues. If they opt to take payments via payment cards, they have a duty to their acquiring banks, and even more importantly to their customers, to ensure that these payments are as secure as they can be.

However, the experience of trying to ensure that level of security is frequently perceived as extremely complex, difficult to achieve, time consuming, extremely expensive and near impossible to maintain. Given that the supporting environments are extremely dynamic, it is a “war of attrition” to defend against ever-changing attacker tactics across a multitude of varying factors (technology, people and processes).

The increasing preference for paying for goods and services via a piece of plastic or technology makes for a greater attraction to the criminal underworld, whether from organised crime or the opportunist hacker. If a business has not identified a vulnerability in its payment card business operations, it is very likely that a hostile entity soon will.

Securing the payment card data life cycle becomes increasingly difficult when you consider the potential attack and vulnerability vectors:

Front-end operations:

  • eCommerce web pages
  • Mail order, telephone orders (MOTO)
  • Point of sale (POS) systems
    • PIN transaction security (PTS) devices
    • Contactless
    • Mobile
  • Automated teller machines (ATMs)
  • Receipts
  • Found payment cards

Back-end operations:

  • Networks
  • Systems
  • Storage
    • Databases
    • Files
    • Paper
      • Receipts
      • Chargebacks
    • CCTV
    • Call recordings
    • Backups
  • Transmissions
  • Vulnerability management
  • Change control
  • Software development
  • Access control
  • Data centers
  • Monitoring systems use
  • Security testing

Kinetic (external) attack vectors:

  • Organized crime
  • Opportunist hackers
  • Foreign intelligence services
  • Cyber terrorism
  • Industrial espionage

Non-kinetic (internal) attack vectors:

  • Insider threats
    • Deliberate actions by authorized persons
    • Negligent actions by authorized persons
    • Accidental actions by authorized persons

When you start adding all these together, plus all the connecting infrastructures of a business’s payment card operations, it becomes instantly apparent just how difficult securing these operations can be. The figure below shows a simplistic overview of how a typical business’s payment card operations might look. However, in reality this is often far more complex.

To help businesses improve their payment card operations, the card brands and the PCI Security Standards Council have produced a suite of controls that provides a baseline upon which a foundation of secure operations may be forged.

In truth, without prior specialist knowledge and skills, this can be extremely difficult to achieve successfully. It can be likened to expecting anyone to be able to build a house simply because they have been given all the tools and materials they need (sand, cement, water, bricks, tools, etc.). In reality, this rarely works out, and such a scenario often leads to expensive underpinning, or even to demolishing the building and starting again.

Consequently, before commencing any sort of improvements to any existing payment card operations, it is essential that businesses familiarize themselves with the latest version of the Payment Card Industry Data Security Standard (PCI DSS) and engage with a reputable and experienced PCI DSS professional (PCI Qualified Security Assessor [QSA]).

Additionally, ISACA has just produced an extremely informative PCI DSS guide, “A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS),” which gives a comprehensive overview of PCI DSS and some of its associated complexities. It provides valuable support for anyone involved in delivering secure card payment operations and meeting the high standards required for PCI DSS compliance.

Net Benefits
It goes without saying that PCI DSS compliance is essential for the protection of a business’s payment card operations and to help safeguard customers’ payment card details. The popularity of paying for products and services via a payment card is only going to increase. Consequently, having a well-planned and implemented compliance framework is critical to the success of any such project.

Having access to ISACA’s useful reference guide and the continued support from a trusted and knowledgeable QSA will help ensure, amongst others, the following benefits:

  • Improved security
  • Improved understanding
  • Informed decision making
  • Better alignment with business strategy
  • Efficiency
  • Timely progress
  • Cost-savings
  • Clarity
  • Success
  • Fines avoidance

James Seaman, CISM, CRISC
Senior Security Consultant, Nettitude Inc.

[ISACA Now Blog]
