
8 PCI DSS questions every CISO should be able to answer

Mar 03, 2020

Any organization that processes credit card payments risks large fines and loss of their merchant accounts if they are not PCI DSS compliant when a breach occurs. Here's what CISOs need to know.


At the end of this year, the Payment Card Industry Data Security Standard (PCI DSS) is expected to get an upgrade to version 4.0. Its roots go back to card-brand programs launched in 2001, and version 1.0 of the unified standard was published in 2004, so it isn’t getting as much attention in the news as newcomers like the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

PCI DSS is very much relevant and applies to every company that accepts card payments, both online and offline. Here are the questions that CSOs are most likely to face when it comes to PCI.

What is PCI DSS?

PCI DSS is a standard backed by all the major card brands and payment processors that is designed to protect cardholder data, above all the primary account number (PAN). It specifies a set of cybersecurity controls and business practices and requires either self-assessment questionnaires or external audits by a qualified security assessor (QSA). Which form of validation is required depends on the merchant level, which is set by annual transaction volume rather than by company size.

“The benefit to the merchant, service provider and their customers is an increased focus on data security,” says David Ames, principal in the cybersecurity and privacy practice at PricewaterhouseCoopers.

It might not always seem that PCI helps, though. “Sometimes, CISOs say to me, ‘What good is PCI? Most organizations were PCI compliant when they were breached!'” says Christopher Strand, chief compliance officer at IntSights, a security technology and consulting company, and a member of the Payment Card Industry Security Standards Council. They may have passed their last audit, he says, but were they still compliant at the time of the breach? “Well, actually they weren’t.”

Do we have to comply with PCI DSS?

Every company that accepts credit cards, anywhere in the world, needs to comply with the PCI DSS. It doesn’t matter how few transactions you have. It doesn’t matter if all your payments are handled by third-party payment processors. It doesn’t matter if the credit card is never stored on your servers.

PCI compliance is, at its core, a contractual agreement between a company and the financial institution that handles the payments. As a result, says Ames, CSOs and CISOs should work with the company’s legal counsel or chief legal officer to make sure that everyone is on the same page.

What happens if we don’t comply with PCI DSS?

Fines for non-compliance can range anywhere from $5,000 to $100,000 per month depending on the size of your organization, and if there’s a breach, you can be fined up to $500,000. The card brands levy these fines on the acquiring bank, which passes them on to the merchant under the merchant agreement. Plus, if a company is not in compliance at the time of a breach, cybersecurity insurance companies may refuse to pay out claims, and the non-compliance can be fodder for a class action lawsuit. If compromised cards result in fraudulent payments, you may be on the hook for the fraud losses.

Companies that are not compliant also run the risk of losing their merchant account, so that they can’t accept credit card payments at all. If your company is placed on the industry’s terminated merchant list (the MATCH list), you will be ineligible for another merchant account for several years.

It’s difficult to get an exact estimate of how much non-compliance will cost you, says Paul Cotter, senior security architect at West Monroe Partners, a Chicago-based technology consulting firm. “A lot of people have proprietary models, us included,” he says. “But you really don’t know until you get there.”

Say, for example, you have a breach. Now you have to notify the individuals impacted and pay for third-party monitoring services. “Those prices have gone down significantly, but you still have to pay for it,” Cotter says. Then there’s the cost of the forensic investigation, which may or may not be covered by a cyber insurance policy. “The scope of those investigations in recent years has dramatically increased,” he says. “That can run into very high dollar amounts.”

There’s also the cost of fixing the problems that led to the breach. “There, you’re over a barrel,” Cotter says. “You’re under the gun to get the remediation in place. You’ll probably be required to engage a qualified security assessor and run through a whole attestation of compliance.”

What controls are in place to make sure we are PCI DSS compliant?

This all sounds serious, and since the PCI DSS has been around for more than 15 years, you might think that everyone is compliant. Are they? “By and large, no,” says Cotter. His company is regularly called in to do PCI compliance audits prior to mergers or acquisitions, and most companies have some compliance gaps, he says.

“With PCI, you’re either compliant or you’re not,” Cotter says. “If you have a single control missing, then you’re considered non-compliant.” For example, he says, Heartland Payment Systems had an attestation of PCI DSS compliance, but at the time of its 2008 breach, some security controls weren’t working correctly.

One problem is that things change. A system in compliance at the time of an audit may be out of compliance a week later. “Maybe you skip a check on something one week, or one month,” Cotter says. “Or there’s configuration drift.” He recommends that companies put solid change management processes in place, combined with continuous monitoring of controls and configurations.

Another mistake companies make is trying to save money by doing a self-assessment instead of hiring a professional. For companies that are careful to keep payment information out of their systems, a self-assessment may be enough. “If you’re small enough, it’s something to consider in terms of cost savings,” Cotter says.

The problem is that the requirements keep evolving, and there are nuances, recommended practices and supplemental guidance documents from the council that aren’t in the standard itself. Plus, companies that self-assess generally rate themselves generously, Cotter says. “If there’s an ambiguity, they look at it in the most flattering way possible,” he says. “You might spend $50,000 to hire a professional, but it might wind up saving you in the long run.”

According to a report released by Verizon late last year, compliance with the payment security standards decreased for the second year in a row — and is now down to just 37% worldwide. In the US, compliance rates are even lower — at just 20.4%, says Ciske Van Oosten, senior manager in the global intelligence division in Verizon’s Security Assurance Consulting practice.

Van Oosten agrees that the decline in compliance is mostly due to companies failing to maintain controls after the compliance audit is completed. “Getting the required PCI DSS controls in place is only one half of the challenge,” he says. “The second half of the overall challenge is ensuring that all controls and the environment it operates in are effective, and that it will be sustainable.”

PCI DSS specifies hundreds of individual requirements, he says, and when one control breaks down, it often has a knock-on effect on other controls that depend on it.

Can’t we just pay the fine?

With penalties of up to $100,000 a month, the non-compliance fines are nothing to sneeze at. And, of course, non-compliance increases the odds of a data breach, with all the associated costs.

“I have a few clients who are paying fines,” admits Peter Gregory, executive director for risk advisory at Optiv, a security consulting firm. “But they’re not doing it as their main strategy. They’re paying fines while they’re working to be fully compliant.”

If an organization deliberately decides not to comply, the fines get bigger and bigger, Gregory says. “Eventually the organization will have to take a different approach and become compliant.”

Renee Murphy, an analyst at Forrester Research, has a different take. It’s not that companies can’t get the security controls in place to achieve compliance, she says. It’s the opposite. With all the regulations that are now in place, companies have much more onerous requirements that they’re already having to deal with. “I think they’re probably at the point where PCI is the least of their problems.”

Companies that already comply with other regulations might not want to do yet another penetration test and have yet another auditor come in to do yet another assessment — and their banks and payment providers might not be too concerned.

“PCI is a pretty good practice, but it’s by no means the best practice,” Murphy says. In some cases, PCI DSS has questionable advice, such as the requirement (8.2.4 in version 3.2.1) to change user passwords at least every 90 days, a practice that NIST’s SP 800-63B guidance now recommends against.

“They can force you into binding arbitration, but I don’t think anybody would,” Murphy says. “If you’re the PCI council, do you want to pick that fight? If you lose, nobody will ever be PCI compliant again.”

Optiv’s Gregory disagrees. “You don’t need to do a separate pen test for each regulation,” he says. “You can do one pen test, as long as that single pen test is done in a way that satisfies all of them. If you have to do SOX [Sarbanes-Oxley] or ISO [International Organization for Standardization], there’s so much consistency for those standards that if you do some upfront planning, you can do things that will satisfy different requirements.”

What’s new with PCI DSS 4.0?

Late this year, PCI DSS 4.0 is expected to be released, with stronger requirements for authentication and encryption and a focus on cybersecurity as a continuous process, rather than an annual or quarterly compliance assessment. On the flip side, the new standard will also give companies more flexibility by focusing on the results of the cybersecurity requirements, rather than on the specific implementation details.

“The new validation option gives organizations the flexibility to take a customized approach to demonstrate how they are meeting the security intent of each PCI DSS requirement,” said Emma Sutcliffe, global head of standards at PCI Security Standards Council, in a Q&A posted on the organization’s website. She also notes, “There are also proposed revisions to requirements on passwords to accommodate different authentication options.”

The organization just completed a request for comment about the proposed changes, says Mark Meissner, the group’s VP of public relations. “It produced the biggest response in the history of the PCI DSS. We received 3,254 comments from 154 companies.”

What do we have to do to get PCI DSS compliant?

Once a company has reduced the scope of the problem as much as possible, via point-to-point encryption, tokenization and outsourcing, the next step is to ensure that all the proper controls are in place on the data that’s left in the system, that is, on whatever remains of the cardholder data environment (CDE). Companies need to be careful to avoid a checklist-style approach to compliance. “Unfortunately, we have seen that concentrating strictly on standalone compliance efforts can produce a false sense of security and an inappropriate allocation of resources,” says PricewaterhouseCoopers’ Ames.

Instead, PricewaterhouseCoopers recommends a more comprehensive, risk-based approach. “Use the PCI DSS as a baseline controls framework that is supplemented with risk management practices,” Ames says. “This gives the team an understanding of where they need to focus effort in alignment with the threat landscape.”

Then, companies need to make sure that they have processes in place to ensure that they stay compliant. That means that they need a way to monitor the controls, and if one fails, there’s a process to identify and correct the problem quickly.

How can we reduce our compliance costs and risk exposure?

Third-party payment gateways often take care of much of the PCI compliance challenge, allowing you to store tokens instead of actual card numbers so that you can reduce your exposure: a token is useless to an attacker without access to the provider’s vault, and keeping raw PANs out of your systems is what shrinks the cardholder data environment. While these services can make compliance easier, the buck will still stop with you.

Marc Rubenstein, COO at Salucro Healthcare Solutions, a health care payments company, is particularly sensitive to regulatory requirements. “Salucro operates at the intersection of healthcare and financial services, two highly regulated industries,” he says. In addition to PCI, the company also needs to comply with other regulatory frameworks, including HIPAA, GDPR and CCPA. “We serve some of the largest healthcare systems in the US and abroad.”

The top strategy for reducing both compliance overhead and cybersecurity risks, Rubenstein says, is to have as little payment data as possible in the systems. “Is point-to-point encryption fully deployed?” he asks. “P2PE is the gold standard for keeping sensitive payment data off your organizations’ network.”

Payment processors offer a variety of tools to help insulate companies from payment data. For example, Rubenstein says, vendors’ payment functionality can be embedded within an iframe. Because the card entry form is served from the processor’s domain, the card number never transits the merchant’s own servers or page code, which is what keeps the merchant’s web application largely out of scope.

While third-party vendors can reduce the burdens of compliance, enterprises still have an obligation to choose their vendors carefully, Rubenstein says. “In addition to P2PE, what other measures do your payment technology partners have in place to maintain the highest levels of security and compliance?” he says. “This includes HITRUST certification, annual SOC 2 Type 2 audits, and more. Leaders should be asking for this documentation from their vendors regularly.”

When outsourcing to a third-party payments vendor, companies also need to be careful that they don’t have gaps. Take, for example, a small merchant that uses Square for payments, says Chip Wolford, managing director in the security and privacy practice at Protiviti, a Menlo Park-based consulting firm. A situation might come up where staff take down credit card numbers manually to process the payments at a later point, and wherever those numbers are written down is now in scope. “We run into this in large businesses as well,” he says. “You have disparate payment processes that evolve in the enterprise.”

In particular, companies need to be careful about manual processes such as accepting credit card information by phone, email or some other channel. In fact, manual processes are a danger throughout the PCI compliance process. Manual, survey-based assessments, manual monitoring of security controls, manual remediation all make it difficult to maintain compliance between audits. As in many other areas of cybersecurity, people are the weakest link.
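The stray-card-number problem above is usually found by scanning logs, file shares and databases for anything that looks like a PAN. The following is an added example, not code from the article or from any vendor it quotes: a small cardholder-data discovery scanner that combines a loose digit-pattern regex with the Luhn checksum to weed out false positives (order IDs, timestamps), then masks hits to the first six and last four digits, which is the maximum PCI DSS requirement 3.3 allows to be displayed. The log lines are constructed for the example, the regex and its 13- to 19-digit bounds are this example’s own assumptions, and the card numbers are the usual publicly known test numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. Deliberately loose; luhn_valid()
# below does the real filtering. (Assumed bounds for this example.)
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log for the example: one non-PAN order ID that happens
# to be 16 digits, two card numbers in different formats, one 15-digit Amex
# number, and a tokenized transaction that carries no PAN at all.
SAMPLE_LOG = """\
2020-03-03T10:15:02Z INFO  order=1234567890123456 customer=alice status=paid
2020-03-03T10:15:07Z DEBUG form_post card=4111 1111 1111 1111 exp=12/24
2020-03-03T10:16:40Z WARN  callback: customer read card 5555-5555-5555-4444 over the phone
2020-03-03T10:17:01Z INFO  amex 378282246310005 declined
2020-03-03T10:18:30Z INFO  token=tok_8f3a9c2d amount=42.00
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every real card number passes this check, so a candidate that fails it
    is almost certainly not a PAN. The reverse is not true: roughly one in
    ten random digit strings passes, so Luhn reduces, not removes, false hits.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the spaces/dashes the regex tolerated, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate PAN in text, digits only."""
    return [
        _normalize(m.group(0))
        for m in CANDIDATE_RE.finditer(text)
        if luhn_valid(_normalize(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Mask to first six + last four, the most PCI DSS req. 3.3 lets you show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each PAN found, for a findings report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


def redact(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN replaced by its masked form.

    Non-PAN digit runs (the order ID above) are left untouched.
    """
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN found, masked as {masked}")
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner reports lines 2, 3 and 4 and leaves line 1’s order number alone. The same two-stage filter (pattern, then checksum) is how commercial data-discovery tools cut noise when sweeping an enterprise for cardholder data; the redact() helper is the piece you would wire into a log pipeline so a DEBUG statement like line 2 never lands a full PAN in a SIEM that was meant to stay out of scope.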