PCI DSS compliance: 5 common mistakes to avoid
PCI DSS, the worldwide Payment Card Industry Data Security Standard, is designed to help e-commerce merchants process card payments securely and reduce card fraud.
There are 12 high level requirements, in six categories, encompassing the storage, transmission and processing of cardholder data. These were established by the PCI Security Standards Council (SSC) but they are enforced by the main payment card brands, who can impose fines for non-compliance that are “passed from the Card Scheme to the acquirer and then onto the merchant”.
The message is clear: if you take card payments, PCI DSS Compliance applies to you. So why do some merchants remain non-compliant and risk hefty fines, reputational damage and potentially losing their ability to accept card payments? Here are five common mistakes that we at Dionach regularly see in the course of our work as a PCI Qualified Security Assessor (QSA) and Forensic Investigator (PFI).
“The cost involved in dealing with the fall-out of a data breach will far exceed the cost of becoming PCI DSS-compliant.”
1. UNDERESTIMATING THE LIKELIHOOD AND IMPACT OF A DATA BREACH
Don’t fall into the trap of underestimating the sophistication of today’s cyber criminals or thinking that the worst won’t happen to you! Unfortunately payment card fraud is an everyday occurrence. Fraudsters are part of a highly organised supply chain, and they make their living by stealing cardholder data and selling it on.
Any weak links in your security posture exposes you to immediate risk. For instance, hackers will leap on new security releases for common e-commerce platforms and attempt to reverse-engineer them and exploit merchants’ sites that have not yet been updated. If you had adhered to PCI DSS controls, you would have patched your site within the recommended window and beaten the hackers to it.
If you do suffer a data breach, it’s likely you’ll be fined by the card company (via your acquiring bank) and have to hire an independent forensic investigator and a PCI QSA to produce a Report on Compliance for the acquirer. If compliance isn’t reached by their deadline, more fines may follow. This is quite apart from the commercial and reputational damage.
Let me put it plainly: non-compliance makes it easier for attackers to compromise your site – and the cost involved in dealing with the fall-out of a data breach will far exceed the cost of becoming PCI DSS-compliant.
“Any weak links in your security posture exposes you to immediate risk.”
2. ASSUMING PCI DSS COMPLIANCE DOESN’T APPLY TO YOU
a. Data transmission counts!
PCI DSS doesn’t just apply to the storage of card details but also to their transmission and processing.
For instance, if you receive payment calls over a VoIP line, or if your website users can submit credit card details via a form that you then forward on, you are transmitting card data. If you take telephone payments and enter card details into a vendor’s payment portal via a workstation, this is also transmission and the workstation – and anything on that network – will be in scope.
b. Outsourced card processing? You still have responsibilities
Even when you’ve outsourced all aspects of card processing to a payment provider such as Sage Pay or Worldpay, there is still a security risk inherent in your website’s redirection to the third-party – for instance an attacker could alter the payment options form in order to compromise credentials. So your website will be subject to some PCI DSS controls, usually Self-Assessment Questionnaire (SAQ) A.
You also have two areas of responsibility when it comes to verifying the compliance of your chosen hosting provider. Firstly you need to see evidence of their compliance by asking for their PCI DSS Attestation of Compliance (AOC), which needs to cover your specific payment environment and should be co-signed by a PCI QSA. Don’t be fobbed off with other standards such as ISO 27001, even if accompanied with a statement saying this is sufficient. It is not.
Be warned that just because a payment provider is well-known in its niche or has high-profile clients, it does not necessarily mean they are PCI DSS-compliant.
Secondly you must scrutinise the proposed agreement with the payment provider to ensure that they are responsible for their cardholder data environment. This is to make sure that you as the merchant are not liable in the event of a breach.
3. COMPLETING THE WRONG SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
The SAQ you need to complete depends on your particular payment set-up or merchant environment.
A small shop that only handles face-to-face payments might be eligible to complete SAQ B with roughly 34 requirements. If you’re running an e-commerce site, you will fall into one of three categories: A, A-EP or D. If you don’t match any of the environments as defined by the forms, the catch-all SAQ D will apply, with approximately 330 requirements.
Choosing the wrong form could make you non-compliant. We’ve seen large organisations complete the wrong one if their finance function is tasked with it without sufficient technical knowledge of the company’s processes. Usually they pick the SAQ A, with 25 requirements, instead of the form that is applicable to their actual circumstances that is likely to have far more.
What will happen in this instance? If your data is compromised, and after the forensics investigation report is completed, you will be given 90 days by the acquirer to become PCI DSS-compliant. This is likely to be a stressful and time-consuming undertaking. For instance, complying to SAQ D within 90 days is normally not possible due to the volume and depth of the requirements, even for well-resourced organisations.
In fact, it is often easier to change your business operations to match the requirements of the SAQ, rather than vice versa. This may still prove challenging if done within the short timeframe of a post-compromise deadline.
4. MISUNDERSTANDING THE ROLE OF NETWORK VULNERABILITY SCANS
a. They do not make you fully PCI DSS-compliant….
A passing vulnerability scan conducted by a PCI Approved Scanning Vendor (ASV) only makes your site compliant with a small subset of PCI DSS controls.
Some vendors may even provide you with a PCI DSS compliance badge or icon following completion of these scans, but unfortunately this is misleading because you are not fully compliant.
b. ….but are a key part of cyber security best practice!
However, conducting regular vulnerability scans is a very good idea in the interests of pre-empting problems in your environment; you can view them as a regular health check. Signing up to an automated scanning service will probably provide you with at least four vulnerability scans a year and the opportunity to analyse and investigate anything unexpected.
5. NOT PRIORITISING COMPLIANCE
Complying with PCI DSS, like with any information security standard, makes good business sense – quite apart from your contractual responsibility. Ultimately the standard sets out a framework that will help you reassure your customers that you are doing your utmost to protect their data.
Turning compliance to your advantage is the most successful approach in cyber security. Ensure someone is tasked with responsibility for PCI DSS, and that they have the time and resources to achieve and maintain compliance. They should have the backing of management in order to overcome any technical or cultural hurdles that arise.
It’s always worth considering additional controls beyond the minimum requirements, such as an alert when files and directories on your e-commerce site unexpectedly change (File Integrity Monitoring or FIM). Also, vulnerability scans are a vital element of compliance and certainly have their place in cyber security best practice – but they are no substitute for penetration tests which incorporate a technical and manual evaluation. Companies typically engage us when launching a new website or when making major changes, but the ideal approach is to conduct penetration tests on an annual basis. I can say that I have never had to perform a post-breach Report on Compliance for a customer that had a programme of regular penetration tests – so that’s testament to their value.
My final piece of advice is to build compliance into your plans from the outset. Agree with your web developers to use an SAQ A-compatible implementation to minimise your compliance burden.
“Turning compliance to your advantage is the most successful approach in cyber security.”
In summary those companies that ignore compliance do so at their peril. The risk of suffering a data breach is high, and will have significant consequences on your customers and your business.
Find out more about how we can help your business achieve PCI compliance
