PCI DSS Non-Compliance – Where does the Buck Stop?

  • Nick Horne, Sales and Commercial Director at Suresite

  • 07.04.2021 01:15 pm
  • payments

The Payment Card Industry Data Security Standard (PCI DSS) was first published in December 2004, growing out of Visa’s earlier Cardholder Information Security Program. Two years later, the major card brands formed the PCI Security Standards Council (PCI SSC) to, in their own words, “develop and drive adoption of data security standards and resources for safe payments worldwide.”

No one would have thought that nearly 17 years after its introduction, the PCI standard would still be such a hot potato for firms, especially retail outfits. Breaches of the standard are still providing headlines for newspapers and heavy fines for transgressors. The challenge of protecting payment card data is not confined to a single industry or country: companies across all sectors and in every geographic location are under constant threat from attackers whose aim is to steal cardholder data. Such events are often linked to broader data protection failures governed by the GDPR and national data protection legislation, as with the recent ICO fine for British Airways.

US comms giant Verizon’s 2020 report on PCI compliance showed that for the third year in a row, compliance with the PCI standard slipped. “Only 27.9 per cent of organisations achieved 100 per cent compliance during their interim compliance validation,” says the report.

So why are we still seeing large organisations fall foul of the standard? Verizon points to a possible cause: “information security professionals continue to find themselves reacting to issues within the enterprise rather than taking a proactive stance.”

Achieving compliance

The latest PCI standard, version 3.2.1, came out in May 2018 and runs to (count ‘em) 139 pages, and there are 12 requirements in the standard that retailers need to tick off to be compliant. There is a lot of IT to deal with in the standard, ranging from protecting systems with correctly configured firewalls to risk assessment documentation covering hardware, software, and the actual process of taking card payments. But there is, of course, also the human element: the people who make all of this happen, and whose lapses can undermine all the technical effort.

I believe retailers need to start educating their staff in PCI compliance and, instead of concentrating on the technology, focus on the security policy requirements.

An example? Smaller retailers that run a Wi-Fi network often don’t consider the different kinds of traffic crossing it. If the same unprotected Wi-Fi carries payment card transactions and an employee’s personal browsing (checking their Facebook page, say), a compromise of that employee’s device or session puts the payment traffic within reach. This is exactly why the standard requires wireless networks to be firewalled off from the cardholder data environment (Requirement 1.2.3 in version 3.2.1), so retailers should be thinking about policies governing what can be accessed over those networks, and from which devices.

If I were doing a staff training day on the niceties of PCI compliance, it would be instructive to explain how simple it is to get hold of cardholder information. 

Consequences of PCI non-compliance

One only needs to recall an example of a major PCI data breach in the retail sector to appreciate the need for the PCI standard. At one large retail brand, 80GB of cardholder data was siphoned off over 18 months, amounting to nearly 46 million records exposed.

Now, let’s put the PCI-related and GDPR fines aside for a minute (which even for small companies could total a significant amount per month) and think about the reputational damage. Would you buy from a firm where your personal information and card details had been exposed and were possibly being touted on the dark web, up for grabs by any Thomas, Richard, or Harold? Add it up: fines, reputational damage, lost customer goodwill, and the inability to process cards, all while PCI forensic investigators must be employed to determine how and where the breach occurred and whether the gap has been plugged.

PCI - whose responsibility is it?

So where does the buck stop when your firm is not PCI DSS compliant, or has a breach demonstrating that fact? Is it the IT department, sales, finance? Well, responsibility for PCI DSS compliance is just like that for the GDPR: it is the remit of those at the top of the organisation, which could be an owner-manager or a full executive board.

In today’s fragmented retail ecosystem, who does the ‘board’ consist of if the business has only one site? In that case, it would be the owner-manager. For bigger firms, some would lay the responsibility with finance, since PCI falls under payments – doesn’t it?

With brand-owned, dealer-operated sites, often seen in convenience and forecourt retail, it’s slightly more complex, and the key question is: who owns the Merchant ID (MID) that the site is using to process a payment? The MID identifies the merchant of record with the acquirer, so in the majority of cases it determines who needs to be PCI compliant, although that responsibility can be reallocated by contracts and procedures individually agreed between the brand owner and the dealer.

Looking through the 139-page PCI standard, which is packed to the rafters with IT requirements, it’s easy to see why lots of companies wrongly lay compliance responsibility at the door of the IT department. At a low level, you could say that responsibility for PCI compliance lies with every member of the company and shouldn’t rely exclusively on the grey matter between the tech guys’ ears.

Given the business risks PCI can bring, IT should be working hand-in-hand with other departments, finance in particular. Very large organisations that operate at level 1 of the standard (the highest transaction-volume tier, which carries the most demanding validation requirements) might have a chief risk officer (CRO) or chief information security officer (CISO) assuming responsibility for compliance. These officers should be escalating any PCI compliance issues to top-level executives, ideally those responsible for the bottom line of the company, because these people are ultimately accountable for PCI compliance. The buck stops right here.

Challenges of the pandemic

Credit and debit cards were already displacing cash, and the pandemic is speeding this up. For example, public bodies like Transport for London have ‘retired’ cash, requiring you to top up Oyster cards online or at dedicated machines. According to UK Finance, a record 62 per cent of debit card payments last August were contactless, as physical cash could be a vector for the coronavirus.

Then look at smaller retailers in convenience and forecourt retail: people are driving less in the pandemic, but they are visiting forecourts more frequently, paying for smaller amounts of petrol and other goods via contactless. This will affect retailers who are borderline on the number of transactions they process annually, since the increase in transaction volume could move them up a merchant level on the PCI scale, and with it the validation they must perform.

Smaller independent retailers may also be forced to cater to increased demand for telephone orders from customers housebound by the lockdown, which opens up a new card-not-present channel that also falls within the scope of PCI compliance.

And finally …

If a single card payment is made, whether in-store, by email or telephone, or through a website, then a retailer could be subject to merchant acquirer fees and card scheme fines if they are not PCI compliant. Ostrich-like behaviour with regard to PCI compliance, by large and small retailers alike, is not on, especially with the added complexity inherent in new payment methods, which can only increase the likelihood of a PCI breach. But if Verizon’s report is anything to go by, there are still firms sticking their heads in the sand. It is alarming that PCI data breaches have risen while PCI compliance has fallen. The challenge for all retailers remains the same in 2021 as it has been over the past 17 years: wake up and start taking PCI seriously.
