Achieving Easy Compliance with the “PCI Pills”

By Nigel Gildea | 5 January 2016

The Payment Card Industry Data Security Standard (PCI-DSS) is a mostly technical set of controls that applies to any organisation that stores, processes or transmits payment card data, and to any system that could affect the security of that data. The standard is set by the PCI Security Standards Council (PCI-SSC), mandated by the card brands and enforced, for merchants, by their acquiring banks.

At a time when organisations are advised to take a holistic approach to security and to implement what the industry calls ‘defence in depth’, PCI-DSS is unpopular with many merchants. Some view its controls as onerous and expensive, especially when they have to be met alongside other regulatory requirements and security best practice.

This has driven the development of alternative approaches designed to make PCI compliance easier: they let merchants achieve certification and satisfy their acquirers’ requirements without having to implement costly, resource-heavy controls across the whole estate, such as centralised logging or file integrity monitoring.

These approaches come down to outsourcing the card data environment, reducing its scope or reducing the risk associated with it. These ‘PCI Pills’ are designed to make compliance a much less painful experience, and they cover the three main payment channels for merchant transactions: Mail Order/Telephone Order (MOTO), eCommerce and face to face in store.

MOTO

Call centre environments typically involve customers reading their card details to telephone agents. The card data enters the call centre and is carried across the Voice over IP (VoIP) infrastructure, which is therefore in scope for PCI-DSS, before it reaches the agent. The agent then keys the card data into a workstation (in scope) and it travels across the corporate local area network (LAN), again in scope, to a local payment application or an internet-based payment service provider (PSP). Any call recording platform that captures the conversation is in scope too.

Because the workstations sit on the LAN and usually have broad connectivity to LAN-based servers and services, such as Active Directory and file shares, it is typical for the entire local infrastructure, and in many instances the corporation’s wide area network, to be in scope as well, unless the network is properly segmented.

To de-scope the call centre, the card data must be removed from the environment entirely. One way to do this is for the merchant to engage a cloud-based dual tone multi frequency (DTMF) masking service provider. The provider sits upstream, between the customer and the merchant’s call centre. When the customer keys the primary account number (PAN) and the other card details on their telephone keypad, the provider captures the DTMF tones and suppresses them on the leg of the call that reaches the agent, so the tones never enter the merchant’s telephony, workstations or call recordings. The provider then makes the payment with the PSP on the merchant’s behalf and sends the merchant confirmation that the payment has been accepted.

As the merchant no longer stores, processes or transmits payment card data, none of the technical controls applies to its environment. The merchant’s remaining PCI obligations are to confirm that the DTMF provider is itself PCI-DSS compliant and to manage that relationship under the service-provider requirements (Requirement 12.8). In practice the merchant must also make sure there is no fallback path: if agents take card numbers verbally whenever the service is unavailable, the call centre is straight back in scope.

Face to face 

Large retailers are increasingly dependent on smart Point of Sale (POS) solutions that interact with their PIN entry devices (PEDs). The interaction between the POS and the PED allows a smooth customer experience and the integration of additional functionality, but it means the PED must be connected to, or on the same LAN as, the POS.

Unfortunately, this connectivity also brings compliance requirements. Only the PED interacts with a customer’s payment card, but because the PED passes the card data to the POS, the POS is also in scope. Larger merchants’ store environments typically have a back office and limited segmentation across the LAN, so the entire store LAN and any centrally managed POS solution usually end up in scope for PCI as well.

The card brands and the PCI-SSC recognised that this was a problem for many merchants. Most PEDs already encrypt the card data before passing it to the POS or onto the LAN, but the quality of that encryption, and of the key management around it, varied wildly between vendors and PSPs. The PCI-SSC therefore defined a separate standard, Point-to-Point Encryption (P2PE). A validated P2PE solution ensures that card data is encrypted inside the PED, using keys the merchant never holds, and can be decrypted only within the P2PE solution provider’s (typically the PSP’s) environment.

Vendors and service providers can now assess their existing and upcoming PED encryption and key management solutions against the P2PE standard. Where a solution is listed as validated by the PCI-SSC, merchants using it can treat the POS and the LAN as out of scope, because only ciphertext the merchant cannot decrypt ever passes across them. The merchant’s remaining PCI-DSS requirements then concern the PEDs themselves and their management: keeping an inventory, checking the devices for tampering and following the P2PE Instruction Manual (PIM) the solution provider supplies.

eCommerce

eCommerce is a high risk payment channel because a website is a globally accessible point at which large numbers of customers enter their card details. A compromised website that processes payments therefore tends to yield a data breach involving many customers’ card details, whereas the card data exposed in a face to face environment is limited to the cards presented at the compromised PED.

This increased risk is reflected directly in the number of controls that apply to an eCommerce environment: in many cases, online merchants have to meet more than 300 controls.

As with MOTO, the best way to reduce the compliance burden is to outsource the payment channel. This can be done relatively easily by embedding a PSP-hosted iFrame or redirecting the customer to the PSP’s payment page, so that card details are entered directly into the PSP’s systems and never pass through the merchant’s web servers. Repeat payments are handled by integrating a tokenisation solution: the PSP returns an opaque token that the merchant stores and later submits in place of the PAN. The integration method matters, though. A full redirect or iFrame keeps the merchant’s servers out of the card data flow, but JavaScript-based ‘direct post’ integrations, where the merchant’s own page collects the card fields before sending them to the PSP, bring that page back into scope and attract a larger self-assessment questionnaire (SAQ A-EP rather than SAQ A).
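Once card capture has been moved into the PSP’s iFrame or redirect, the merchant’s own checkout endpoint should only ever receive the PSP’s token. What follows is an added example, not code from the original article or from any PSP, of a server-side guard for that boundary: it scans an incoming request body for PAN-like values using the Luhn check, rejects anything that looks like a card number before it can reach logs or storage, and accepts only a well-formed token. The field names, the `tok_` token format and the sample requests are assumptions; the card numbers used are the publicly documented test numbers, not real cards.

```javascript
// Added example (not from the original article): a guard for a merchant
// backend whose card capture has been moved into a PSP-hosted iFrame or
// redirect. After descoping, the merchant's endpoints should receive a PSP
// token and never a PAN. This guard checks request bodies for PAN-like data
// and rejects them, so a mis-wired form that still posts the PAN to the
// merchant is caught before the PAN reaches logs or storage.
// Field names, the token format and the sample requests are assumptions.

'use strict';

// Luhn check (the ISO/IEC 7812 check digit) over a string of 13-19 digits.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find candidate PANs in free text: runs of 13-19 digits, optionally
// separated by single spaces or dashes, that pass the Luhn check.
function findPans(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Mask a PAN the way PCI-DSS permits for display: first six and last four.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Assumed token shape returned by the PSP: opaque, prefixed, alphanumeric.
const TOKEN_RE = /^tok_[A-Za-z0-9]{16,64}$/;

// Validate a checkout request body received by the merchant backend.
// Returns { ok: true, token } for a well-formed tokenised request, or
// { ok: false, reason, masked } when PAN-like data is present or the
// token is missing. Only masked PANs are returned, so the result is safe
// to log.
function validateCheckoutRequest(body) {
  const serialised = JSON.stringify(body);
  const pans = findPans(serialised);
  if (pans.length > 0) {
    return { ok: false, reason: 'pan_detected', masked: pans.map(maskPan) };
  }
  if (typeof body.payment_token !== 'string' || !TOKEN_RE.test(body.payment_token)) {
    return { ok: false, reason: 'missing_or_malformed_token', masked: [] };
  }
  return { ok: true, token: body.payment_token };
}

// Demonstration on two constructed requests: a mis-wired form that still
// posts the PAN, and a correctly tokenised one.
console.log(validateCheckoutRequest({ order: 'ORD-1001', card_number: '4111 1111 1111 1111' }));
console.log(validateCheckoutRequest({ order: 'ORD-1001', payment_token: 'tok_7Qx9aBcD3eFgH1jKlMnP' }));
```

The Luhn check is a filter, not a proof: roughly one in ten random 13-19 digit runs (a millisecond timestamp, a long order reference) passes it, so a hit should be tuned against the fields the application legitimately carries. The same `findPans` routine is useful beyond the checkout endpoint, for example run over application logs and database exports during a scoping exercise to confirm that the iFrame or redirect really has kept PANs out of the merchant environment.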

Merchants should remember that simply implementing these solutions does not guarantee that the rest of their environment is secure. Many of the controls PCI-DSS mandates are industry best practice from a security perspective. Even where a control is not required for a merchant to achieve PCI-DSS certification, a holistic approach to security is always recommended, so that the organisation protects its systems and data against malicious third parties and accidental disclosure.

Protecting against cyber-attacks is no simple task, and compliance alone will not necessarily solve the problem. All too often, companies are left with a false sense of security. Given the sophistication of today’s threat landscape, a multi-layered approach is what gives organisations a fighting chance when, rather than if, they are targeted.

By Nigel Gildea, Principal Security Consultant, Nettitude.
