How PCI DSS acts as an (informal) insurance policy

July 15, 2022 by Ken Chikwanha

We are firmly in the post-digital era, and the number of data breaches continues to increase in proportion to the volume of data being generated. This data is central to our business strategies. Organizations need every possible advantage if they hope to stem this tide and protect their value and reputation.

Unfortunately, this worrying trend in data breaches is not matched by an increase in organizational readiness. Many organizations are seriously underprepared and, even to this day, fail to implement the basic security measures needed to prevent cyber and similarly damaging incidents.

Enter industry frameworks, including the likes of PCI DSS (view my PCI-DSS course in Infosec Skills) and ISO27000!

What exactly is it?

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of measures (technical, procedural and, very importantly, cultural) that are designed to help protect customers’ data and (incidentally) reduce credit card fraud.

Non-compliance can be complicated and expensive!

Why the fuss?

PCI DSS as an industry framework has numerous benefits for organizations implementing its requirements. In addition to providing a framework for implementing best-in-breed information security, PCI DSS has other consequences, whether intended or unintended.

To the man on the street and the regulator alike, implementing PCI DSS is a show of the organization’s:

  • clear intent and discipline, especially when they are making data a strategic organizational priority;
  • priority and focus on what matters to the customers, investors and business partners; and
  • risk maturity, by virtue of having a clear roadmap and metrics for the systematic implementation and monitoring of risks relating to information security.

Formal and informal insurance policies

A disclaimer right out the gate is that any references we make to PCI DSS as an (informal) insurance policy should not be confused with actual cyber liability insurance policies. There is still a place for these policies, which cover the organization’s liability in the event of a cyber incident. To be clear, they are non-negotiable.

Cyber liability insurance provides coverage for assessments, fines or penalties imposed by banks or credit card companies due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) or payment card company rules. And, because most insurance carriers that offer this type of insurance are global, it is advisable to implement universally recognized IT security best practices.

Enter PCI DSS as a commonly accepted industry gold standard, which gives all stakeholders (customers, investors, regulators and business partners alike) the warm and fuzzies by offering the comfort that the organization has been and remains intentional about its accountabilities as a processor of sensitive personal information.

I like to classify PCI DSS as “informal insurance” because, although most countries’ data protection legislation refers to a need to put in place “appropriate security safeguards”, it is not prescriptive as to the type of controls.

For example, CPRA 1798.100 (d)(5)(e) states: “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification,…”

Because “reasonable” is open to interpretation, it becomes harder to enforce consistently. Another reason is that, given the sheer diversity of the available security safeguards and the size and complexity of different organizations, there is no one-size-fits-all solution. This opens the door to self-regulation by industry players when determining “reasonable security procedures,” a cause to which PCI DSS lends itself comfortably because of the prescriptive nature of its control framework.

The regulator’s angle

Globally, data protection legislation has, at its core, a clear requirement for organizations to protect the information in their custody from unauthorized access. For example, Article 32 of the GDPR explains that “In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular, from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

An important aspect of the GDPR is its emphasis on preventing unauthorized access to sensitive information. The PCI DSS delves into this prescriptively and at length to remove ambiguity. For more details, refer to Requirements 7-10 of version 3.2.1 of PCI DSS.

On a side note, PCI DSS version 4.0 comes into effect from March 31, 2024, while some of the provisions under this version only become mandatory after March 31, 2025. One of the biggest changes in version 4.0 is that it gives businesses the flexibility to implement alternative technical and administrative controls as long as they meet the broader control objectives; this takes nothing away from the robust control framework that is PCI DSS.

Because it is an industry standard and not a law, even with the latest version, non-compliance with PCI DSS would technically not be considered an infringement of regulatory requirements. However, compliance with, or implementation of, the critical data protection requirements of PCI DSS is certain to be viewed favorably by authorities as a clear statement of intent.

An important thing we’ve observed about regulators investigating a data breach is that they no longer focus solely on the breach itself. Instead, they are particularly keen on understanding what protective measures the breached organization has in place. In addition, they are interested in how well prepared the organization is and how effectively it can respond to such incidents.

In closing

It’s not surprising that regulators tend to see the implementation of PCI DSS-strength data protection controls as clear evidence of an organization’s discipline and risk maturity when it comes to protecting the interests of the public by safeguarding their data. These are factors considered when determining the size of a regulatory fine or the seriousness of a regulatory sanction. Now, if that isn’t an informal insurance policy, what is!

View my course on PCI-DSS for Developers in Infosec Skills to learn more.

Ken Chikwanha is a professionally qualified practitioner with more than 15 years of international hands-on and managerial experience in delivering programs relating to Data Governance, Information Security and Data Privacy. He has a passion for people development and leadership with a track record of building and leading delivery teams. With his comprehensive and varied industry experience, he carries an in-depth understanding of the management of Information Risk and control-related matters. Ken holds a Bachelor of Commerce in Informatics along with internationally recognized certifications in Information Governance and Information Systems Security, including, Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Data Management Practitioner (CDMP) and the Sherwood Applied Business Security Architecture framework certification (SABSA). When he’s not advising corporates, Ken spends his time speaking at local and international industry conferences and authoring journal articles. In between engagements, Ken enjoys running, watching football matches with his 3 sons and discovering new music.