PCI Security Awareness: Who Needs Training and Compliance?
With financial reward being one of the main motives behind online frauds, the Payment Card Industry (PCI) is constantly under cyber-attack by hackers. The business sector is refining its efforts to counter fraud by adopting stringent data security standards and security best practices for handling, storing, and sharing sensitive data for the hundreds of millions of people worldwide that use payment cards at ATMs or at merchants.
According to Dan Berger, CEO of the National Association of Federally-Insured Credit Unions, retail data breaches are still on the rise and it calls for proper attention to standards implementation. “Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015 and there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% percent hike over the same time last year.”
Payment card hackings can have devastating financial effects for all stakeholders. The Nilson Report, a 46-year old publication providing news and analysis of the global card and mobile payment industries, shows how, in 2015, payment card fraud totaled $21.84 billion worldwide (38.7% of which is the U.S. portion). Card issuers worldwide absorbed approximately 72% of the loss ($15.72 billion, mostly deriving from the hospitality sector), while merchant ($5.9 billion, mostly from card-not-present transactions) and ATM acquirers ($217.4 million) the remaining 28%. The projected amount of losses in 2020 is $31.67 billion.
PCI Data Security Standards
According to pcisecuritystandards.org, “The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.”
Its founding members, American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., originally had their own security programs, but they saw the need for a joint effort and consistent data security standards to protect cardholders and their data. The first PCI Data Security Standards (PCI DSS) were released in 2004; the latest edition (version 3.2) is dated April 2016. PCI compliance is not a directive but is made up of industry-imposed rules and self-regulatory standards to protect the integrity and confidentiality of credit card information.
PCI DSS provides a list of 12 requirements that fall under 6 categories upon which are based technical and operational actions aimed at protecting card payment safety and account data. The PCI DSS applies to merchants, processors, acquirers, issuers and service providers, and, in general, to all those who “store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).” CHDs include the name of the account holder, the account number, the expiration date and service code; SADs include track data on the magnetic-stripe or chip, the CAV2/CVC2/CVV2/CID and the PIN.
Some of the requirements are common sense, but they are nevertheless the foundation upon which to build an effective system of security layers. In addition, they are just the start of a cardholder data security program and can be complemented by further protective measures based also on other regulations, local laws and additional industry-specific requirements.
The 6 categories (and 12 requirements) are as follows:
- Build and Maintain a Secure Network and Systems
- Entities need to install and maintain a firewall to protect data.
- Immediately change system passwords and other security parameters from vendor-supplied to business-chosen.
- Protect Cardholder Data
- Protect cardholder data when stored.
- Encrypt transmission of cardholder data.
- Maintain a Vulnerability Management Program
- Ensure the use of anti-virus and anti-malware tools and keep them updated.
- Use and maintain secure systems and applications.
- Implement Strong Access Control Measures
- Protect data by restricting access only to those who have a genuine, business need to know,
- Make sure every access is identified and authenticated.
- Restrict also physical access to cardholder data.
- Regularly Monitor and Test Networks
- Monitor all access to network resources and cardholder data.
- Test security systems and processes periodically.
- Maintain an Information Security Policy
- Create and enforce a policy that addresses information security in the organization.
Anyone who stores, transmits or processes cardholder data needs to worry about Payment Card Industry Data Security Standards, especially considering the fact that all major credit card brands have generated and enforced these requirements. In fact, businesses of all sizes can be asked for proof of compliance by the credit card companies they choose to utilize. Validation requirements vary according to the business’ classification, and can go from self-assessments to quarterly external vulnerability scans by authorized scanning vendors and annual onsite assessments.
Each credit card brand, in fact, determines its own program and classification of merchants according to the number of transactions handled in a given period. Visa, for examples, classifies merchants with less than 20,000 transactions per year as a Level 4, with Level 1 being a business that processes more than 6 million Visa payments annually. For American Express, in contrast, a Level 1 is a merchant who has more than 2.5 million transactions per year.
Safety needs to be ensured at all levels, as it involves not only the electronic means of handling the information, but also the location where data is handled and the operators who are tasked to do it. Sensitive cardholders’ data shouldn’t be stored in an endpoint that is not protected but in systems and servers physically secure behind locked doors. All employees managing the data process need to be authorized to do so and no other personnel need to have access to the space to get to the data.
Retaining customers’ info should be avoided without a legitimate business need and without, obviously, authorization. If data is to be retained, it is necessary to use PCI-compliant terminals to collect data, PCI-compliant applications to process them and strong cryptography to transmit them. In any case, some data cannot be stored regardless of reasons: pin and pinlocks, unencrypted card numbers, CVV and CVV2 and track 1 and 2 data.
What happens if a business is not in compliance? The first consequence is in terms of possible higher risk of a breach. A security leak and data compromise can be lethal for a merchant’s reputation and can result in monetary loss, legal issues, loss of jobs and possibly lack of credit card payment processing support. Losing the trust of clients has long-lasting consequences that definitely have an effect on current and future opportunities for a company.
There are also fees and penalties involved with non-compliance. Fees vary but a credit card company can fine an acquiring bank $5,000 to $200,000 per month for each PCI compliance violation. The bank will then decide how much to charge the merchant and on whether or not continuing the relationship is viable. The account agreement will have information on the relationship between the merchant and the bank and their mutual responsibilities.
What Are Some Common Fraudulent Practices?
In 2015, Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch, reported how hackers had stolen more than 500 million financial records in 2014, “essentially breaking into banks without ever entering a building. […] About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card.”
The FBI has reported many cases of both individual and corporate account takeovers in which cyber criminals have compromised the online banking credential of an account holder through fraudulent websites, malware or keylogging programs that harvest users’ online banking credentials. Problems are also seen at many automated teller machines (ATMs), where skimmer devices are used to collect card numbers and personal identification number (PIN) codes. Point of sale (PoS) terminals might also be infected with “sniffer” programs and “smart” cash registers can be hacked.
In the past few years, several major attacks on retailers’ payment systems have made the news. Last year, the Veridian Credit Union accused Eddie Bauer for inefficient security standards and failing to discover malware on its PoS that read credit card numbers before they were encrypted and sent to payment processors. Credit-card and debit-card payments made between January 2, 2016 and July 17, 2016 might have been accessed.
Eddie Bauer is just one of many U.S. retailers that have experienced a breach with an amount of personal identifiable information (PII) being compromised. Target in 2013 leaked the credit card numbers and personal info of millions (over 100 million it seems) of customers; Home Depot saw 56 million payment cards compromised in 2014 through malware that affected its PoS and pretended to be an antivirus software. Recently, Arby’s fast food restaurants might have experienced the breach of more than 355,000 credit and debit cards at its point-of sale registers because of malware.
The latest breach seems to have affected the hospitality field and, in particular, Select Restaurants Inc., the owner of several eateries across the US. The hacking was most likely carried through Select’s PoS vendor, 24×7 Hospitality Technology, which was illicitly accessed from late October 2016 to mid-January 2017. According to Brian Krebs of security blog KrebsonSecurity, 24×7, the attackers executed a PoSeidon malware variant, “which is designed to siphon card data when cashiers swipe credit cards at an infected cash register.”
Organizations should already be addressing this issue by implementing Payment Card Industry (PCI) solutions (like chip-based card anti-fraud technology that has eased the onslaught of breaches) and by using standard controls (such as auditing) and protocols (the EMV Channel Establishment Protocol, a chip and pin cryptographic protocol suite). But what more can they do?
Can PCI Awareness Training Help? Who Needs It?
As mentioned on the website of IT security company Trustwave Holdings, “The human factor – what employees do or don’t do – is the biggest threat to an organization’s information security, yet it’s often the most overlooked. Whether they are processing credit cards, handling clients’ personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data, unless you help them learn how to protect against and respond to security incidents. It’s vital to your business to provide security education to your employees and partners.”
With an increase in fraud losses in recent time, it will take both the banks’ sophisticated fraud-prevention systems and customer vigilance to put an end to PCI’s fraud loss. In addition, “by promoting employee awareness of security, organizations can improve their security posture and reduce risk to cardholder data,” says pcisecuritystandards.org.
One of the requirements of PCI, in fact, is the need for a clear, enforced security policy. This includes also the need for all organizations accepting or processing payment transactions (from merchants, banks, payment processors, service and technology providers on to the commercial customer and cardholders) to inform all stakeholders adequately on PCI requirements as well as threats related to the payment industry.
Management, executives and staff members who have any operational or technical part in processing the cardholder data need to be trained upon hiring and must periodically go through refreshers and update info sessions. Therefore, not only should compliance officers, finance specialists, audit managers and credit analysts be involved, but also webmasters, system administrators and developers.
Just like with any general security awareness training, the information needs to be tailored to specific audiences; however, general principles of IT security need to be addressed too as they apply to any industry: phishing, physical security as well as mobile device security and viruses should be discussed. All personnel in the business (bank, merchant, credit card brand, store) need to be aware, at a minimum, of general security training tips, definitions of what cardholder data (CHD) and sensitive authentication data (SAD) are and their responsibility to safeguard them. Depending on how the credit card info is normally collected (phone, electronically, on paper) correct, specific handling procedures are also to be addressed.
General staff should also be aware of the consequences of non-compliance but more in-depth information should be given to management. This category of stakeholders need to be fully aware not only of the monetary consequences of breaches and non-compliance, but also of possible repercussions on the business’s reputation as well as the responsibility the company retains even when outsourcing the actual payment collecting process.
IT staff in different capacities will obviously need to be trained in depth on the more technical requirements linked to PCI compliance as they are ultimately responsible for the configuration of the infrastructure. They should also be fully aware of the flow of information within different departments, company non-IT policies and business requirements.
Staff that are directly involved with the processing of payments (accounting personnel, cashiers) need to be aware of their responsibility in reporting suspicious activities and problems at the point-of sale as well as in correctly identifying cardholders when performing transactions with or without the card being present.
The PCI-SSC offers a series of trainings including the PCI awareness training program which is suitable for merchants and service providers who are interested in learning more about PCI roles and responsibilities as well as in understanding how to reduce risks for customers and the organization.
Infosec Institute has a PCI DSS module as part of its AwareED computer-based security awareness program, with hands-on simulations that help employees retain the material better. The training covers “essential cardholder data security requirements for all different payment environments; card present, card-not-present, mail, fax, online, and phone (individual or call center.)” As the PCI Security Standard Council points out, role-based security awareness training will help “to build a reference catalogue of various types and depths of training to help deliver the right training to the right people at the right time.”
Keeping abreast of the latest PCI compliance standards and applying the latest technologies are the only chance that stakeholders in the Payment Card business have to protect themselves and their customers from breaches and theft. Appropriate security awareness training on PCI DSS requirements is the best way to address vulnerabilities linked to the human side of credit card data processing. Anyone in the organization, from management to the accounting department, to cashiers, IT managers and systems administrators, can benefit from training tailored to their role in the payment card data workflow.
Keeping up-to-date with the latest trends is also important and a number of conferences can help managers do that throughout the year. The Cards & Payments Summit on the 27th & 28th of March in London, for example, shows the industry’s challenges and the opportunities that will have an impact on security and customer experience. Also, worth considering is the Cards & Mobile 2017 event in Latvia on the 30th of May that will discuss how the credit card processing industry has evolved by introducing new equipment and payment capture technologies with innovative developments in credit cards, such as embedded digital IDs and biometric data, and contactless co-branded cards.
Abezgauz, I. (2014, June 26). Does PCI Compliance mean PII and Card Data Security? Retrieved from http://www.quotium.com/resources/pci-compliance-mean-pii-card-data-security/
Bukhari, J. (2017, February 3). That Chip on Your Credit Card May Not Be Stopping Fraud After All. Retrieved from http://acrossthefader.us/archives/25888
Ebrahimi, A. (2011, June 14). Everything You Need to Know About PCI DSS Compliance. Retrieved from https://www.merchantmaverick.com/pci-dss-compliance/
Ebrahimi, A. (2011, July 8). PCI Compliance Fees: What They Are, and What to Do About Them. Retrieved from https://www.merchantmaverick.com/pci-compliance-fees/
Kelly, E. (2014, October 20). Officials warn 500 million financial records hacked. Retrieved from http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/
PCI Security Standards Council. (n.d.). PCI Awareness Training. Retrieved from https://www.pcisecuritystandards.org/program_training_and_qualification/requirements_awareness
PCI Security Standards Council, LLC. (n.d.). Document Library. Retrieved from https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
PCI Security Standards Council, LLC. (2014, October). Information Supplement: Best Practices for Implementing a Security Awareness Program. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
PCI Security Standards Council, LLC. (n.d.). Payment Security Educational Resources. Retrieved from https://www.pcisecuritystandards.org/pci_security/educational_resources
Seals, T. (2017, March 17). PoS Breach Hits High-End Eateries Across the US. Retrieved from https://www.infosecurity-magazine.com/news/pos-breach-hits-highend-eateries/
Snow, G. M. (2011, September 14). Testimony – Cyber Security: Threats to the Financial Sector. Retrieved from https://archives.fbi.gov/archives/news/testimony/cyber-security-threats-to-the-financial-sector
The Nilson Report. (n.d.). Payment Card Fraud. Retrieved from https://www.nilsonreport.com/
Weise, E. (2017, February 9). Arby’s probes possible data breach of credit cards. Retrieved from http://www.usatoday.com/story/tech/news/2017/02/09/arbys-breach-may-have-hit-355000-credit-cards/97702594/