Should Sri Lanka adopt payment card industry data security standard?

Growing security threat

During the past few years several data breaches have made global headlines. You may remember the Target Stores data breach in 2013 that put the credit-card numbers and personal information of millions of people into the hands of cybercriminals. 

According to the court documents about 42 million people had their credit or debit information stolen. Target subsequently agreed to pay $10 million to settle a class-action lawsuit related to the company’s data breach. Further, the court documents showed hacking victims could get as much as $10,000 apiece. It cost Target over $162 million in 2013 and 2014.

In a more recent case last year, banks in India will either replace or ask users to change the security codes of as many as 3.2 million debit cards in what’s emerging as one of the biggest ever breaches of financial data. The breach is said to have originated in malware introduced in a system, enabling fraudsters to access information allowing them to steal funds.

According to industry reports, payment card data made up 48% of data breaches investigated in 2012 and was also the second largest volume of records affected and payment card data targeted in 61% of breaches investigated in 2013. Commonly targeted industries includes Retail (45% of breaches), Food and Beverage (24% of breaches), Hospitality (9% of breaches), Financial Services (7% of breaches), Non-profit (3% of breaches) around the world. 

Many of the high-profile data breaches reported as “complicated” or “sophisticated,” when in reality, most occur due to low-level, very basic security practices are overlooked. Credit card data breaches are becoming so frequent globally that related stories seem barely newsworthy unless they involve huge data leaks from major corporations. But, for those impacted, even a small breach can be significant. 

Besides the aggravation of having to deal with fraudulent transactions, fraudulently exhaust out credit limits that prevent legitimate cardholders from using their cards until charges are detected and reversed, denied payments when an issuer cancels a card due to a suspected breach and fails to quickly notify the cardholder, and other payment issues, the stolen data can sometimes be used in various ways to commit non-credit-card-related identity theft.

In a survey conducted in the US, it was found that two-thirds of adults would not return to a business after a data breach. With the growing security awareness amongst the public, they are less likely to patronise a business which has had a security breach and hence customer confidence can affect the profitability of a business. 

The customers trust the organisation with their card data when they make transactions. When a security breach occurs, both parties are affected. Should an organisation get breached, not only will they have to deal with the loss of data, but may also have to deal with fines and lawsuits from customers and other organisations. Data breaches cost organisations a lot in both money and customer confidence. The cost of replacing credit cards, paying fines, and paying compensations for what the customers have lost, investigation costs and audits. 

Between 1998 and 1999, Visa and MasterCard report credit card fraud losses totalling 750 million US dollars which is an insignificant amount with compared to hundreds of millions of dollars in transactions processed annually. With the growing consumer comfort with online purchasing, merchants rolled out e-commerce websites and connected their payment processing systems to the internet. This encouraged fraudsters to capitalise on poorly protected systems from which the payments and card data can be stolen, making payment card fraud faster and easier than ever before. 

Security risks became increasingly high with the increased instances of card-not-present transactions. These information security incidents and financial losses gave credit card companies an intensive amount of work towards implementing a solution to the problem.

PCI-DSS as a solution

With the rise in payment card data breaches globally, the need for a sophisticated security program aroused. In 2004, all the major credit card companies responded to this crisis by joining together to create a comprehensive security standard. Thus, pioneer ‘Payment Brands’, namely, American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc., formed the ‘Payment Card Industry Security Standards Council’ (PCISSC) in 2006.

Five different security programs; Visa’s Cardholder Information Security Program, MasterCard’s Site Data Protection, American Express’ Data Security Operating Policy, Discover’s Information Security and Compliance, JCB’s Data Security Program were similar in objective of creating an additional level of protection when the payment data is stored, processed or transmitted. The founding members of PCISSC aligned and improved said existing internal information security programs to come up with a unified information security program. In this light, the Payment Card Industry Data Security Standard (PCI-DSS) was created along with some of the other supporting standards such as PA-DSS, PCI-PTS, P2PE, etc.

The PCI-DSS helps protect the safety of payment card data. PCISSC set the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions. The goal of the PCI – DSS is to protect cardholder data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting payment card data and has specific rules for different businesses, based on the type of the business (processing, storing and transmitting of payment card data), depending on size of the organisation measured in number of transactions.

Compliance is essential

Being compliant to the standard, can reduce these fines and also reduce the amount of lawsuits and liability an organisation may incur. One has to prove that they were compliant for the fines not to be as bad if you were not making the effort. Hence, compliance is a top priority for merchants and organisations that process electronic payments. The standard helps issuers, acquirers, retailers and third party service providers to improve card data security. The standard was created so organisations could re-evaluate how they were actually using and managing cardholder information.

PCI-DSS specifies 12 different requirements for compliance, organised in to six different ‘control objectives’.

1. Build and maintain a secure network

2. Protect cardholder data

3.Maintain vulnerability management program

4. Implement strong access control measures 

5. Regularly monitor and test networks

6. Maintain information security policy

The execution of PCI compliance creates secure, regularly-assessed environments and processes surrounding the handling of payment card data during its processing, storage and transmission. This includes the protection of cardholder data at not only the point of sale, but during its storage and transmission in a cardholder environment. This includes both network access by external parties and internal access to system components in the cardholder environment. 

As the PCI DSS demands the implementation of security standards for these environments and processes, complying with PCI security standards helps ensuring the safety of cardholder data. Additionally, PCI compliance requires regular assessment, remediation and the process of compliance facilitates better internal security strategies and can help prevent future problems.

Maintaining payment security is a serious business. The card data of the customer needs to be protected by the organisations and the organisations are responsible for keeping the customer card data safe as far as the card data stored, processed or transmitted by the organisation.

While many organisations may not see the PCI-DSS as a necessary evil, it is important to both organisations and their customers that they follow the requirements. After all, organisations are handling valuable information about their customers, and should the information get stolen, it has repercussions beyond just a simple theft.

It is vital that every entity responsible for the security of cardholder data diligently follows PCI-DSS. Unlike any other prevailing security standard, the PCI-DSS requires 100% compliance with the standard if not penalties could be enforced by payment brands to the organisations who are in non-compliance with the standard. Following PCI guidelines goes a long way to securing payment data. Doing so assures customers and vendors that financial information is protected to the highest standard against identity theft and fraudulent purchases. 

Situation in Sri Lanka

In Sri Lanka, organisations have been paying attention to physical security in their businesses, but are they dedicating enough time and effort to protect the information digitally? The cybercriminal is not concerned about which part of the world you’re in and is looking for the easy pickings. 

The standard is not only applicable to websites that accept and process credit cards but also that outsource the processing of credit cards to third parties, if they accept credit card payments over the phone, or even in person. So there is still a lot of work to be done to make organisations become more aware of their responsibilities and obligations when accepting credit cards. And if we can enable our small merchants to make the right decisions by using the guidance that has been published, then that will protect and contribute toward protecting the small merchants as well.

Until the PCI-DSS is adopted in Sri Lanka, Sri Lankan organisations will struggle to comply with varying security standards in various international markets especially with regards to payments. This drive toward having a single standard for the payment industry should be everyone’s interest especially those who want the electronic payments landscape to grow within the country.

“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organisation. Most organisations never fully recover from data breaches because the loss is greater than the data itself”— Quick Service Restaurant (QSR) Magazine.

[The writer is a Governance, Risk and Compliance professional and Director at Information Security Professional Associates (iSPA). He is the founding member and Secretary of the (ISC)2 Chennai Chapter and a board member of the (ISC)2 Colombo Chapter. He can be emailed at [email protected].]