While compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a requirement for all card-accepting businesses, the results of different organisations' PCI initiatives vary widely. For some businesses, compliance efforts cost a lot while yielding little value in return. For others, the process yields both improved security and a strong return on investment. What makes the difference? To answer this question, The Logic Group and its partner SafeNet brought together a group of leading security experts from the U.K. and European payments industry. Roundtable participants included consultants and assessors, individuals with years of practical, hands-on experience in PCI DSS compliance initiatives. Through this discussion, these practitioners shared a wealth of proven guidance and also offered a glimpse into the future of payments and security. They came up with nine key best practices:
Focus on the fundamentals:
What is the intent of the standard, and what risk was it designed to address? The first thing to do when approaching any new technology is to assess it and understand the risks it introduces to the business, and let that assessment guide whether and how the technology is rolled out.
Understand where sensitive data is:
While on the surface this is a basic concept, it’s not always so simple in practice. Locating sensitive information and being sure it doesn’t somehow creep out to other systems is often a significant challenge. The most recent version of PCI DSS has become more specific in saying organisations need to have a good inventory of PCI data and where it resides. Although not a specific requirement of PCI DSS, data loss prevention (DLP) solutions can be helpful in meeting this requirement.
Minimise data retention where possible:
When it comes to information security, as in any other battle, the fewer fronts there are to fight on, the better the chances of success. Businesses should only keep sensitive information in the instances and systems where there is a clear business need to do so. It is very common for QSAs to see some degree of unneeded data retention, often "just in case we need it in the future", and every such store is a single resource that, if compromised, could carry a huge financial and competitive penalty.
Reduce scope by harnessing point-to-point encryption:
Once sensitive data is identified, and, where possible, eliminated, organisations can further reduce scope by leveraging point-to-point encryption. At a high level, point-to-point encryption refers to encryption between two points within the PCI ecosystem, for example from the time a card is submitted in a PIN entry device (PED) to the time the data is needed in the clear in a payment processor’s data centre. In doing so, for example, a retailer can effectively take portions of their infrastructure and business out of the scope of PCI DSS, and realise significant cost savings as a result.
Reduce scope by leveraging tokenisation:
Employed for online credit card transactions or the transmission of other sensitive data, tokenisation works by replacing sensitive data with tokens that retain the characteristics of the original data (for example its length and format). With tokenisation, security teams can ensure that a host of databases, applications, and users never touch the sensitive data itself and only interact with placeholders for it. However, as with just about any other specific security technology, tokenisation won't typically remove a vendor from the scope of PCI DSS completely: if tokenisation is implemented correctly there may be an overall reduction in scope, but the organisation still has to maintain very high levels of security around the card data wherever it now lives (the token vault).
Understand who’s responsible:
Businesses need to be crystal clear about their roles with respect to PCI DSS compliance. Use of a PA-DSS (Payment Application Data Security Standard) compliant payment application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.
Tailor security to the business model:
Security and compliance can never be a completely standardised approach across businesses. Businesses, and the QSAs that serve them, need to map the requirements of PCI DSS to their specific business models. For instance, while not retaining credit card data is a good principle, some businesses, such as hotels, need to keep the card number from the time a customer reserves until they check out in order to accept bookings at all. Security and compliance approaches need to be adapted to these realities.
Security is more about business process than technology:
No matter how many robust security solutions are deployed, if business processes aren’t clarified and aligned with security objectives, neither compliance nor security will be attainable. Consequently, understanding and improving processes within the organisation is essential. Focusing on technology adoption rather than business process is a critical mistake. It is process that enables the technology to work, but often the apprehension about changing process leads to taking the technology route as an easier option. Changes around how cards are handled within a company have to be supported from the top and require the coordination of efforts across disparate groups, which often haven’t historically interacted much.
Treat the QSA as a consultant, rather than an auditor:
The QSA can play a vital role in how successful a business is, not just in meeting compliance obligations but in getting the most security and value from these efforts. Fundamental to this is how the client approaches working with the QSA. Treating the QSA as a consultant, and taking the time to give them an understanding of the business, will mean that they make the best recommendations for the business, not only about PCI DSS compliance but about security as a whole.
In the end, the most important thing to remember about PCI DSS is this: it's about security. While PCI compliance can be the carrot or the stick that helps justify the required investments in time and budget, security, not compliance, needs to be the key objective. When it comes to PCI DSS compliance, much of the focus is on the "stick", the risks of non-compliance. The penalties are significant, and it often takes some upfront education to impress that point on business leaders. On the other hand, organisations can look at the "carrot", the incentive for achieving PCI compliance, namely the benefits that come from a cohesive security programme. By implementing a comprehensive security programme, rather than doing the bare minimum to get past the next compliance deadline, organisations can realise a great deal of value beyond just avoiding fines for non-compliance or breaches. Part of supporting a best-practices approach is to look not only at card information but at other assets as well. Security best practices represent processes companies should be following anyway. Anything that is an asset to the company, whether it's credit card data, customer data, or other sensitive information, needs to be protected.
The full report of this roundtable discussion can be downloaded from the Logic Group website at
The Logic Group
direct +44 (0)1252 644 320
mobile +44 (0)7919 922749