Why must a payment card processing entity comply with PCI DSS Standard?
Before we answer the question above, lets take a look at the means and motives for a threat actor to act maliciously against any business. The most common motives are money, business records and sensitive data, design plans, business plans, medical records, legal records, business reputation and others.
How does a threat actor carry out a malicious act?
The Cyber Kill Chain model shows a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attackers path.
- Reconnaissance: The efforts of threat actors to gain as much information about the network as possible before launching other more serious types of attacks, using methods such as social engineering.
- Weaponization: DDOS, BotNet, or Malware
- Delivery: Attacker sends malicious payload to the victim by means such as email, which is only one of the numerous intrusion methods the attacker can use.
- Exploitation and Installation: After identifying the vulnerabilities, the attacker exploits the weakness and carry out the attack. During the exploitation phase of the attack may install malware enabling the attacker to execute commands or download additional malware.
- Command & Control: A compromised resource is usually accomplished via a beacon over an allowed path out of the network. Example: Ransomware uses command and control connections to download encryption keys before hijacking your files. Remote-access Trojans open a command and control connection to allow remote access to your system, allowing persistent connectivity for continued access to the environment.
- Action: The attackers final goal such as extracting a ransom from you in exchange for decrypting your files or exfiltrating customer information or payment card data out of the network.
An Effective and Enterprise Wide Information Security Plan can prevent an attacker from carrying out any of these stages of attacks and often early along the attackers path.
PCI DSS follows common sense steps that mirror best security practices. PCI DSS standards provide a payment card processing entity and a structured security plan to implement in order to protect payment card data. PCI DSS compliance is an effective verification of a successful information security plan.
Non-Compliance essentially means there are vulnerabilities within the enterprise that an attacker may exploit in order to carry out cyber attacks resulting in what is known as a data breach.
According to Verizons annual data breach investigations report, 75% of the breaches are perpetrated by outside attackers and 25% of the attacks involved internal actors. The major breach tactics included hacking, malware, stolen or weak passwords, and social attacks. 61% of the entities under 1000 employees were data breach victims.
According to a survey report from Forrester Consulting on state of PCI Compliance: 81% of businesses store payment card numbers. 73% store card expiration dates. 71% store card verification codes. 57% store customer data from the payment card magnetic stripe and 16% store other personal data. According to PrivacyRights.org, 510 million records with sensitive information have been breached since 2005.
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.
Consequences of Non-Compliance
Now back to the question, what are the consequences of non-compliance, in other words a potential card data breach?
We will answer the question with an example among the many many entities that have suffered debit and credit card data breaches.
Retailer: Target Corp
- 40M credit card and debit card numbers stolen
- 70M records containing personal data stolen
- 46% drop in business revenues and market capitalization (loss of customer trust)
- Estimated cost of $200M to credit unions and community banks for reissuing 21.8M cards
- $100M cost of upgrading the payment terminals at all stores
- Resignations of top executives as a result of the breach
Standard fines and penalties imposed by Payment Card Brands for card data breaches takes into consideration the following:
- Number of card numbers stolen
- Circumstances surrounding incident
- Whether track data was stored or not
- Timeliness of reporting incident
Visa and Mastercard: Up to $500,000 per occurrence
Fines for non-compliance: $5000 to $25,000 every month
Fines for storing sensitive account data: Up to $100,000 per month
Other financial costs include:
- Fines levied by card associations to make notifications to all card holders and replace credit cards
- Costs of notifying taxpayers of incident, pursuant to the Identity Theft Protection Act
- Forensic Investigation Costs
- Cost associated with discontinuing accepting cards
- Cost of an annual on-site security compliance audit estimated $20,000 every year
The cost of Payment Card Industry Data Security Standard (PCI DSS) compliance audit may not be as understated as the tangible and intangible costs of a data breach. According to Gartner, 8 percent of retailers have been fined for failing to comply with PCI, while 22 percent have been threatened with fines for their noncompliance.
Potential Liabilities of a data breach
- Non-compliance raises the specter of poor management and poor governance
- Loss of reputation and customer trust and confidence and enterprise brand value
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
Going out of business
The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process credit card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.
How does PCI DSS help protect credit card data?
PCI DSS security standards help significantly reduce the risk of a data breach by helping the entities achieve the following technical and operational goals:
- Network Security
- Card Data Protection
- Continuous Vulnerability Management
- Strong Access Control Measures
- Regular Monitoring and Testing
- Effective Configuration Change Management
- Effective Incident Response Plan
- Physical Security
Beyond avoiding monetary fines and breaches, following PCI security standards and understanding the PCI compliance fee is just good business. Such standards not only help the institution avoid a PCI compliance audit, but help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day.
About RSI Security
RSI is the nation’s premier information security and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI can assist all sizes of organizations in managing IT governance, Risk management and compliance efforts (GRC).