PCI DSS: the end is more important than the means

After making its mark in the US and the UK, the Payment Card Industry Data Security Standard (PCI DSS) has its sights on the rest of the world, writes...

After making its mark in the US and the UK, the Payment Card Industry Data Security Standard (PCI DSS) has its sights on the rest of the world, writes Roger Rawlinson, director of consultancy at NCC Group.

While the younger markets in the Far and Middle East may find compliance relatively easy to achieve, older systems in the EU are likely to require a huge amount of financial investment. This will be one of the greatest technical challenges that retailers in particular have faced in recent years - PCI DSS is notoriously difficult to understand and implement correctly.

Look, for example, at our big supermarkets, which are increasingly spreading their international wings, often through acquisition rather than by building new stores. Many will have a tilling solution across every store that is out of date from the point of view of PCI DSS, and that is unable to deal with the collection, holding and transmission of data securely enough. If replacing each till costs €500 and there are thousands of tills across the chain in Europe, the bill will run to millions.

The thing that many people don't realise is that the standard does, in reality, offer some room for manoeuvre. It is important that businesses - and, indeed, consultants - are pragmatic in the way they understand and implement the standard and its requirements, looking at the threat and seeing if the risk can be mitigated through appropriate countermeasures. For example, many older tills will not support antivirus software, but this can be implemented across the network with careful controls to fulfil the requirements of the standard.

With some of the organisations we work with, the first task is to change the way of working, not to replace every piece of technology in the business. In the retail sector in particular, many businesses use credit card data as the main form of customer identification.

The issue can be resolved technically simply by masking the credit card number and/or by using end-to-end encryption, so that staff never see the digits behind the stars.

The technological issues, then, while a challenge are not insurmountable. But companies then need establish better ways of identifying customers, and this is the real frustration. Credit card numbers are used by so many companies in so many instances that it is a hugely complex task to untangle the data from the network. If you pay for a parking space on your card, your credit card identifies you when you leave the car park; if you're travelling by train, it's your credit card number that secures your ticket.

It is vital that businesses stop using this as a means of identification and begin the move towards tokenisation, using a representative number to replace the credit card. As it stands, consultants like me need to discover every last piece of cardholder data in an environment. When they are hidden in every corner of the business it's a huge issue - not only in terms of time and cost wasted, but also in terms of threats to security.

In theory, a large part of the standard can be met by way of so-called 'compensating controls'. In reality, of course, the number of compensating controls needs to be manageable. The intent of the standard is more important than the detail, and as long as customer data can be proved to be safe, there are a number of ways in which compliance can be achieved without necessarily following the rules slavishly. What is needed, however, is a greater awareness of the need to protect customer data - companies need urgently to look at new ways of working to reduce the risk of a catastrophic security event.

Read more on IT legislation and regulation

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.