Protect payment card data

By Brendan, Amaris Consultant


Since the first credit card appeared, card payment has spread to become one of the most widely used payment methods in the world. A major challenge in accepting cards is securing the data involved. Major brands, which want to protect their image and reassure their customers, are increasingly attentive to data protection. Brendan tells us about his project to achieve compliance with the existing standard.


  • In a few words, can you describe your project?

I am working for a subsidiary of one of the world's leading nutrition companies, which has shops all over the world. The project, managed out of the IT Security Department, is responsible for achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of criteria introduced by Visa and MasterCard. The aim is to reduce payment card fraud by improving data security at merchants and their suppliers, who have access to, process, transmit or store cardholder information. PCI is not a general legal requirement, but a contractual obligation between the merchant, who accepts the payment, and the acquiring bank, which carries it out.

The card schemes began to impose fines for non-compliance on acquiring banks, which, in turn, fine the merchants. PCI standards are applied worldwide, but are currently more actively pursued in the UK and the US.

PCI DSS is basically a set of around 200 requirements covering a range of areas such as policy, networks, development, logging, intrusion detection, scanning, staff checking, security awareness, user access, patching, anti-virus, physical security, call recording, paper documents and service providers. It is based on the principle of multiple layers of security. It uses industry best practices in many areas and does not really introduce requirements beyond this.

The validation of PCI compliance is on an annual basis; the larger merchants (over 6m transactions per year) need to be audited by a certified PCI auditor, while smaller merchants can complete a self-certification.

The project has three main areas of activity:

     - Reduction of scope by network segregation, through the use of firewalls and approved rule sets, and by changing business processes, including the elimination of unnecessary use of card data and the reconfiguration or replacement of payment equipment in shops

     - Compliance of the in-scope infrastructure and systems, including policies, standards and up-to-date patching

     - Installation and configuration of new intrusion detection, file integrity monitoring, scanning, penetration testing and logging systems.

It is more a program than a project; it involves managing initiatives across all technical support areas, as well as the business areas, and in multiple markets.

We are concentrating initially on 3 markets, which are being audited by a Qualified Security Assessor, a PCI specialist auditor:

     - Switzerland, which houses the central service operations

     - UK, where the banks are most active in requiring PCI

     - France, the single largest market.

The project has been running for some time; Amaris joined at the beginning of 2011 and will manage it until 2012.
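The scope-reduction and logging activities listed above both depend on knowing where card data actually sits, including places it should never be, such as application logs. As an added illustration (this is not code from Brendan's project or from Amaris), the following Python script scans constructed sample log lines for card-number candidates, screens out lookalikes with the Luhn check that all payment card numbers satisfy, and masks confirmed numbers down to the last four digits. The log format and every number in it are invented for the example.

```python
import re

# Constructed sample log lines for the example; the format and numbers are
# invented.  Line 1 holds a Luhn-valid test PAN, line 2 a 16-digit reference
# that fails Luhn, line 3 a PAN written with spaces, line 4 an already-masked
# PAN.
SAMPLE_LOG = [
    "2011-03-02 10:15:01 order=4471 card=4111111111111111 status=approved",
    "2011-03-02 10:15:07 order=4472 ref=1234567812345678 note=internal",
    "2011-03-02 10:16:22 order=4473 card=5500 0000 0000 0004 status=declined",
    "2011-03-02 10:17:00 order=4474 card=****1111 status=approved",
]

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.  Shorter runs (dates, order ids) and
# longer runs are ignored.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

KEEP_LAST = 4  # digits left visible after masking


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate):
    """Strip the separators the regex allowed, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(line):
    """Return the Luhn-valid card numbers (digits only) found in one line."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_line(line):
    """Replace every Luhn-valid candidate with a masked form, keep the rest."""
    def repl(m):
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - KEEP_LAST) + digits[-KEEP_LAST:]
        return m.group(0)
    return CANDIDATE_RE.sub(repl, line)


def scan_log(lines):
    """Return (number of lines containing a PAN, list of masked lines)."""
    hits = 0
    masked = []
    for line in lines:
        if find_pans(line):
            hits += 1
        masked.append(mask_line(line))
    return hits, masked


if __name__ == "__main__":
    hits, masked = scan_log(SAMPLE_LOG)
    print("lines containing card data: %d" % hits)
    for line in masked:
        print(line)
```

The Luhn filter is what keeps a scan like this useful on real logs: reference numbers, IMEIs and timestamps produce many 13- to 19-digit runs, and only about one in ten of them passes the check by chance. Anything the scan flags is evidence that card data is leaving the intended payment path, which is exactly the kind of finding that widens PCI scope until the logging is fixed.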

  • What are the context and the objectives?

Recently, there have been many stories in the press of data breaches at merchants and payment processors involving millions of credit cards, resulting in losses of millions of dollars for banks and merchants. The best known of the data breaches are TK Maxx in 2009, and Sony in 2011, which alone involved over 100m payment cards.

The objective is to achieve compliance with PCI DSS globally. But, in this situation, the obligation is between each market (usually a country) and the local acquiring bank. The latter provides the merchant account, which allows card payment. Our client is not one global entity in terms of PCI profile. This means that there is not one single compliance validation exercise involved. Priority is given to the higher profiles and larger markets. The business is multi-channel, with eCommerce, call centres and boutiques, each handling payment cards through different systems. The eCommerce system and the main system for the call centres are centrally supported in Switzerland, and these central systems must be PCI compliant in order for the individual markets to achieve their compliance.

  • What are your role and the Amaris contribution in that project?

I am PCI Project Manager and responsible for bringing together all the various activities, across many teams and many markets; that includes dealing with the outsourced call centres and IT support providers. This is my third PCI project; I have previously worked for one of the largest retailers in the UK and then for a global web-based gambling company. My previous experience in identifying issues and possible solutions was of great value for this project. The technical aspects of the project are handled by the experienced IT security staff.

  • What do you get out of that experience?

The interesting thing for me is the multi-channel global scale of our client, with local markets that manage many aspects of the business. I also had the opportunity to visit Paris, New York and many parts of the UK to assess the status of PCI compliance in the local markets.