The Global Payments data security
breach has prompted many questions around card data security
standards. With the company still processing transactions despite
being removed from various networks’ registries, Duygu Tavan asks:
What is the point of PCI DSS compliance for
processors?
After Global Payments
admitted to a significant data breach last month, Visa announced
that it had taken the processor off its register of service
providers that meet PCI Data Security Standards (PCI DSS). Almost a
month on, and Global Payments has admitted that “some card brands”
have followed Visa’s decision and removed the payments processor
from their list of PCI DSS-compliant service providers. It is
unclear yet which other card networks have taken the step, but
MasterCard confirmed that it has done so.
“Global Payments will
continue to process transactions for all card brands,” the company
announced on its website.
And many industry
insiders have voiced their cynicism about these types of issues
surrounding PCI DSS compliance.
PCI DSS expert and QSA
Colin Dixon of consultancy Ascentor explained why Global Payments
is able to continue processing payments despite the
breach.
“Essentially, PCI DSS
compliance is a condition of the contracts that are in place
between the card networks and the acquirer. It is also a condition
of the contracts between the acquirer and the merchant. However, as
a third-party processor, Global Payments is under no such
contractual obligation to Visa,” he says.
“There are only a
handful of payment processing companies, so a card network is not
going to throw them away – which means that any ‘sanctions’ that
may take place are pretty meaningless,” highlights Simon Bain, CTO
of Simplexo, a UK-based technology company focused on
next-generation unified search and secure-access
software.
So what is the point of
having standards like PCI DSS if a company can get away with a slap
on the wrist? Ray Welsh, head of marketing at The Bunker, a data
storage centre in the UK, argues that if payments through the
Global Payments network had been blocked, the parties involved
would have lost business revenue. Customers and merchants would
have gone back to cash.
Simplexo’s Bain blames
the IT industry for the shortcomings of data protection in the
cards and payments industry. “We are the ones that go out to banks
and say we have the security, we are able to implement it for you.
The IT industry is not the only villain in this, but they are on
top of the pile.”
Victims and villains?
Bain next blames the
payment processors. “The problem is the way we do business in the
security and IT industry – we are working very reactively. We try
to combat problems that have occurred, rather than look into the
future and ask where the next problem and breach may come
from.
“I think card networks
are more victims than baddies, but I also think they should feel
very guilty about such a breach. They should absolutely insist that
the information kept on their systems is encrypted. They have the
power and money to change their suppliers – whether that is a
payment processor or IT supplier.”
Welsh agrees with Bain
and says The Bunker sometimes even describes itself as a risk
management company. The Bunker achieved all 12 PCI DSS requirements
in April and uses this certification, but petty penalty fees and a
lack of legal enforcement make PCI issues meaningless, he
says.
“Penalties are quite
insignificant. Non-compliant organisations are maybe fined £50 per
month. If PCI compliance was legislated, security would increase.
The more legislation about PCI, the better. The industry needs a
top-down approach because otherwise the interpretation among
organisations will vary,” argues Welsh.
“The Data Protection Act
would be the piece of legislation that significantly increases
security. At the moment, a breach doesn’t have to be reported. An
organisation would keep as quiet as they possibly can,” he
adds.
Best Practice
This, as in the case of
Global Payments, raises doubts about best practice. Hacks into
systems are not rare. A few days after the Global Payments
breach, a public broadcasting service in the US was hacked and
1,900 records from its database stolen.
The rise of electronic
payments has also led to a rise in hacking. Last year, two
prominent breaches shocked the industry: Citigroup and Sony were
both breached and lost substantial quantities of sensitive customer
data.
“Reporting a breach is
not mandatory; some changes are being discussed on the Data
Protection Act. A Green Paper is going to lead to a consultation
period which would last years if it is to become a legal
requirement, but nobody knows what the outcome of the consultation
period will be,” Welsh says.
“Some companies see
compliance in terms of ‘let’s make the regulator go away’, but
compliance should be a side effect of proper controls and
procedures,” says Philip Lieberman, CEO and president of Lieberman
Software.
“The card networks
themselves take security so seriously, it is often hard to tell
their systems apart from those of government agencies. And that
needs to be followed throughout the supply chain,” he
urges.
You can read the full Global Payments Information
Security Update here.
