With several high-profile
data breaches in the news over the past year, the issue of data
security is once again prominent in the minds of payment players.
Victoria Conroy looks at the challenges of securing data and the
benefits of managed services with two industry
Cyber crime is continually evolving
and no more so than in the area of payment card fraud, particularly
online. Although several solutions such as two-factor
authentication and EMV have been put in place, perhaps the most
widespread anti-fraud initiative is that of the Payment Card
Industry Data Security Standard (PCI DSS) requirements, which
govern the storage of cardholder data.
But with many high-profile data
breaches having occurred over the past few years, just how
effective are the standards, and what other solutions are emerging
in the marketplace?
EPI spoke to Dave
Whitelegg, IT security manager at Capita Software Services, and Ian
Rutland, director of marketing and communications at Commidea, two
of Europe’s largest payment processing service providers, to throw
some light on the most pressing issues.
EPI: With recent
high-profile data breaches at merchants/payment processors making
the news, even in some organisations that were considered PCI DSS
compliant, just how fit for purpose is PCI DSS, and do the card
schemes Visa and MasterCard need to put more stringent compliance
requirements in place?
Dave Whitelegg (DW): There
haven’t been any data breaches reported of an organisation that was
fully PCI DSS compliant at the time of the incident, which suggests
that the framework is working well. Maintaining PCI DSS compliance
is a 365-days-a-year, 7-days-a-week task.
Although the assessment is
undertaken once a year, in practice achieving and maintaining
compliance should be an ongoing process.
PCI DSS has moved beyond suggested
best practice and is now mandatory. Any organisation that is
subject to a data breach that was not at the time proven to be PCI
DSS compliant risks hefty fines.
They could also be accountable for
reimbursing the costs of the security forensics teams, the consumer
for the amount fraudulently obtained and reissuing replacement
cards to consumers. The risk of non-compliance also goes beyond
It can often be very difficult for
a brand to recover its reputation and regain customer loyalty.
Ian Rutland (IR): PCI DSS is a
continually evolving standard and as newer risks become apparent
and the industry learns from experience, the standards change. It
is the PCI Standards Council and Board of Advisors that sets the
standards and they were originally formed by the major schemes. But
there are other participants in the standards council.
Prior to the set-up of the council,
Visa, MasterCard, Amex and so on had their own standards which were
slightly different. The idea was to give the industry a set of
global standards that everyone had to comply with.
Visa and MasterCard certainly had a
very heavy influence over how these were developed, but they’re not
the only people who are responsible for how they are formulated.
The PCI Standards Council is effectively an independent body.
When an organisation, whether it is
a retailer or a card processor or a bank, is assessed for PCI
compliance, at the time you are assessed, you are found to be
either compliant or non-compliant with those standards.
Let’s say on day one you are found
to be compliant, there is nothing to say that three weeks later you
still will be. It’s not an ongoing guarantee. You continually have
to be ensuring that your business is adhering to the standards and
maintaining your defence.
One of the most ironic things I’ve
often heard spokespeople from the card schemes say is that no
compliant bank, merchant or processor has ever been breached.
That’s slightly disingenuous because the schemes argue that it was
only at the point at which an organisation was breached that they
When someone is assessed for PCI
compliance, it is more akin to a risk assessment and how you are
controlling the risks, rather than a very detailed and almost
forensic investigation into the integrity of your systems.
There are many of us in the
industry who would be happier if there were even more stringent
assessment procedures because that will always favour those players
in the market that are investing heavily to ensure they are doing
all the right things.
EPI: What are the
benefits of a managed PCI DSS service in terms of cost savings and
efficiency for an organisation?
DW: A managed service provider removes the burden of an
organisation maintaining onsite infrastructure, whether that is
hardware or software.
There are significant costs
involved in achieving and maintaining PCI DSS compliance. Any
organisation using an onsite card processing solution would need to
make significant investment in dedicated and suitably qualified
in-house resource in order to achieve annual certification and
ensure year-round compliance.
By removing the cardholder data
from an organisation’s network, much of the PCI DSS responsibility
is delegated to the managed service provider – although this is
only true for the data that they process. It would also be
essential for organisations to source a PCI DSS-certified solution
provider in order to recoup the benefits of reduced
A managed service provider can
often deliver a high spec solution more efficiently, with expert
support, than an organisation would have access to internally.
Also, the sheer volume of
transactions that a managed service provider processes over the
course of a month means they can negotiate a reduction on the costs
per individual transaction processed on behalf of their
IR: The issue for retailers who have historically
maintained their own insourced solution is that the major burden of
maintaining PCI DSS compliance sits with them. Many of them are now
questioning whether data management and security is one of their
Financially, by using a managed
service, the benefits can be absolutely huge. They clearly vary
from merchant to merchant, but I know from some of my experience in
dealing with the major retailers that the costs that can be avoided
run into multi-million pound sums.
There is the initial cost of
gaining compliance, and many of these retailers have old legacy
systems that require a lot of intervention and upgrading of
hardware and software to bring them close to compliance.
Then they have the ongoing cost of
maintaining their compliance, and as the standards evolve, the
requirements become more rigorous. If you outsource that then
clearly you’ve passed the challenge of maintaining that to someone
For retailers there is also the
opportunity cost to consider. If you’re having to spend many
millions of pounds on achieving PCI DSS compliance, you’re probably
diverting those IT investment dollars from more customer-centric
and profitable areas.
There really are significant cost
savings in moving down the managed service route.
EPI: Is there a case
for implementing end-to-end encryption or is this too costly or
complex to implement on a widespread basis?
DW: End-to-end encryption is not a silver bullet – it is still
early days. For the solution to work successfully, it requires the
use of multiple systems that are compatible with each other and
standards will again have a role to play.
We would expect a “wait and see”
approach to discover how the end-to-end encryption develops and,
perhaps, when a few major players have implemented it, then we will
see more organisations following suit.
IR: One of the reasons I think that
there is absolutely a case for this is that it simplifies a
merchant’s compliance, which in turn can reduce the scope of the
cardholder data that they have to manage.
If you’re using a good encryption
solution that effectively eliminates sensitive cardholder data from
your entire network, you can simplify your compliance requirements
by removing whole chunks of your systems from the PCI DSS
In an ideal world, point-to-point
encryption would start at the point a card is inserted into a
terminal or PIN entry device, and the data would remain encrypted
through any service provider involved, through the acquirer, out to
the card schemes and then to the card issuer who is doing the
authorisation on that transaction, who unencrypts it and sends the
response back in encrypted form, which then gets unencrypted again
at the terminal.
That’s probably not foreseeable in
the near future because you’re talking about having a
point-to-point solution that works across a global network of
banks, card schemes and processors.
Already at Commidea, we can move
the end point of the encryption of the data right into the
acquirers’ technical infrastructure and place our decryption point
within their infrastructure, so the first time cardholder data
becomes unencrypted is when it is with the merchant’s bank.
This will further minimise the risk
from a merchant’s perspective. Additionally, because you can take
the solution as a managed service, you haven’t got lots of upfront
costs and capital investment in things like hardware security
modules. People only really started moving to point-to-point
encryption within the last 12 months.
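As an added illustration of the scope-reduction point made above (this is example code written for this page, not code from Commidea, Capita or the original article), a small Python PAN-discovery check of the kind used to confirm that cardholder data has really left a merchant's systems: it scans constructed log lines for Luhn-valid card numbers, so a legacy in-house log carrying plaintext PANs is flagged as in scope, while a P2PE-style log carrying only ciphertext and masked PANs is not. The log lines, PANs and field names are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, the same check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in text. Masked PANs (411111******1111)
    never match because the mask characters break the digit run, and
    reference numbers or timestamps are dropped by the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def in_scope(lines) -> bool:
    """A system whose logs contain a full PAN is inside PCI DSS scope."""
    return any(find_pans(line) for line in lines)

# Constructed sample logs (not from the page). The legacy lines use well-known
# test PANs; the P2PE lines show only ciphertext from the PIN entry device
# plus a masked PAN, which is all the merchant network would see.
LEGACY_LOG = [
    "2010-09-01 12:30:45 POS-07 auth pan=4111111111111111 exp=1212 amount=1999 ref=20100901123045",
    "2010-09-01 12:31:02 POS-07 auth pan=5555 5555 5555 4444 exp=0311 amount=450 ref=20100901123102",
]
P2PE_LOG = [
    "2010-09-01 12:30:45 POS-07 auth ct=QkFTRTY0X0NJUEhFUlRFWFRfU0FNUExF masked=411111******1111 amount=1999",
    "2010-09-01 12:31:02 POS-07 auth ct=U0VDT05EX0VOQ1JZUFRFRF9CTE9C masked=555555******4444 amount=450",
]

if __name__ == "__main__":
    print("legacy log in scope:", in_scope(LEGACY_LOG))   # True
    print("P2PE log in scope:", in_scope(P2PE_LOG))       # False
```

The same scan run over file shares, databases and backups is how assessors check that "removing cardholder data from the network" actually happened rather than being assumed.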
EPI: What are the
benefits of placing cardholder data within a specialist managed
function rather than an extension of information and communication
technology service provisions?
DW: Achieving and maintaining PCI DSS compliance is a large
undertaking and there are very few organisations – either in the
private or public sector – that would have the budget, resources
and expertise to dedicate to this.
With another version of PCI DSS due
out at the end of September 2010, organisations will be required to
review and update their processes accordingly. There is much to
gain from outsourcing the expense and demands on resources.
IR: From a card payments and card
data perspective, one of the biggest challenges for some of the
tier one retailers is that historically they have always regarded
this as a core activity that they undertake and they’ve insourced
all that activity.
For them to make a leap of faith
and use a managed service is quite a big one, and a number of them
have looked at setting up stand-alone entities within their own
groups to manage the cardholder data.
But the challenge that still
remains for them is that, depending on how they collect that
cardholder data and transmit it to that entity within their group,
they could still end up with all of their businesses still being in
full scope of PCI DSS.
The utilisation of a third party
may enable them to take more of the complexity and cost of
achieving and maintaining PCI compliance out of their lives.
The schemes and the law enforcement
agencies have a massive role to play. They become aware of real and
potential risks much earlier and more frequently than other players
in the market. I think they’ve got a major role to play in
improving the dissemination of that information to all players in
the value chain to continually upgrade their defences.
Visa, for example, has a very good programme of communication
with payment service providers and processors like ourselves in the
US, but they haven’t replicated that in the other major markets.
There is a great opportunity for the communication around real and
potential threats to be improved.