Continuous monitoring the key to compliance with new security standard
Continuous security monitoring is the key to compliance with the new Payment Card Industry Data Security Standard (PCI DSS), as well as with GDPR. Failing to comply with one will mean failing to comply with both.
When the Information Commissioner’s Office (ICO) recently fined DSG Retail Ltd – owner of Currys and PC World – it sent a signal to retailers that it would act harshly against any business failing to adequately secure ‘point of sale’ computer systems that handle customer data.
The security breach compromised the credit card details of some 14 million people after ‘point of sale’ malware was installed on more than 5,000 tills over nine months. The stolen data, including names, postcodes, email addresses, failed credit check information and the details of 5.6 million payment cards used in transactions, exposed customers to significant risk of follow-on identity fraud and financial theft.
The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and a lack of both network segregation and routine security testing.
Fortunately for the retailer, the breach occurred in 2017, prior to the introduction of GDPR. Consequently, the ICO was only able to impose the maximum fine of £500,000 available under the former Data Protection Act 1998. But the office warned the fine would have been “much higher” had the breach occurred under GDPR.
Breaching PCI DSS rules
Along with failing to comply with data protection regulations, DSG Retail also breached the PCI DSS requirements covering ‘point of sale’ credit card security. Failure to comply with PCI DSS can carry its own penalties: financial sanctions, and procedural requirements such as a forensic audit carried out at the non-compliant company’s cost. If the business is found to be a serial offender, its ability to accept credit cards may eventually be revoked.
Nevertheless, DSG Retail should consider itself lucky it avoided a double whammy of GDPR fines and the additional scrutiny that is due when the updated PCI DSS 4.0 comes into force later this year. The resulting fine and sanctions would have been far more serious for the company.
Unfortunately, the DSG Retail failure to comply with PCI DSS and data protection regulations is common among organisations globally. Network service provider Verizon recently reported that compliance had dropped for a second year in a row, from 52.5% in 2018 to 36.7% in 2019. And in 2018 a whopping $24 billion was lost globally to payment card fraud.
While some commentators claim that merchants and service providers do abide by the rules of the PCI DSS standard through a once-a-year assessment of its requirements, others say that the decline, or total absence, of security monitoring between assessments is responsible for the rise in breaches and credit card fraud. Annual assessments – known as the point-in-time approach – tend to leave businesses wide open to security breaches in the interim.
Consequently, many in the industry claim there is an urgent need for ongoing security oversight – and this is expected to be addressed in the 4.0 update. A continuous security posture avoids the “crunch time” compliance deadlines (otherwise known as the “headless chicken” scenario) that so often precede the annual assessment by a Qualified Security Assessor (QSA).
A point-in-time compliance approach tends to downplay the urgent requirement for ongoing security oversight. This lack of continuous security maintenance contributes to a failure to apply security procedures consistently across the company’s people, processes and technologies. With a methodology that builds security into normal business operations, organisations can take an entirely different approach and comply with PCI DSS and GDPR at the same time. It will help them to mitigate, or even eliminate, risk and lapses in their compliance posture throughout the year.
What to expect in PCI DSS 4.0
So it is no surprise that the next iteration of the PCI DSS standard will focus on strengthening security and adding flexibility. It will take into account the world of cloud technologies, AI and emerging cyber security threats, focusing on the benefits of ongoing, real-time compliance management to reduce risk and avoid data breaches.
Under 4.0 the 12 key PCI DSS requirements will remain the same, but new requirements will address these evolving risks and threats to payment data and reinforce security as a continuous process. Furthermore, all requirements will be redesigned to focus on security objectives. With 4.0, the PCI Council is evolving PCI DSS to support a range of payment environments, technologies and methodologies for achieving security. The requirements will be written as outcome-based statements, focused on the implemented security control as the end result rather than on any one prescribed way of achieving it.
While many companies will continue to flout the PCI DSS standard, they will no longer be able to hide behind the point-in-time assessment approach. Continuous monitoring means exactly that – constant vigilance across the organisation to ensure security remains the highest priority. And with many jurisdictions across the world now deploying their own versions of GDPR, businesses that fail to comply with PCI DSS requirements will likely also fall foul of increasingly stringent data protection laws. Ignoring 4.0 will mean failing to comply with more than just PCI DSS in the future.