How Should Large Organizations Achieve and Maintain PCI Compliance?
Since 2006, the PCI Security Standards Council (PCI SSC) has managed the evolution of the Payment Card Industry Data Security Standard (PCI DSS). It does this by frequently assessing and updating the standard through collaboration with participating organizations. In order to help organizations achieve and maintain PCI compliance, it also releases information supplements, for example 2019 saw an updated version of the Protecting Telephone-Based Payments Supplement (an overview of this can be found here.)
In February, the first information supplement for large organizations was released. By nature, large organizations tend to have more complicated networks. Therefore, understanding their PCI DSS scope and responsibilities can be challenging to manage. So, what exactly does this supplement advise to achieve and maintain PCI compliance? Well, it can be broken down into four broad categories – Identify, Record, Report and Maintain.
Section 4.1 states that ‘To ascertain who has ownership of PCI DSS compliance activities, large organizations should first determine where the organization performs payment card functions.’ Initially this may seem obvious and the supplement acknowledges that most large organizations will already have a plan in place for this, but it can prove difficult. There could be multiple physical locations, payment channels or even franchises which all need to be considered. Along similar lines, large organizations need to determine the roles, responsibilities, and ownership of PCI compliance amongst employees. The challenge for large organizations is that misunderstandings and varying interpretations can lead to lapses in compliance. It is therefore just as important to clearly define and allocate responsibilities for PCI DSS to the correct employee(s.) Table one of the supplement lists roles and teams and gives examples of where PCI DSS responsibility lies for each as a way of steering this.
Section 7 states ‘conducting multiple different audit processes may require evidence to be provided from a common set of assets, which risks that the requested evidence may not be consistent and results in a potentially considerable amount of duplicated effort.’ How do large organizations manage PCI compliance without duplicating effort? By maintaining a ‘centralized oversight of PCI DSS compliance activities’ as described in section 4. By having an omniscient view, large organizations should be able to identify where these instances could occur and, just as importantly, identify if there are any lapses in compliance easier than if business units are siloed. This ensures accountability and responsibility within different business units are aligned and that the entire organization remains compliant. Table two lists some examples of common documents and how they can determine ownership. Interestingly several of the documents mentioned in section 4.3 are useful for planning and evidence for PCI assessments, further highlighting how valuable record keeping is key to maintaining PCI compliance throughout the year.
It’s common for organizations to have several different payment channels. For example, a retailer could take card payments in store, via their website and in their contact centres via telephony or digital channels which will all fall into scope of PCI DSS. Each channel will require a different SAQ, and some will need third party assessment. Large organizations can also have the added complexity of having to validate compliance to multiple acquirers who all have different compliance programs, for example, larger organizations who acquire other businesses could have more than one merchant bank to consider. It is possible therefore, that there can be multiple payment channels and multiple acquirers to consider. Section 6 of the supplement reiterates the need to for organizations to be clear on their compliance validation obligations. To do this, it recommends large organizations should contact all acquirers to understand their obligations and to know which SAQ(s) they need to complete.
Section 9 states that ‘Large organizations often have a wide variety of networks, hardware, system types, server types, and operating systems (OS) that are distributed over multiple locations and exist in large groups,’ Large organizations should treat PCI compliance as a year-round process (e.g. through assessment, controls, patch management….)
But what about people? Some functional roles (i.e. infosec, data protection) require a sound knowledge of PCI DSS by default. But PCI compliance extends out beyond these roles, so what is the best approach to train other staff and create a human firewall? Section 8 recommends relevant training for various roles and teaching the essentials for example contact centre agents will only require training in relation to the processing of payments to adhere to PCI DSS.
Beyond PCI DSS
Large organizations need to be aware of what legislation and regulation is applicable to them, especially if they have a global presence. The final word, Section 10, covers Additional Standards and Frameworks. PCI DSS can complement other standards to assist with compliance and vice versa. Examples of this are the GDPR in Europe, which is concerned with protecting personal data such as credit card information, and The National Institute of Standards and Technology’s Cybersecurity Framework NIST in the US, which is concerned cybersecurity to prevent the loss of data.
People, Process and Technology
Since 2006 the primary focus of PCI DSS has been heavily focused on the storage of credit card data. This changed in 2019, and the PCI SSC highlighted a shift in focus to concentrate on PCI compliance, which incorporates People, Process and Technology as the underlying principles. As a first version, this supplement incorporates those principles from the outset. But it also goes further by breaking it down into smaller steps. The message is that for any large organization which accepts credit card payments:
- People – Identify which roles in your organization are pertinent to PCI compliance. Ensure responsibilities are clearly defined and understood, and that the correct and relevant training is given to relevant staff.
- Process– Map where cardholder data is present in your organization. Keep records of documents as proof of compliance. Centralize how this is overseen to ensure no lapses or duplication of effort. Treat PCI compliance as a year-round process through audits and regular testing.
- Technology – Map which technologies fall into scope of PCI DSS. Discuss with your acquiring bank(s) what your obligations are to achieve PCI compliance in relation to these and which SAQs you need to complete. Ensure compliance year-round by installing updates and taking precautions such as changing passwords regularly.
Large organizations face unique challenges in that by their nature there are lots of moving parts to consider in relation to PCI compliance. Because of this it can be difficult to achieve and maintain PCI compliance year-round as non-compliance could cost organizations dearly. It is therefore important that large organizations take PCI compliance seriously and, where possible, descope as much of their organization as possible.
Download our Top Ten Tips infographic for a practical guide on what large organizations should focus on.