Since 2006, the PCI Security Standards Council (PCI SSC) has managed the evolution of the Payment Card Industry Data Security Standard (PCI DSS.) It does this by frequently assessing and updating the standard through collaboration with participating organisations. In order to help organisations to achieve and maintain PCI compliance it also releases information supplements, for example 2019 saw an updated version of the Protecting Telephone-Based Payments Supplement (and overview of this can be found here.)
In February, the first information supplement for large organisations was released. By nature, large organisations tend to have more complicated networks so understanding their PCI DSS scope and responsibilities can be complicated to manage. So, what exactly does this supplement advise to achieve and maintain PCI compliance? This can be mainly broken down into four broad categories – Identify, Record, Report and Maintain.
Section 4.1 states that ‘To ascertain who has ownership of PCI DSS compliance activities, large organisations should first determine where the organisation performs payment card functions.’ Initially this may seem obvious and the supplement acknowledges that most large organisations will already have a plan in place for this, but it can prove difficult. There could be multiple physical locations, payment channels or even franchises which all need to be considered. Along similar lines, large organisations need to determine the roles, responsibilities, and ownership of PCI compliance amongst employees. The challenge for large organisations is that misunderstandings and varying interpretations can lead to lapses in compliance. It is therefore just as important to clearly define and allocate responsibilities for PCI DSS to the correct employee(s.) Table one of the supplement lists roles and teams and gives examples of where PCI DSS responsibility lies for each as a way of steering this.
Section 7 states ‘conducting multiple different audit processes may require evidence to be provided from a common set of assets, which risks that the requested evidence may not be consistent and results in a potentially considerable amount of duplicated effort.’ How do large organisations manage PCI compliance without duplicating effort? By maintaining a ‘centralised oversight of PCI DSS compliance activities’ as described in section 4. By having an omniscient view, large organisations should be able to identify where these instances could occur and, just as importantly, identify if there are any lapses in compliance easier than if business units are siloed. This ensures accountability and responsibility within different business units are aligned and that the entire organisation remains compliant. Table two lists some examples of common documents and how they can determine ownership. Interestingly several of the documents mentioned in section 4.3 are useful for planning and evidence for PCI assessments, further highlighting how valuable record keeping is key to maintaining PCI compliance throughout the year.
It’s common for organisations to have several different payment channels. For example, a retailer could take card payments in store, via their website and in their contact centres via telephony or digital channels which will all fall into scope of PCI DSS. Each channel will require a different SAQ, and some will need third party assessment. Large organisations can also have the added complexity of having to validate compliance to multiple acquirers who all have different compliance programs, for example, larger organisations who acquire other businesses could have more than one merchant bank to consider. It is possible therefore, that there can be multiple payment channels and multiple acquirers to consider. Section 6 of the supplement reiterates the need to for organisations to be clear on their compliance validation obligations. To do this, it recommends large organisations should contact all acquirers to understand their obligations and to know which SAQ(s) they need to complete.
Section 9 states that ‘Large organisations often have a wide variety of networks, hardware, system types, server types, and operating systems (OS) that are distributed over multiple locations and exist in large groups,’ Large organisations should treat PCI compliance as a year-round process (e.g. through assessment, controls, patch management….)
But what about people? Some functional roles (i.e. infosec, data protection) require a sound knowledge of PCI DSS by default. But PCI compliance extends out beyond these roles, so what is the best approach to train other staff and create a human firewall? Section 8 recommends relevant training for various roles and teaching the essentials for example contact centre agents will only require training in relation to the processing of payments to adhere to PCI DSS.
Not Just PCI DSS
Large organisations need to be aware of what legislation and regulation is applicable to them, especially if they have a global presence. The final word, Section 10, covers Additional Standards and Frameworks. PCI DSS can complement other standards to assist with compliance and vice versa. Examples of this are the GDPR in Europe, which is concerned with protecting personal data such as credit card information, and The National Institute of Standards and Technology’s Cybersecurity Framework NIST in the US, which is concerned cybersecurity to prevent the loss of data.
People, Process and Technology
Since 2006 the primary focus of PCI DSS has been heavily focused on the storage of credit card data. This changed in 2019, and the PCI SSC highlighted a shift in focus to concentrate on PCI compliance which incorporates People, Process and Technology as the underlying principles. As a first version, this supplement incorporates those principles from the outset. But it also goes further by breaking it down into smaller steps. The message is that for any large organisation which accepts credit card payments:
- People – Identify which roles in your organisation are pertinent to PCI compliance. Ensure responsibilities are clearly defined and understood, and that the correct and relevant training is given to relevant staff.
- Process– Map where cardholder data is present in your organisation. Keep records of documents as proof of compliance. Centralise how this is overseen to ensure no lapses or duplication of effort. Treat PCI compliance as a year-round process through audits and regular testing.
- Technology – Map which technologies fall into scope of PCI DSS. Discuss with your acquiring bank(s) what your obligations are to achieve PCI compliance in relation to these and which SAQs you need to complete. Ensure compliance year-round by installing updates and taking precautions such as changing passwords regularly.
Large organisations face unique challenges in that by their nature there are lots of moving parts to consider in relation to PCI compliance. Because of this it can be difficult to achieve and maintain PCI compliance year-round as non-compliance could cost organisations dearly. It is therefore important that large organisations take PCI compliance seriously and, where possible, descope as much of their organisation as possible.
Download our Top Ten Tips infographic for a practical guide on what large organisations should focus on.