PCI DSS Compliance

Interested in PCI DSS compliance? Do you need to comply with the Payment Card Industry (PCI) Data Security Standard (DSS)? A merchant, service provider or bank that processes any cardholder data, needs to know about PCI DSS and what is means for them.

What does it apply to?

It applies to cardholder data, which broadly includes the:

1. 13-16 digit number on the payment card itself (the PAN), and
2. the cardholder name, service code, or validity dates if you process them in conjunction with the PAN.

Some of that data can be personal information as defined by POPI.

Who does PCI DSS apply to?

It applies to any organisation that stores, processes or transmits cardholder data, including merchants and service providers. Remember that “processing” is very broadly defined by POPI.

Merchants are organisations directly involved in the processing, storage, transmission and switching of:

1. transaction data,
2. cardholder information, or
3. both.

Service Providers are not directly involved in (i) to (iii) above, but includes organisations who:

• provide services to merchants, or
• control the security of cardholder data, or
• could impact the security of cardholder data in other way.

Bottom line

The Payment Card Industry Data Security Standard (PCI DSS) applies globally to all entities, regardless of their size, that process debit or credit card information, including all merchants and service providers who process, transmit or store cardholder data.

Introduction: PCI DSS and PCI DSS Council

Each of the different individual card companies initially had their own independent security programs to protect and secure the personal data that was handled and held by them. The five major card companies however formed the PCI DSS Council (the Council) in 2006 to develop a global security standard for the safe handling of all card information, namely the Payment Card Industry Data Security Standard. The Council is an independent body that manages and maintains the PCI DSS. The PCI DSS assists merchants, service providers and other card processors that store, process or transmit cardholder data, with the safe handling of sensitive cardholder information. The security of cardholder data and the unauthorised or fraudulent use of data have been a constant concern to the Payment Industry in the past and as a result, the Standard details general security measures for data security and consists of 12 requirements to be adopted globally by all processors of card data. It comprises six high-level objectives, broken down further into 12 individual (mandatory) requirements.

Over and above the current version of the PCI DSS, v3, the other important documents that have been released by the Council include the PCI Audit Procedures and Reporting, the PCI Data Security Scanning Procedures and the PCI Self Assessment Questionnaire.

Enforcing PCI DSS

The PCI DSS is not law in South Africa – it is merely a standard. As King III™ so clearly states you must comply with all applicable laws and you should consider adhering to related rules, codes or standards. The Council, a regulator or the police are not going to come after you for failing to comply with PCI DSS.  The Standard is however enforceable by the Card Brands (American Express, Discover Financial Services, JCB International, MasterCard, Worldwide and Visa Inc) on contractual grounds. The question you need to ask yourself is – Have we agreed to comply with PCI DSS with anyone? If you have and you fail to comply with PCI DSS you will be in breach of contract. The Council does not mandate compliance, but relies on the banks that issue the cards to enforce the requirements of the PCI DSS.

Consequences of Non-Compliance

Non-compliance may result in penalties, or the suspension or revocation of an organisation’s right to accept or process card transactions. The implications of a suspension or revocation are severe: customers simply expect nowadays that merchants will accept payment by card.

PCI DSS Objectives and Requirements

The standard comprises 6 high-level objectives, broken down into 12 individual (mandatory) requirements.

The 6 objectives are to:

1. build and maintain a secure network;
2. protect cardholder data;
3. maintain a Vulnerability Management Program;
4. implement strong access control measures;
5. regularly monitor and test networks;
6. maintain an Information Security Policy.

Meeting the following 12 individual requirements will ensure compliance with the Standard:

1. Install and maintain a firewall configuration to protect cardholder data;
2. Do not use vendor-supplied defaults for system passwords and other security parameters;
3. Protect stored cardholder data;
4. Encrypt transmission of cardholder data across open, public networks;
5. Use and regularly update anti-virus software;
6. Develop and maintain secure systems and applications;
7. Restrict access to cardholder data by business need-to-know;
8. Assign a unique ID to each person with computer access;
9. Restrict physical access to cardholder data;
10. Track and monitor all access to network resources and cardholder data;
11. Regularly test security systems and processes;
12. Maintain a policy that addresses information security.

You can download a great quick reference guide from the Council.

PCI DSS Compliance

Although the different card brands (like VISA and Mastercard) have independent programs and criteria to determine compliance, the programs of both brands are based on a validation system with:

1. specific requirements for (a) merchants and (b) service providers, and
2. different levels of merchants according to the number of annual transactions processed.

In general, it will be expected from merchants and service providers to develop and apply a formal compliance structure (an audit) and to undertake self-assessments on a regular basis. Organisations that have been pre-approved by PCI DSS, namely Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) can assist entities with the assessment of their compliance.

PCI DSS compliance may also result in entities complying with the following different requirements in terms of South African laws and standards:

• The Common law ‘duty of care’
• Electronic Communications and Transactions Act 25 of 2002: section 43(5) requires entities to utilise a payment system that is sufficiently secure with reference to accepted technological standards
• SANS 27001
• King III™ Information Security Best Practice Guide

Data Protection and PCI DSS Compliance

If you comply with PCI DSS you will probably comply with the conditions for lawful processing of personal information in the Protection of Personal Information Act (POPI) when it comes to cardholder data. It therefore makes sense to consider PCI and POPI at the same time. But remember PCI only applies to cardholder data, whilst POPI applies to personal information – a much bigger category of information. POPI is much bigger than PCI.

The other thing to remember that the penalties for not complying with POPI regards account numbers are greater than other kinds of personal information. You should focus on lawfully processing account numbers in accordance with POPI.  And cardholder data in accordance with PCI.

Conclusion

The due date for PCI DSS compliance for the majority of entities has lapsed already.  You should:

1. determine whether you are required to adhere to the PCI DSS,
2. check with your bank which deadlines and penalties apply to you,
3. take immediate steps to determine your current status of compliance,
4. if necessary, implement internal policies and procedures to ensure that all 12 requirements are met,
5. check what the overlap is with your efforts to comply with POPI to try to kill two birds with one stone.

Although penalties have in the past mostly been awarded in instances where actual loss of data occurred, all entities not complying with the PCI DSS run the risk of penalties, and the suspension or revocation of their right to process payment cards.