Mastering the Payment Card Industry Standard

Private framework seeks to shield credit and debit card account information.

BY BRUCE SUSSMAN
January 1, 2008

EXECUTIVE SUMMARY

Becoming familiar with the Payment Card Industry Data Security Standard is a prerequisite to understanding the regulatory environment in which many businesses that accept credit and debit cards operate.

PCI dovetails with a CPA’s core competencies in attest work, risk management, internal audit support and fraud prevention.

PCI is not a standard affecting only merchants and card issuers. Through its three frameworks, it sets new standards of reasonable care and responsible safeguarding of cardholder data throughout many sectors of the economy. Simply accepting debit or credit cards or outsourcing such functions can trigger responsibilities to safeguard data or properly oversee business partners.

PCI is a different animal from Sarbanes-Oxley or SAS no. 70, Service Organizations, and requires separate investments. Fulfilling the demands of the standard may require sophisticated access control, activity logging and data encryption.

Bruce Sussman, CPA, CISA, CISSP, CBA, is senior manager, risk services, for Crowe Chizek and Co. LLC in Livingston, N.J. His e-mail address is BISussman@crowechizek.com.

In January 2007, TJX Companies Inc. began notifying its customers and business partners along with regulators and law enforcement agencies that it suspected someone had hacked into an area of the company’s computer network that held data from credit card, debit card and check transactions and pilfered sensitive information.

TJX, the parent company of retailers T.J. Maxx and Marshalls, first reported that the hacking might have affected more than 45 million accounts. The tally of affected accounts may be closer to 94 million, according to documents in a lawsuit filed by banks and banking associations against TJX and Fifth Third Bancorp, the bank that handled its card transactions.

The highly visible breach has been costly for the company’s reputation and balance sheet. In September, TJX agreed to settle customer class action lawsuits in the U.S. and Canada related to the security breach. Estimated costs for the settlement and other expenses stemming from the crime were reflected in TJX’s second quarter filing as a charge of $118 million and an estimated future charge of $21 million.

One question asked in the wake of the TJX breach was whether the retailer complied with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the attack. When a card fraud or breach occurs within a business, the five major credit and debit card corporations—Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and Japan Credit Bureau (JCB)—use the standard as the starting point for determining compliance and potential liability.

The standard is now the metric through which global credit and debit card organizations define standards of due care. While complying with the standard is not required by law, businesses of all sizes that accept cards as payment and those that process card transactions must meet the requirements as a condition of doing business with the five major payment card networks. They also must provide each credit card company they work with proof of their compliance with the standard.

Regardless of whether or not a business suffers a data breach, failing to live up to the core data security framework of the standard can, under the terms of a business’s contract with a payment card company, result in sanctions, increased audits or bans prohibiting businesses from issuing or accepting credit or debit cards or otherwise playing a role in such transactions. For financial institutions that authorize a merchant to accept credit card payment, working with noncompliant businesses can result in fines levied by credit and debit card networks.

CPAs who serve financial institutions that play a role in card transactions or merchants that accept credit or debit cards must be knowledgeable about the standard. This article will highlight PCI’s major components and the role CPAs can play in its implementation. This article will also touch on lessons learned from certain high-profile breaches.

THE CPA'S ROLE
In September 2006, Visa, MasterCard, American Express, Discover and JCB formed an independent body, the PCI Security Standards Council, which is managing the evolution of the Payment Card Industry Data Security Standard—the framework that is the focus of this article (see sidebar, “The Anatomy of the Standard,” for information about two additional frameworks within the standard).

The development of the council and the standard is the industry’s response to security lapses and the liabilities that stem from them. The guidelines are also an effort to address public concerns about identity theft and the safety of consumer data.

Merchants, service providers, software providers, Web hosting companies, ATM operators and even managed security providers often fall within PCI requirements. Even small merchants processing fewer than 20,000 card-based transactions a year need to comply.

CPAs should develop knowledge of the standard to advise their clients or employers on the scope and strength of internal audit programs, risk assessment, anti-fraud programs, vendor management programs, compliance plans and control culture.

To avoid common PCI compliance pitfalls, businesses should:

Securely dispose of unneeded data. TJX collected too much data and kept that data too long, according to an investigation by the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta. After authorization and settlement, very little cardholder data needs to be kept for inquiry and adjustment purposes.

Perform an inventory of all servers, databases, test facilities, networks, paper records, and transaction and activity logs. All service providers and contractors should be included in the search.

Identify all physical and logical points through which cardholder data enter and leave an organization. This will mean scrutinizing data reports, log files, servers, e-mail and file transfers.

Ensure that data encryption is consistent across a company’s computer system. Credit card data may be protected in some instances, but not others. TJX relied on a weak encryption protocol and failed to segregate its data so that cardholder information could be held on a secure server during the company’s conversion to a Wi-Fi Protected Access encryption system, according to the Canadian report.

Log all network activity. Failing to capture the activity makes it impossible to spot instances where hackers or anyone without authorization attempted to access card data. Companies should conduct regular scans for software vulnerabilities and abnormal activity.

Train staff to prevent data leaks, establishing a final line of defense and ensuring that sensitive information stays put.

Recognize there is no silver bullet. No single product or service can address a business’s PCI Data Security Standard compliance demands. Every business and every network is different, and PCI Data Security Standard controls must be tailored to an organization. There is no one-size-fits-all approach.

The standard has created demand for certified consultants that can provide PCI assessment and network scans and determine the scope of a PCI review or audit. Merchants and service providers that process, store or transmit data from a high volume of transactions are required to have their compliance with PCI guidelines certified by two outside consultants—Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The PCI Security Standards Council now manages the lists of certified QSA and ASV firms.

Unless a CPA in public practice has invested in a top-notch security lab—a collection of dedicated scanning tools and servers—becoming an ASV would be unlikely. But CPAs with sufficient expertise in information technology and data security can provide their firm’s qualifications to the council for accreditation as a Qualified Security Assessor. Because payment card companies may hold assessor firms liable for data breaches involving entities the QSA has served, firms should consider the risks associated with the work.

CPAs who advise small merchants should encourage their clients to maintain good relationships with the financial institutions that back their ability to accept credit card payment and should encourage them to leverage all of the PCI compliance tools those financial institutions provide merchants, including training.

The Anatomy of the Standard

The Payment Card Industry Data Security Standard was conceived to bind together the proprietary yet similar security standards major credit card and debit card brands had developed over time. The result is a ubiquitous standard providing a framework for developing a robust account data security process.

The standard traces its roots to Visa’s Cardholder Information Security Program, a proprietary standard for securing credit and debit networks, card data and PIN numbers. Similar requirements and concepts were also found in MasterCard’s Site Data Protection program. These requirements were consolidated into version 1.0 of the PCI requirements, which was first released in January 2005.

The standard was revised in September 2006. Responsibility for the standard shifted that month to the newly minted PCI Security Standards Council, formed by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and Japan Credit Bureau (JCB). Previously the standard had been either individually managed by the payment card companies or informally managed by the group of companies.

Merchants, banks, transaction processors and point-of-sale vendors can join the council as participating organizations. That group, which includes CVS, Hertz, PayPal, Star, Bank of America and JP Morgan Chase, has an opportunity to influence the direction of the guidelines through advance review of drafts of standards and supporting materials and communication with key stakeholders.

The PCI DSS is the best-known of three PCI-related frameworks and the focus of the accompanying article. The 12-part standard addresses infrastructure such as data networks, servers and firewalls. The requirements include:

Maintaining a firewall configuration for wireless and Internet-facing connections

Protecting data when stored, processed or transmitted

Not retaining unnecessary cardholder data after transactions are authorized and settled

Updating antivirus software

Securely developing systems and applications

Regularly performing vulnerability assessments and network scans (depending on the volume of transactions such as sales or ATM withdrawals)

Ensuring that business partners maintain PCI compliance

The second, lesser-known framework is the PCI PIN Entry Devices (PED) Security Requirements, which requires tamper-resistant terminals for all ATMs and PIN pads for debit and credit transactions. Its purpose is to guard against devices that surreptitiously capture customer PINs. Management of the PED framework shifted from JCB, MasterCard Worldwide and Visa Inc. to the PCI Security Standards Council in September 2007.

The third PCI framework, Payment Applications Best Practices (PABP), requires the use of approved payment application software that closely mirrors the objectives of the DSS. The PABP program is migrating from Visa’s ownership to that of the council, where it will be known as Payment Application Data Security Standard (PA-DSS). A final version of that standard is expected to be published during the first quarter

COMPLIANCE AND ENFORCEMENT
While PCI provides common technical requirements across all major card brands, individual payment card companies maintain and enforce their own programs to address non-compliance. Visa and MasterCard generally have the same validation requirements. For example, service providers that support fewer than 6 million card-based transactions annually are generally required to conduct a self-assessment but are free from compliance audit requirements.

American Express and Discover require all service providers to undergo an on-site assessment regardless of their volume of transactions, while Visa requires the on-site review only for merchants processing more than 6 million Visa transactions per year. CPAs in business and industry should see that their companies conduct the proper assessment.

Figures released in October 2007 by Visa offer an indication of how far the company’s business partners have come in proving to Visa that they are complying with the Data Security Standard. Sixty-five percent of Visa’s Level 1 merchants—a category for businesses involved with more than 6 million Visa transactions per year—had validated compliance with the standard. The remaining 35% had submitted their initial validation and were working to address remaining security deficiencies.

Among Level 2 merchants—those processing 1 million to 6 million Visa transactions a year—43% had validated their compliance.

Visa’s enforcement efforts include fines for acquirers—the financial institutions that allow merchants to accept credit cards—for data compromises involving merchants of any size. Fines have also been assessed on acquirers that did not provide a PCI compliance plan for their Level 1 merchants by Sept. 30, 2006. Visa levied $4.6 million in fines in 2006, up from $3.4 million the year before. Often financial institutions will pass the expense of the fines along to the merchants in question.

In December 2006, Visa announced a program of incentives and fines designed to encourage adoption of the PCI Data Security Standard. Acquiring financial institutions are subject to fines of between $5,000 and $25,000 a month for each of their Level 1 and 2 merchants that had not validated their PCI compliance by Sept. 30, 2007, and Dec. 31, 2007, respectively.

Visa announced in July an initiative to head off any potential migration of threats to smaller merchants as larger businesses increasingly adopt the security standard. The company is calling on financial institutions to pay closer attention to the defenses of the small merchants they work with.

Enforcement is a matter of business judgment. During a recent case involving a business that processed transactions, two credit card companies and two payment authorization entities all had the same information about a breach of cardholder data. One credit card company acted immediately to revoke the processor’s status as an acquirer. The other credit card company and one payment network waited more than a month to expel the processor. The remaining payment network did nothing.

Lawmakers across the nation also have taken notice of security lapses exposing consumer data. The National Council of State Legislatures reported that bills regarding breaches and information security had been introduced in 26 states in 2007. Legislation requiring some form of disclosure of data breaches or specific protection of consumer card information had been enacted in at least 35 states as of January 2007. A number of states go further by requiring procedures to secure private consumer data and ensure appropriate retention and destruction policies.

In October 2007, California Gov. Arnold Schwarzenegger vetoed a bill that would have limited the retention of personal information from a card transaction and required certain notification and reimbursement actions. Schwarzenegger, in a statement about the veto, said he was concerned that the measure would have been costly for businesses, especially small businesses, and that it might have conflicted with the industry requirements spelled out by the PCI guidelines.

Legislation related to data breaches and PCI has a high potential for affecting the legal environment in which CPAs operate. A list of such bills is available at www.ncsl.org/programs/lis/CIP/priv/breach07.htm.

Because the Payment Card Industry Data Security Standard is increasingly seen as the default standard for determining reasonable care and assigning liability, understanding the guidance is critical for CPAs who provide vendor management, forensic analysis, internal audit support and risk assessment services.

AICPA RESOURCES

AICPA IT Membership Section and CITP Credential
The IT Membership Section provides resources, best practices for protecting privacy and details about becoming a Certified Information Technology Professional (CITP). See www.aicpa.org/infotech or www.aicpa.org/CITP

OTHER RESOURCES

The PCI Data Security Standard is available on the PCI Security Standards Council Web site at www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.
