A 2012 global fraud survey conducted by ACI Worldwide, a global provider of electronic payments solutions for financial institutions, retailers, and processors, showed that one in four respondents said that they had been victims of credit, debit or pre-paid card fraud over the last five years.
In Singapore, over the last five years, 23 per cent of respondents had experienced credit card fraud, 11 per cent had suffered debit card fraud, and six per cent had fallen victim to pre-paid card fraud.
This survey shows that card fraud continues to be one of the greatest threats and concerns for consumers, financial institutions and retailers alike.
Whilst there have been significant advances in fraud-prevention technology, more needs to be done to educate consumers about fraud and engage them when it occurs.
Furthermore, financial institutions and retailers also need to remain vigilant and earn the trust of customers by working with them to combat fraud.
One way of being vigilant is to comply with the Payment Card Industry Data Security Standard (PCI-DSS). It is mandatory for any organisation that stores, processes or transmits payment card data to protect that data, thereby reducing the number of instances in which sensitive payment card data is lost or stolen.
PCI-DSS contains several hundred specific information-security controls that are intended to protect against a myriad of known computer-security vulnerabilities. Prior to the standard being created, each card brand had distinct security standards.
This meant that compliance was cumbersome and that compliance levels were low.
Many organisations fall into the trap of believing that a compromise of cardholder data within their systems will have no effect on them – after all, it is the cardholder and the cardholder’s bank that will bear the fraud losses.
This is unfortunately short sighted, and does not take into account the impact of negative public relations resulting from a compromise, or the costs associated with investigating and resolving a compromise.
Depending on the size of the merchant, the PCI-DSS requirements vary. Very large merchants must have a third party attest to their compliance each year.
Meanwhile, medium and small merchants are required to attest their compliance via a self-assessment.
Merchants that are compliant have some protection in the event of a compromise within their environment.
Non-compliant merchants are likely to bear the full cost of a compromise, which can include non-compliance fines and bank charges.
In addition, the negative public relations associated with suffering a compromise whilst in a non-compliant state can also be very damaging.
So how do you manage PCI-DSS compliance without getting overwhelmed? These six tips take us back to basics on how to approach PCI-DSS compliance:
1. Assign an owner
Designate the right person in your business to “own” the self-assessment process. Realise that PCI-DSS is not just a technical standard and requires input from all areas of your business.
2. Understand card data flow
Identify and track the processes where the card information is present. You may have card data in digital as well as paper format. Understand why, where and what information is retained.
Lower your risk by permanently deleting card information that is no longer required.
3. Know which part of your system touches cardholder data
This step, also known as “scope identification”, means knowing which pieces of your infrastructure touch card data, and how all of these systems are connected to the rest of your environment, even to systems that have nothing to do with card transactions.
4. Limit the systems that touch cardholder data
Once the scope has been identified, take precautions to limit the systems that touch cardholder data, and segment or remove connections between systems.
This step involves using technology to segment and protect your network. For example, a managed firewall can protect your network from Internet threats, or segment pieces within a single network.
This safeguard will help reduce the number of security controls you need to have in place and simplify your compliance process.
5. Don’t pigeonhole the PCI-DSS standard
The rule of thumb here is not to pigeonhole the PCI-DSS standard as just a technical standard, as it requires technology, people, processes, and procedures to all work together.
Many businesses overlook the need for an integrated approach to PCI-DSS compliance, even though business processes are often at the core of security and compliance.
6. Stay the course
PCI-DSS compliance is not a one-time event. Security takes diligence and ongoing monitoring to make sure that the right controls are in place.
Managed Security Services can help remove the burden of this ongoing monitoring – so you can stay focused on running your business, whilst your security controls are managed.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Singapore Business Review. The author was not remunerated for this article.
Prateek is the Principal Consultant for Trustwave in Asia Pacific. He has more than twelve years of information security experience. His role involves delivery
of all compliance (PCI DSS, PA DSS, CoBIT, ISO 27001) and information-security related assignments in the region, as well as performing many speaking