Kingsbay Consulting (https://kingsbayconsulting.com): Experts in Security & Privacy Compliance
Feed generated Mon, 27 Oct 2025 03:28:30 +0000

Security or Compliance – What is your Approach?
https://kingsbayconsulting.com/security-or-compliance-what-is-your-approach/
Tue, 05 Jun 2018 19:54:32 +0000

How strong is your security culture? Is your organization’s approach to managing risk and protecting data compliance-centric or security-centric? Is the focus of your security culture to be compliant with some regulatory standard? It is a known fact that compliant organizations are not necessarily secure. In recent times, organizations that were declared “PCI-Compliant” have been victims of security breaches. Being compliant can give an organization a false sense of security and leave it exposed.

The concepts of security and compliance should ideally be complementary, but often we find them conflicting with each other.

The goal of compliance is to force organizations to put minimum security controls in place. It is supposed to be a baseline for security. Compliance requirements and activities are externally defined and often do not reflect an organization’s business needs or an ever-changing security landscape. Organizations that are compliance-focused often lack a maintenance culture to sustain what was built quickly to satisfy an external party.

On the other hand, a good security strategy takes a holistic approach to protecting an organization’s assets. It is based on business needs and on minimizing the organization’s risks. Good security is principled. It cares to measure the effectiveness of the controls that are implemented. It tries to understand what the business is trying to achieve, investigates solution options, selects the best and most cost-effective solution for the organization, and finds a way to measure whether the solution works.

How can organizations get the most out of both worlds? Simply, by making good security the goal. Good security will often facilitate compliance efforts. It is also true that most security programs will be enabled and fostered by compliance projects, but that should be a starting point, not an end. Security, when implemented correctly, makes compliance easy, as you only need to provide evidence that you have the controls in place. In other words, good security leads to compliance, but compliance is not equal to good security.

Finally, it is important to always remember that neither security nor compliance is a destination; both are a never-ending journey, as both must be sustained continuously. That is the key to success.

Data Protection – The Right to Be Forgotten
https://kingsbayconsulting.com/the-right-to-be-forgotten/
Thu, 31 May 2018 02:24:13 +0000

The right to be forgotten is a very fascinating concept. Who wants to be forgotten when most people are trying to be unforgettable? The question is rhetorical, but you cannot really be forgotten in that sense; only certain data about you may need to be purged, erased or forgotten. In the EU, the right to be forgotten is the law. It is called the Right to Erasure in Article 17 of the General Data Protection Regulation (GDPR). It stems from the right to privacy. Everyone indeed should have the right to privacy, but should people have a right to be forgotten? You may want to be forgotten in certain instances. When can you assert your right to be forgotten? Let’s look at some examples:

You might want to be forgotten if certain data about you is wrong, is widely replicated on the Internet and comes up in searches when people type in your name.
You might want to be forgotten if a prior conviction that has been expunged still comes up in searches when people type in your name.
You might want to be forgotten if you or someone else has posted compromising or detrimental photos of you on social media.
You have the right to request the erasure of unwanted data, and the controller of the data must comply without undue delay. However, this is not an absolute right. It applies only in these six specific circumstances:

Processing No Longer Necessary – when processing of the data is no longer necessary in relation to the purpose for which the data was initially collected;
You Withdraw Consent – when you, the data subject, withdraw consent and there is no other legal ground for the processing;
No Legitimate Grounds – when you object to processing of the data and there are no legitimate overriding grounds for ongoing processing;
Unlawful Processing – when processing of the data is unlawful;
Retention Period Over – when the personal data has to be erased to comply with a legal obligation, for example because the legal retention period has passed;
Collected from a Child – when the personal data was collected in relation to information society services offered to a child.
However, an organization may refuse a data subject’s request to erase personal data where the organization needs to comply with a legal obligation to keep the data; for vital interests or tasks that need to be carried out in the public interest; for archiving in the public interest, scientific or historical research, or statistical purposes; or when the data is required for the exercise of legal claims. One last wrench in this whole discussion: the right to erasure, or to be forgotten, does not apply where processing is necessary for “exercising the right of freedom of expression and information”.

The right to be forgotten will be one of the most challenging areas of GDPR for organizations to comply with. Compliance may require revamping entire systems and considerable changes to business logic. Organizations may have to rely on some out-of-the-box solutions to help purge the data. Solutions may include pseudonymization or anonymization of the data such that the data subject is no longer identifiable. They should also include monitoring of any access to the data if the data is still accessible but has been pseudonymized.

PCI Compliance: Is Your Organization Ready?
https://kingsbayconsulting.com/pci-compliance-is-your-organization-ready/
Thu, 31 May 2018 02:18:19 +0000

Compliance with the Payment Card Industry Data Security Standard is required of all entities that handle credit card data, to help reduce fraud and identity theft. This standard is critical to minimizing risk and maximizing credit card data protection.

Many merchants and service providers are struggling to bring their credit card processing environment into compliance with the PCI Data Security Standard. The key to this is planning and preparation: proper prior preparation prevents poor performance. PCI DSS compliance is a demanding task, and companies must carefully prepare and plan for it.

Organizations must first seek to understand their cardholder data processing environment before any planning activity. Completing a Self-Assessment Questionnaire (SAQ) and performing a preliminary gap analysis to assess your readiness are two critical steps to understanding your environment.

With a good understanding of your environment, you should now have an idea of where you are. Now you can start planning on how to get to where you need to be.

What you need to know

Find out what you need to do to demonstrate compliance: On-site audit, self-assessment questionnaire or quarterly scans?

Get senior management buy-in: Compliance with PCI DSS is a business risk issue. Get senior management support before you embark on this journey as you will need a lot of resources to achieve compliance: money, people and time.

Involve multiple departments: PCI compliance is not just an IT or corporate security initiative. Involve HR, operations, finance, accounting and others.

Leverage other compliance programs: The work required by PCI DSS may already be done. Make sure you align your PCI compliance efforts with other compliance efforts going on in your organization.

Review third-party agreements: Make sure third-party and all connected-entity agreements contain language that they must be PCI compliant, if necessary.

Segment your network: Although internal network segmentation is not a requirement of PCI DSS, it can significantly reduce the scope of your PCI assessment, and therefore the cost and effort required. A flat network design puts your whole organization in scope of the PCI assessment. Review your network diagram and have your cardholder processing environment adequately segmented from the rest of your network, if required.

Information security management system: To comply with PCI DSS you must have a comprehensive set of security policies in place.

Take advantage of compensating controls: If you will not be able to meet certain PCI requirements the way they are written, you can use alternate controls to compensate for the gaps. The compensating control must be above and beyond other PCI requirements and must also meet the intent and rigour of the original PCI requirement.

Vulnerability assessment: This will help identify vulnerabilities you may have on your network and to start the remediation efforts ahead of time.

Retain only necessary data: If you don’t need it, don’t store it. Eliminating sensitive cardholder data from your environment does two things for you: it immediately removes your risk and it reduces the scope of your PCI assessment. You do not need to keep sensitive cardholder data post authorization.

Get documentation ready for assessors: Make sure you have well documented policies and procedures, third-party agreements, configuration standards, technical documentation and network diagrams ready for the assessors. Make sure they are well organized, clear and up-to-date.

Get clarification from the PCI Council or your acquirer: If you need help with the interpretation of any of the PCI requirements, send an e-mail to the PCI Council at [email protected]. Your acquirer can help answer questions relating to your merchant or service provider level and compliance validation.

Finally, be ready to prove that you have exercised “due care.” Companies should focus on building good security into their network rather than on PCI compliance itself. For the most part, the PCI Data Security Standard is a set of best practices and controls that organizations should always have had in place. With this approach, demonstrating your PCI compliance becomes easier, as all you now have to do is document your security controls and be ready to prove that you have put in your best effort and done your due diligence.

Think you are PCI Compliant – Think Again!
https://kingsbayconsulting.com/think-you-are-pci-compliant-think-again/
Thu, 31 May 2018 01:30:39 +0000

Payment Card Industry Data Security Standard (PCI DSS) compliance is not a destination. It is a never-ending journey once you embark on it. To use Shon Harris’s words: “Security is a marathon to be run at a consistent and continual pace. It is not a short sprint, and it is not for those who lack dedication or discipline.”

It is true that companies that have been found to be PCI compliant in the past have had their payment card environment compromised in the same year as their compliance. Why? An information technology environment is constantly changing; it is never static. New vulnerabilities are discovered every day, and people who are ready to exploit these vulnerabilities are always on the move. They never stop.

The largest known compromise of financial data to date involves CardSystems Inc. (a large third-party credit card processor in the United States), which according to some reports was compliant in 2004, but in 2005, 40 million accounts were compromised under its watch. Further investigation revealed that CardSystems failed to provide reasonable and appropriate security for sensitive consumer information. They paid dearly for this mistake: extinction.

Visa states that a PCI review or audit represents only a “snapshot” of security in place at the time of the review, and does not guarantee that those security controls remain in place after the review is complete. Furthermore, these reviews do not cover proprietary software solutions that may be used or sold by these companies. Having a fully compliant report in June 2005 does not guarantee that you are still compliant in July 2005 because a lot would have changed in your environment in just one month.

This means that from the moment the PCI assessors leave, you have to proactively review your people, technology and processes all over again. The hackers are not resting, so you cannot either. You need to have the dedication and the discipline to stay on course. The on-site audit or self-assessment is required to be completed every year. This is an opportunity for companies to adopt a continuous audit approach. The attitude should be: this year’s audit is done, it’s time to get our controls in place for the next audit. The period between audits should be used as a pre-assessment period, assessing changes to the environment and closing any new gaps that are found. One of the objectives of PCI is to ensure that a consistent “standard of care” is used to protect payment account, transaction and authentication data. The keyword here is consistency.

Another very important factor to consider in the PCI compliance race is the quality of the Report on Compliance (ROC) that has been issued to a company by the assessor. While the experience and reputation of the Qualified Data Security Company (QDSC) is important, what is more important is the qualification and experience of the actual individual assessors. Companies should take a proactive approach in making sure that the assessors carrying out the audit are knowledgeable and have expertise in the subject at hand.

While Visa has a process in place to assess the quality of a ROC that has been issued to a service provider (an organization that processes, stores, or transmits Visa cardholder data on behalf of Visa members, merchants, or other service providers), it will take some time before they review every ROC that has been submitted to them. Merchants (businesses that accept credit card payments from their customers in exchange for services provided or items sold) submit their ROCs to the Visa member (an organization with a direct relationship to Visa) that signed them up. Having a false sense of security is the worst thing that can happen to a company.

One other very important piece of PCI compliance is security scanning, both external and internal. There are companies out there offering $100 scans. You should stop and think: you get what you pay for. What is the depth of the scans being offered? Yes, you can have a fully compliant report, but are you really compliant?

While PCI security solutions might not be cheap, loss or theft of customers’ credit card account information is even more expensive. A company might be subject to penalties such as fines from both Visa and the FTC; it faces loss of revenue, company reputation and competitive edge. Some companies have had to close their businesses because of restrictions that Visa and other credit card companies placed on them after an incident.

There is a safe harbor that protects members from Visa fines in the event of a compromise. According to Visa, to attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
3. It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.

A fully compliant PCI “Report on Compliance” is not a guarantee that you will never be subject to an attack again, nor is it insurance against hackers. Hacking activity is not only on the rise, but hackers are getting more sophisticated day by day. They have recently attacked established companies like AT&T, CardSystems and many other big names. No company is immune. Companies must be consistent and thorough in their approach to data security. They must always remember that they are under a contractual agreement with the credit card companies to keep consumer data secure. They must be ready to prove that they have exercised “due care” over the data that has been entrusted to them at all times.

Myth Buster – PCI Does Not Apply to My Organization
https://kingsbayconsulting.com/myth-buster-pci-does-not-apply-to-my-organization/
Thu, 31 May 2018 01:19:51 +0000

Myth: PCI Does Not Apply to My Organization. We Have Outsourced Everything. We Do Not Store or Process Any Credit Card Data.

PCI DSS applies to any organization that stores, processes or transmits cardholder data. PCI applies to any organization that accepts credit cards for payment, even if the number of transactions is just one card. PCI compliance is required of these organizations to keep cardholder data safe from hackers and fraudsters. Three things to keep in mind:
Destroying the credit card data immediately after processing it does not exempt you from PCI compliance: your processes and policies around access to, retention of and destruction of the data will still need to be validated.
Entering credit card information directly into an online application or virtual terminal for processing is considered transmitting the cardholder data, even if the application is provided by a third party.
Outsourcing all your credit card processing, storage and transmission does not exempt you from compliance either: you still need to validate the processes you have around paper receipts with cardholder data, the reports you get from your service provider and the agreements you have signed with them.
Separate from the mandate to comply with the PCI Standard is the mandate to validate compliance. Your business processes determine what you have to do to demonstrate or validate compliance, and therefore the SAQ validation type that you complete. You may only have to answer a few questions, or over 200 questions, depending on the SAQ version that is appropriate for your organization.

It is important to work with your PCI consultant and your acquirer to determine the SAQ type that is applicable to your organization.
