5 steps to optimise PCI DSS compliance across the supply chain
Kurt Mueffelmann, CEO at IT security firm Cryptzone, explains how you can optimise Payment Card Industry Data Security Standard (PCI DSS) compliance
One of the key themes of the newly enacted Payment Card Industry Data Security Standard Requirements (PCI DSS) v3.0 is security as a shared responsibility.
If a business works with external partners that require access to cardholder data, the Payment Card Industry (PCI) Security Standards Council wants to clearly understand who is responsible for what. Organisations are required to not only optimise compliance within their own networks, but across the supply chain too.
Data breaches
Looking back at some of 2014’s biggest data breaches, this makes sense. Many of the retailers whose payment card data was compromised last year were hacked using login credentials stolen from their suppliers. For example, restaurant chain Jimmy John’s had credit and debit card data compromised after an intruder stole login credentials from the company’s point-of-sale vendor and used these credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and Sept. 5, 2014.
Optimising compliance across the supply chain is no simple task. Lots of organisations have large supplier networks and minimal visibility into those partners’ internal policies and procedures. Ensuring that they’re all following PCI DSS guidelines is an enormous undertaking.
However, it could be argued that organisations shouldn’t aim to cross off every requirement in the PCI specification for themselves and for their partners, but rather they focus on addressing the central problem of actually keeping cardholder data safe. In fact, one of the other key themes of PCI DSS v3.0 is increased flexibility – security comes first, not compliance. It is possible to secure payment card data in a way that trickles down through the supply chain.
Here, Kurt Mueffelmann, CEO at Cryptzone, gives his top five steps on how to make this best-practice approach a reality:
1. Understand the problem
Disappointingly, the current PCI DSS specification still focuses very much on the entity rather than the problem. It describes the qualities of a compliant organisation’s environment, not the actions that make payment card data secure.
Accordingly, step one to optimise compliance across the supply chain is for an organisation to understand the central problem and tackle it in a holistic way, rather than taking a checkbox approach. Whether or not a business has a supplier network, its partners’ weaknesses are no more or less important than its own. It’s your brand that will be remembered if payment card data is breached!
Once a business has established the challenges that securing its payment card data entails, it can begin to solve the problem by gaining better visibility into that data across its own and suppliers’ networks. The PCI DSS v3.0 specification states that organisations must maintain a ‘current diagram that shows all cardholder data flows across systems and networks’. Logically, this should be extended to apply to external partners as well – after all, they’re in scope too.
This step requires some legwork. A business’ understanding of its data flows won’t necessarily correspond with reality. It is therefore important to survey users on their working habits and ask suppliers to corroborate the inventory of in-scope systems. Conducting automated scans to document where PCI data exists and determine if it is properly secured can provide useful insight.
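To show what the automated-scan part of this step can look like in practice, here is an added Python example (written for this article, not code from Cryptzone or the original piece). It scans a set of constructed sample files for candidate primary account numbers, keeps only candidates that pass the Luhn check to cut down false positives such as order numbers and phone numbers, and records each hit with the PAN masked to the first six and last four digits so the inventory itself does not become cardholder data. The file names, contents and the test card numbers are constructed; a Luhn pass reduces false positives but does not eliminate them, so hits still need confirmation.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file or system where the PAN was found
    line_no: int
    masked_pan: str  # never record the full PAN in the inventory itself


def scan_text(source: str, text: str) -> list:
    """Scan one text body; return a Finding for every Luhn-valid candidate PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {name: contents} mapping, e.g. exports collected from a supplier."""
    results = []
    for name, contents in files.items():
        results.extend(scan_text(name, contents))
    return results


# Constructed sample data (hypothetical files; the card numbers are public test numbers).
SAMPLE_FILES = {
    "pos-export.csv": "order_id,card\n1234567890123,4111-1111-1111-1111\n",
    "support-ticket.txt": ("Customer read out card 5500 0000 0000 0004 over the phone\n"
                           "Callback number: 020 7946 0000\n"),
    "app.log": "2014-06-16 txn 9876 approved\nref 4111111111111112 declined\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.source}:{finding.line_no}: {finding.masked_pan}")
```

Run against the sample, the scanner reports the card in the point-of-sale export and the one typed into the support ticket, but not the 13-digit order id, the phone number, or the 16-digit reference that fails Luhn. In a real survey the same scan would be pointed at file shares, ticketing exports and log archives on both sides of the supplier boundary.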
3. Streamline for security
Once an organisation has visibility of its cardholder data flow, it can concentrate on simplifying it and reducing the number of potential access points. The mnemonic PEST might help here. A business should seek to limit the persistence of cardholder data in memory, the points of entry to the payment environment, the storage of that data and its transport between different systems.
In terms of the supply chain, organisations ideally should treat external suppliers no differently to how they treat their own employees – neither should be allowed to divert the documented flow of cardholder data. This means keeping data off local storage, and both should use the same distributed access system to minimise the environment’s entry points.
4. Design failure-tolerant infrastructure
Assuming it was ever viable in the first place, complete data breach immunity is unrealistic given a large network of suppliers. Accordingly, a business should design a payment environment that no single failure can compromise. If a hacker circumvents one security control, such as authentication, they should encounter another, such as encryption.
PCI DSS states that access to cardholder data should be limited to those employees and external contractors whose jobs require it. An even higher level of security is possible if the organisation uses context to open and close access points to cardholder data dynamically. For example, a supplier might only be permitted to connect from a trusted machine at a certain time of day. Couple that with an additional layer of security around the data itself via encryption and classification to control how even authorised users can use and distribute the data. With these methods in place, stolen login credentials won’t always be enough ammunition for a hacker to bring about a breach.
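The layering described above, a context-aware gate on the access point plus a separate control on the data itself, can be illustrated with the following added Python example (written for this article; it is not Cryptzone's product or any code from the original piece). A supplier's access policy names the enrolled devices and a daily time window; a request is allowed only when the password, second factor, device and time all check out, and even then fields classified as cardholder data are masked unless the role is explicitly entitled to see them. The supplier, device, resource and record values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessPolicy:
    """What one external principal may do with one in-scope resource, and in what context."""
    principal: str
    resource: str
    trusted_devices: frozenset    # device identities enrolled for this supplier
    window_start: time            # permitted daily access window (local time)
    window_end: time
    require_mfa: bool = True
    may_unmask_pan: bool = False  # data-level control: may this role see full PANs?


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    resource: str
    device_id: str
    password_ok: bool   # result of the first-factor check
    mfa_ok: bool        # result of the second-factor check


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest, policies: list, now: datetime) -> Decision:
    """Gate the access point on identity AND context, so a valid password alone is not enough."""
    policy = next((p for p in policies
                   if p.principal == req.principal and p.resource == req.resource), None)
    if policy is None:
        return Decision(False, "no policy grants this principal access to the resource")
    if not req.password_ok:
        return Decision(False, "password rejected")
    if policy.require_mfa and not req.mfa_ok:
        return Decision(False, "second factor missing")
    if req.device_id not in policy.trusted_devices:
        return Decision(False, f"device {req.device_id!r} is not enrolled for {req.principal}")
    if not (policy.window_start <= now.time() <= policy.window_end):
        return Decision(False, "request is outside the permitted access window")
    return Decision(True, "identity and context checks passed")


def release_record(record: dict, classification: dict, policy: AccessPolicy) -> dict:
    """Second control around the data itself: fields classified as cardholder data are
    masked to first six / last four unless the policy entitles the role to see them."""
    released = {}
    for field_name, value in record.items():
        if classification.get(field_name) == "cardholder-data" and not policy.may_unmask_pan:
            released[field_name] = value[:6] + "*" * (len(value) - 10) + value[-4:]
        else:
            released[field_name] = value
    return released


# Constructed sample policy and data (hypothetical supplier, device and resource names).
POLICIES = [
    AccessPolicy(principal="pos-vendor-support", resource="pos-admin-console",
                 trusted_devices=frozenset({"vendor-laptop-0421"}),
                 window_start=time(8, 0), window_end=time(18, 0)),
]
CLASSIFICATION = {"pan": "cardholder-data"}
SAMPLE_RECORD = {"store": "store-42", "pan": "4111111111111111", "amount": "19.99"}


def legitimate_request() -> Decision:
    req = AccessRequest("pos-vendor-support", "pos-admin-console",
                        "vendor-laptop-0421", password_ok=True, mfa_ok=True)
    return evaluate(req, POLICIES, datetime(2014, 6, 16, 10, 30))


def unenrolled_device_request() -> Decision:
    # Correct password and second factor, but the request comes from a machine that was
    # never enrolled for this supplier: the device check denies it.
    req = AccessRequest("pos-vendor-support", "pos-admin-console",
                        "unknown-host", password_ok=True, mfa_ok=True)
    return evaluate(req, POLICIES, datetime(2014, 6, 16, 10, 30))


def after_hours_request() -> Decision:
    req = AccessRequest("pos-vendor-support", "pos-admin-console",
                        "vendor-laptop-0421", password_ok=True, mfa_ok=True)
    return evaluate(req, POLICIES, datetime(2014, 6, 16, 23, 15))


if __name__ == "__main__":
    print(legitimate_request())
    print(unenrolled_device_request())
    print(after_hours_request())
    print(release_record(SAMPLE_RECORD, CLASSIFICATION, POLICIES[0]))
```

The checks are ordered so that the denial reason is specific enough to alert on: a run of "not enrolled" or "outside the permitted access window" denials for one supplier account, with the password and second factor passing, is exactly the signal that credentials have leaked. Because the record is masked before release, a supplier role that only needs to reconcile transactions never sees a full PAN even when its session is fully authorised.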
5. Run PCI DSS day-to-day
Finally, one of the biggest new additions in PCI DSS v3.0 is the recommendation that organisations make compliance part of their business-as-usual (BAU) activities. Essentially, this presents two options: a business can either burden its employees and suppliers with additional day-to-day obligations, or identify which of its systems and working practices are outdated and can be replaced with alternatives that are compliant from day one.
Adhering to the five steps listed above will assist in making compliance BAU. The more streamlined an organisation’s data flow, the easier it is to audit. The more contextual and granular its security systems, the harder it is for unauthorised users to access data and misuse it, which in turn leads to compliance.
Fundamentally, optimising compliance across the supply chain is about solving the problem of securing payment card data in the most simple and holistic way possible. Sometimes this might mean optimising the organisation around the process. At the end of the day, though, it will be stronger for it.