Divya Kothari
IMT 553 - Assignment 2
DOES ABC¹ NEED TO BE PCI COMPLIANT?
Being PCI compliant means taking steps to handle a cardholder’s sensitive data in a secure environment. These requirements are some of the ‘best practices’ that were laid down to ensure that all organizations that deal with credit, debit or prepaid cards do so in a secure environment. Despite the internal confusion in our company that we are PCI compliant (when in fact we are not), the Sales Department’s ‘Why not?’ brought up an interesting point – should we rethink our allegiance to PCI? Given that the underlying intent behind laying down these standards was fraud prevention, which aligns exactly with ABC’s business objective of detecting and minimizing billing fraud, shouldn’t we just go ahead and plan for compliance? Maybe. But before that, let’s go through a quick cost-benefit analysis once we determine the scope of our framework.
ABC is a relatively small but growing company.* Currently, our firm operates from 2 offices in the United States, with each office processing up to 40,000 transactions in a year.* It may also be useful to keep in mind that:
• Even though the ASP is not collecting information, the Company’s operations that analyze billing details for fraud do fall within the definition of PCI DSS’ mandate that it applies to – “…all other entities that store, process or transmit cardholder data…”² as well as other standards.*
• ABC only identifies billing errors and payment fraud. It does not trace them back to the user/clinic/insurance company; it merely flags the relevant portions of the bill, in order to keep user data private.
• Medical billing and other payment details provided to the company include some, if not all, de-anonymized cardholder data, more specifically the Primary Account Number paired with one or more of the following*:
  • Card expiration date
  • Card verification value (CVV, 3 or 4 digit authentication number)
  • Track data (from the card’s magnetic stripe)
• PCI only deals with cardholder data. Nowhere do any of its controls require companies to protect other sensitive information. However, in our case, information about people’s names, birth dates, addresses, SSNs, gender, marital status, occupations and other PHI is protected under HIPAA, considering ABC has signed a Business Associate Agreement.*
• Currently, ABC’s systems are not up to date with the latest security protocols, and its risk management framework is still in the nascent stages. All systems have firewalls and anti-virus software implemented, but data is encrypted only in patches. The company has two officials in charge of information assurance and security practices, with no fixed capital reserve.*
COST-BENEFIT ANALYSIS

Benefits:
• Increased security against potential breaches and hacks or other modes leading to loss of confidential data. “As more and more card processing (and even business in general) takes place online, for hackers this online channel is a viable way to profit.”³
• Improving the security posture and providing a more concrete structure to the risk management framework of ABC. It also creates awareness and adds to a better security culture among the employees of the firm.
• Since ABC is still a growing company, PCI compliance certification can tremendously help increase sales if used in promotion via marketing channels. Given the backing of the 5 biggest financial institutions, advertising this certificate may be a boost for increasing confidence amongst target vendors.
• Gives an added advantage over competing billing processors who are not PCI compliant. By virtue of being an industry standard, PCI DSS does not have the force of law, which means you can choose whether to be PCI compliant or not. Since there are many companies that are not yet in compliance, it may be a good way to differentiate ourselves from other competitors.
• Compliance is a great way to mitigate risks, for instance through risk transference, risk avoidance, etc. In fact, PCI DSS provides a Risk Mitigation plan and template, which is a guided procedure that enables companies to locate vulnerable protocols, migrate to more advanced protocols, etc.⁶
• It also creates customer trust that their payment card data is safe, gives reassurance to partners and shareholders, and ensures that staff are protected from any potentially sensitive customer information.⁸

Costs:
• The cost of becoming PCI DSS compliant depends on a number of factors including the business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.⁴
• As stated above, the cumulative transaction load is 80,000 per year for the company, making it eligible for Level 3 of the Merchant Level categories stipulated in PCI DSS.
• ABC shall have to spend money in order to determine scope and additionally invest in compliance-related activities. This includes filling out a Self-Assessment Questionnaire and signing up for a quarterly scan to check for vulnerabilities on all outward-facing IP addresses. Being PCI compliant also means ABC shall have to renew its certification every year.
• Other costs include software and hardware upgrades if information is stored in house, such as encryption costs per processing. Piling on to this is the cost of labor and the opportunity cost of pursuing other profit-making endeavors.⁵
• A rough estimate of what it may cost ABC to become PCI compliant:
  • Self-Assessment Questionnaire ~ $50 - $200
  • Vulnerability scanning ~ $100 - $150 per IP address
  • Training and policy development ~ $70 per employee
  • Remediation (software and hardware updates, etc.) ~ $100 - $10,000 (varies based on where the entity is today in relation to compliance and security, but estimated) (Glover, 2015)⁷
• On the flip side, the opportunity cost of not complying with PCI rules may result in data loss leading to remediation and discovery costs, which can be just as costly, if not more so, than the fines, not to forget potential reputational damage.⁹ A report by the National Cyber Security Alliance states that if hackers successfully breach a small business’ data, the business has a 60% chance of closing its doors in the following six months.¹⁰

¹ Assuming the company in question is named ABC LLP (“ABC”). A few other assumptions have been made to determine the scope of the issue. All such assumptions have been indicated by an asterisk symbol.
² PCI website: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
³ Business.com, 31st March 2015, “PCI Compliance – What it means to your Digital Security”. Retrieved from: http://www.business2community.com/tech-gadgets/pci-compliance-means-digital-security-01196045
⁴ Braintree, 24th June 2008, “What does it cost to become PCI Compliant”. Retrieved from: https://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant/
⁵ Refer to footnote 3
⁶ PCI Security Standards Council. Retrieved from: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
⁷ Glover G., 19th August 2015, “How much does PCI Compliance Cost?”. Retrieved from: http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
⁸ Rehman A. et al. (2016), “An Introduction to PCI Compliance”. Retrieved from: http://www.callcentrehelper.com/an-introduction-to-pci-compliance-83552.htm
⁹ Refer to footnote 3
RECOMMENDATIONS
Clearly, this is not as straightforward as it initially seemed. To add to this confusion, going back to the intent of laying down these standards, it must also be kept in mind that PCI DSS does not intend to protect your organization. Its actual aim is to protect the payment networks and the payment ecosystem. And while the benefits of implementing these standards are fairly high, so are the costs of doing so. At the same time, these “costs associated with PCI compliance are not based on the number of cards you process, but rather the way in which you process the cards you accept. This is because for the most part, the processing method you use is relative to both the risk and the burden of PCI.”¹¹
However, it is clear that whether or not ABC chooses to comply with all PCI standards, it must internally strengthen its core processes. In order to take a final stand on PCI implementation, ABC’s senior management must discuss this with its Sales, Marketing, Operations, Legal and Security teams and take a stand. My recommendation is that, irrespective of whether ABC decides to be PCI compliant or not, it would be a good idea to conduct a data inventory to determine what is really needed and what is not. Additionally, the firm could analyze the cardholder data environment, basically all the components – vendors, people, and processes – of all systems that store, process, and transmit cardholder data.¹² This shall help ABC pinpoint the exact locations where its system’s security needs strengthening, even if it does not focus on PCI standards. ABC can also streamline the process for incoming information from different vendors by making it compulsory to provide anonymized or encrypted data, thereby reducing costs.
Lastly, we must address the possibility of FFIEC¹³ intervention. FFIEC too does not have any legally binding force. It is merely empowered to “prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions”¹⁴ and PCI is one such recommended regulation. However, in the past, courts have held banks liable for not complying with FFIEC regulations.¹⁵ So does that mean that in the event of a dispute in the future, the court may hold ABC liable for not following FFIEC’s suggestions? That is a very subjective question and it is difficult to make such a prediction. Different judges/courts tend to weigh FFIEC and its advice differently. FFIEC is certainly expanding its cybersecurity arm;¹⁶ however, the focus seems to be more on ‘large and complex institutions.’¹⁷ ABC is yet to achieve that stage.
It may be noted that compliance is not equivalent to security. Adhering to PCI standards essentially means taking extra precautionary steps to secure your systems and the integrity of the data within; it does not mean securing them absolutely. Furthermore, unfortunately, as businesses grow, it often means that the cardholder data environment grows along with them. Information security policies and processes become more and more important.¹⁸
¹⁰ Refer to footnote 2
¹¹ Thomas T., 12th January 2015, “Small Business and PCI Cost vs. Benefit”. Retrieved from: https://www.pcicomplianceguide.org/small-business-and-pci-cost-vs-benefit/
¹² Hipsher A., 24th Sept 2015, “Determining the Scope of the Cardholder Data Environment: Don’t Leave Data Out of the PCI Compliance Assessment”. Retrieved from: http://www.crowehorwath.com/cybersecurity-watch/cardholder-data-PCI-compliance-assessment/
¹³ The Federal Financial Institutions Examination Council (“FFIEC”)
¹⁴ FFIEC website: http://www.ffiec.gov/about.htm
¹⁵ Bank Safety & Soundness Advisor, 18th July 2011. Retrieved from: http://www.dwt.com/files/Uploads/Documents/News/07-11_Lorentz_BSSA.pdf (PDF)
¹⁶ Hoar S., 1st July 2014, “Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments”, Privsec. Retrieved from: http://www.privsecblog.com/2014/07/articles/cyber-national-security/federal-financial-institutions-examination-council-launches-cybersecurity-webpage-and-begins-cybersecurity-assessments/
¹⁷ Curry, Thomas J. (8 May 2014). "Remarks by Thomas J. Curry, Comptroller of the Currency, Before RMA's Governance, Compliance, and Operational Risk Conference, Cambridge, Massachusetts" (PDF). Office of the Comptroller of the Currency.
¹⁸ Hmark, 6th December 2012, “Left out in the cold”. Retrieved from: http://blog.propay.com/index.php/tag/pci/

More Related Content

What's hot

Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final projectKelly Giambra
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?EMC
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesVISTA InfoSec
 
PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayBluePayProcessing
 
Verizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgVerizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgCMR WORLD TECH
 
Is your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notIs your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notCheapSSLsecurity
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheyPeter Tran
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliancepcidss14s
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsFit Small Business
 
Pci compliance
Pci compliancePci compliance
Pci compliancepcihghg23
 

What's hot (18)

Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final project
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
 
PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePay
 
Verizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgVerizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xg
 
Is your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notIs your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if not
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Bridger Insight brochure
Bridger Insight brochureBridger Insight brochure
Bridger Insight brochure
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_Richey
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliance
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
 
Pci compliance
Pci compliancePci compliance
Pci compliance
 
Corp govissiwrcc2010
Corp govissiwrcc2010Corp govissiwrcc2010
Corp govissiwrcc2010
 

Viewers also liked

жумаш айжан+услуги+идея
жумаш айжан+услуги+идеяжумаш айжан+услуги+идея
жумаш айжан+услуги+идеяАйжан Жумаш
 
1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptxDivya Kothari
 
Trabajo final robotica
Trabajo  final roboticaTrabajo  final robotica
Trabajo final roboticaYorle Arias
 
земля в солнечной системе
земля в солнечной системеземля в солнечной системе
земля в солнечной системеyarkovaleksandr
 
дидактический материал
дидактический материал дидактический материал
дидактический материал yarkovaleksandr
 
Machote programacion yorleny urena
Machote programacion yorleny urenaMachote programacion yorleny urena
Machote programacion yorleny urenaYorle Arias
 
Comuna balesti
Comuna balestiComuna balesti
Comuna balestirrapl
 
窮得只剩下錢1
窮得只剩下錢1窮得只剩下錢1
窮得只剩下錢1bbbilly
 
C. SpâNu Fabry.Cong.Balcanic.2009
C. SpâNu Fabry.Cong.Balcanic.2009C. SpâNu Fabry.Cong.Balcanic.2009
C. SpâNu Fabry.Cong.Balcanic.2009Mihaiela Fazacas
 
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'Raghav Bahl
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
Nitesh Mishra Short Cut Key
Nitesh Mishra Short Cut KeyNitesh Mishra Short Cut Key
Nitesh Mishra Short Cut KeyNitesh Mishra
 
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASE
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASESCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASE
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASELupu Andreea
 
Ghid de buna practica competenta digitala
Ghid de buna practica   competenta digitalaGhid de buna practica   competenta digitala
Ghid de buna practica competenta digitalaIcesicon
 

Viewers also liked (20)

жумаш айжан+услуги+идея
жумаш айжан+услуги+идеяжумаш айжан+услуги+идея
жумаш айжан+услуги+идея
 
1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx
 
eNest_Portfolio
eNest_PortfolioeNest_Portfolio
eNest_Portfolio
 
Trabajo final robotica
Trabajo  final roboticaTrabajo  final robotica
Trabajo final robotica
 
земля в солнечной системе
земля в солнечной системеземля в солнечной системе
земля в солнечной системе
 
дидактический материал
дидактический материал дидактический материал
дидактический материал
 
El gasolinazo en méxico
El gasolinazo en méxicoEl gasolinazo en méxico
El gasolinazo en méxico
 
Machote programacion yorleny urena
Machote programacion yorleny urenaMachote programacion yorleny urena
Machote programacion yorleny urena
 
Comuna balesti
Comuna balestiComuna balesti
Comuna balesti
 
窮得只剩下錢1
窮得只剩下錢1窮得只剩下錢1
窮得只剩下錢1
 
C. SpâNu Fabry.Cong.Balcanic.2009
C. SpâNu Fabry.Cong.Balcanic.2009C. SpâNu Fabry.Cong.Balcanic.2009
C. SpâNu Fabry.Cong.Balcanic.2009
 
Mamifere
MamifereMamifere
Mamifere
 
My cv
My cvMy cv
My cv
 
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'
Winning the Online Marketplace IV - 'Building a Sustainable Growth Engine'
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. Framework
 
Nitesh Mishra Short Cut Key
Nitesh Mishra Short Cut KeyNitesh Mishra Short Cut Key
Nitesh Mishra Short Cut Key
 
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASE
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASESCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASE
SCRISOARE DE RECOMANDARE_Prof Irina Petrescu, ASE
 
Scrisoare de recomandare supervisor (1)
Scrisoare de recomandare supervisor (1)Scrisoare de recomandare supervisor (1)
Scrisoare de recomandare supervisor (1)
 
El grupo de discusión
El grupo de discusiónEl grupo de discusión
El grupo de discusión
 
Ghid de buna practica competenta digitala
Ghid de buna practica   competenta digitalaGhid de buna practica   competenta digitala
Ghid de buna practica competenta digitala
 

Similar to When does a company need to be PCI compliant

5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS ComplianceTripwire
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance ReportHolly Vega
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...The Harvey Company Insurance Services
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]Anton Chuvakin
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment SecurityPaymentAsia
 

Similar to When does a company need to be PCI compliant (16)

5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance Process
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]Log Management for PCI Compliance [OLD]
Log Management for PCI Compliance [OLD]
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment Security
 

More from Divya Kothari

The American Health Care System - Long Paper
The American Health Care System - Long PaperThe American Health Care System - Long Paper
The American Health Care System - Long PaperDivya Kothari
 
Effect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperEffect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperDivya Kothari
 
Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Divya Kothari
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportDivya Kothari
 
Homer Pithawala_Referral
Homer Pithawala_ReferralHomer Pithawala_Referral
Homer Pithawala_ReferralDivya Kothari
 
Umesh Aswar_Referral
Umesh Aswar_ReferralUmesh Aswar_Referral
Umesh Aswar_ReferralDivya Kothari
 

More from Divya Kothari (9)

The American Health Care System - Long Paper
The American Health Care System - Long PaperThe American Health Care System - Long Paper
The American Health Care System - Long Paper
 
Effect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperEffect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research Paper
 
Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
 
Homer Pithawala_Referral
Homer Pithawala_ReferralHomer Pithawala_Referral
Homer Pithawala_Referral
 
Umesh Aswar_Referral
Umesh Aswar_ReferralUmesh Aswar_Referral
Umesh Aswar_Referral
 
Recognition_Letter
Recognition_LetterRecognition_Letter
Recognition_Letter
 
The Vyapam Case
The Vyapam CaseThe Vyapam Case
The Vyapam Case
 

When does a company need to be PCI compliant

  • 1. Divya Kothari IMT 553 - Assignment 2 DOES ABC1 NEED TO BE PCI COMPLIANT? Being PCI compliant means taking steps to handle a cardholder’s sensitive data in a secure environment. These requirement are some of the ‘best practices’ that were laid down to ensure that all organizations that deal with credit, debit or prepaid cards,do so in a secure environment. Despite the internal confusion in our company that we are PCI compliant (when in fact we are not), the Sales Department’s ‘Why not?’ brought up aninteresting point – Should we rethink our allegiance to PCI? Given the underlying intent behind laying these standards was fraud prevention which aligns exactly with ABC’s business objective of detecting and minimizing billing fraud, shouldn’t we just go aheadand plan for compliance? Maybe.But before that, let’s just go through a quick cost-benefit analysis once we determine the scope of our framework. ABC is a relatively small but growing company.* Currently, our firm operates from 2 offices in the United States with each office processing up to 40,000 transactions in a year.* It may also be useful to keep in mind that:  Even though the ASP is not collecting information, the Company’s operations that analyze billing details for fraud do fall within the definition of PCI DSS’ mandate that it applies to – “…all other entities that store, process or transmit cardholder data…”2 as well as other standards.*  ABC only identifies billing errors and payment fraud. It does not trace it back to the user/clinic/insurance company, merely flags the portions of the bill in order to keep user data private. 
• PCI only deals with cardholder data. Nowhere do any of its controls require companies to protect other sensitive information. However, in our case, information about people’s names, birth dates, addresses, SSNs, gender, marital status, occupations and other PHI is protected under HIPAA, considering ABC has signed a Business Associate Agreement.*
• Currently ABC’s systems are not up to date with the latest security protocols, and its risk management framework is still in the nascent stages. All systems have firewalls and anti-virus software implemented, but data is encrypted only in patches. The company has two officials in charge of information assurance and security practices, with no fixed capital reserve.*

COST-BENEFIT ANALYSIS

Benefits:
• Increased security against potential breaches, hacks or other modes leading to loss of confidential data. “As more and more card processing (and even business in general) takes place online, for hackers this online channel is a viable way to profit.”3
• Improving the security posture and providing a more concrete structure to the risk management framework of ABC. It also creates awareness and adds to a better security culture among the employees of the firm.
• Since ABC is still a growing company, a PCI compliance certification can tremendously help increase sales if used for promotion via marketing channels. Given the backing of the 5 biggest financial institutions, advertising this certificate may be a boost for increasing confidence amongst target vendors.
• Gives an added advantage over competing billing processors who are not PCI compliant. By virtue of being an industry standard, PCI DSS does not have the force of law, which means you can choose whether to be PCI compliant or not. Since there are many companies that are not yet in compliance, it may be a good way to differentiate ourselves from other competitors.
• Compliance is a great way to mitigate risks, for instance through risk transference, risk avoidance, etc. In fact, PCI DSS provides a risk mitigation plan and template, which is a guided procedure that enables companies to locate vulnerable protocols, migrate to more advanced protocols, etc.6
• It also creates customer trust that their payment card data is safe, gives reassurance to partners and shareholders, and ensures that staff are protected from any potentially sensitive customer information.8

Costs:
• The cost of becoming PCI DSS compliant depends on a number of factors including the business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.4
• As stated above, the cumulative transaction load is 80,000 per year for the company, making it eligible for Level 3 of the Merchant Level categories stipulated in PCI DSS.
• ABC shall have to spend money in order to determine scope and additionally invest in compliance-related activities. This includes filling out a Self-Assessment Questionnaire and signing up for a quarterly scan to check for vulnerabilities on all outward-facing IP addresses. Being PCI compliant also means ABC shall have to renew its certification every year.
• Other costs include software and hardware upgrades if information is stored in house, such as encryption costs per processing. Piling on to this is the cost of labor and the opportunity cost of pursuing other profit-making endeavors.5
• A rough estimate of what it may cost ABC to become PCI compliant:
  • Self-Assessment Questionnaire: ~$50 - $200
  • Vulnerability scanning: ~$100 - $150 per IP address
  • Training and policy development: ~$70 per employee
  • Remediation (software and hardware updates, etc.): varies based on where the entity is today in relation to compliance and security, but estimated at ~$100 - $10,000 (Glover, 2015)7
• On the flip side, the opportunity cost of not complying with PCI rules may result in data loss leading to remediation and discovery costs, which can be just as costly, if not more so, than the fines, not to forget potential reputational damage.9 A report by the National Cyber Security Alliance states that if hackers successfully breach a small business’ data, the business has a 60% chance of closing its doors in the following six months.10

NOTES (1-9)

1 Assuming the company in question is named ABC LLP (“ABC”). A few other assumptions have been made to determine the scope of the issue. All such assumptions have been indicated by an asterisk symbol.
2 PCI website: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
3 Business.com, 31st March 2015, “PCI Compliance – What it means to your Digital Security”. Retrieved from: http://www.business2community.com/tech-gadgets/pci-compliance-means-digital-security-01196045
4 Braintree, 24th June 2008, “What does it cost to become PCI Compliant”. Retrieved from: https://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant/
5 Refer to footnote 3
6 PCI Security Standards Council. Retrieved from: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
7 Glover G., 19th August 2015, “How much does PCI Compliance Cost?”. Retrieved from: http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
8 Rehman A. et al. (2016), “An Introduction to PCI Compliance”. Retrieved from: http://www.callcentrehelper.com/an-introduction-to-pci-compliance-83552.htm
9 Refer to footnote 3

RECOMMENDATIONS

Clearly, this is not as straightforward as it initially seemed. To add to this confusion, going back to the intent of laying down these standards, it must also be kept in mind that PCI DSS does not intend to protect your organization. Its actual aim is to protect the payment networks and the payment ecosystem. And while the benefits of implementing these standards are fairly high, so are the costs of doing so. At the same time, these “costs associated with PCI compliance are not based on the number of cards you process, but rather the way in which you process the cards you accept. This is because for the most part, the processing method you use is relative to both the risk and the burden of PCI.”11 However, it is clear that whether or not ABC chooses to comply with all PCI standards, it must internally strengthen its core processes. In order to take a final stand on PCI implementation, ABC’s senior management must discuss this with its Sales, Marketing, Operations, Legal and Security teams and take a stand.

My recommendation is that, irrespective of whether ABC decides to be PCI compliant or not, it would be a good idea to conduct a data inventory to determine what is really needed and what is not. Additionally, the firm could analyze the cardholder data environment, basically all the components – vendors, people, and processes – of all systems that store, process, and transmit cardholder data.12 This shall help ABC pinpoint the exact locations for strengthening its systems’ security, if not focus on PCI standards. ABC can also streamline the process for incoming information from different vendors by making it compulsory to provide anonymized or encrypted data, thereby reducing costs. Lastly, we must address the possibility of FFIEC13 intervention.
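The data inventory and the vendor-side minimization recommended above can be put into practice with a small intake filter at the point where billing records enter ABC’s systems. The Python script below is an added example written for this page; it is not code from the assignment or from ABC. It scans each incoming record for Luhn-valid 13 to 19 digit sequences (the shape of a Primary Account Number), truncates them to the first six and last four digits (the most that PCI DSS Requirement 3.3 allows to be displayed), drops any field holding sensitive authentication data that Requirement 3.2 forbids storing after authorization (CVV, track data, PIN), and records a finding for each action, which doubles as the inventory of where cardholder data actually shows up. The field names, the list of sensitive field names, and the three sample records are constructed for the example; the two card numbers are the well-known brand test numbers, not real accounts.

```python
"""Intake filter that inventories and minimizes cardholder data in billing records.

Added example for this page (not ABC's or the assignment's code). Field names,
SENSITIVE_AUTH_FIELDS and SAMPLE_RECORDS are constructed assumptions.
"""
from __future__ import annotations

import re

# Sensitive authentication data: PCI DSS Req. 3.2 says it must not be stored
# after authorization, so the filter drops these fields outright.
# The field names themselves are an assumption about vendor schemas.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by all major card brands; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS Req. 3.3 permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (raw match, digits only) for every Luhn-valid PAN-shaped run in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_ok(digits):
            hits.append((raw, digits))
    return hits


def minimise_record(rec: dict) -> tuple[dict, list[str]]:
    """Return a reduced copy of one record plus the inventory findings for it."""
    label = rec.get("claim_id", "<no id>")
    reduced: dict = {}
    findings: list[str] = []
    for key, value in rec.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            findings.append(f"{label}: dropped sensitive authentication data field '{key}'")
            continue                                   # never retained
        if isinstance(value, str):
            hits = find_pans(value)
            for raw, digits in hits:                   # mask in place, even inside free text
                value = value.replace(raw, mask_pan(digits))
            if hits:
                findings.append(f"{label}: masked {len(hits)} PAN(s) in field '{key}'")
        reduced[key] = value
    return reduced, findings


def run_inventory(records: list[dict]) -> tuple[list[dict], list[str]]:
    """Apply minimise_record to a batch; the findings list is the data inventory."""
    all_reduced, all_findings = [], []
    for rec in records:
        r, f = minimise_record(rec)
        all_reduced.append(r)
        all_findings.extend(f)
    return all_reduced, all_findings


# Constructed sample input: two records carrying card data (brand test numbers),
# one carrying none. A vendor's real feed would be parsed into dicts like these.
SAMPLE_RECORDS = [
    {"claim_id": "C-1001", "patient_name": "J. Doe", "pan": "4111 1111 1111 1111",
     "expiry": "12/27", "cvv": "123", "amount": "250.00",
     "memo": "copay charged to card 4111111111111111"},
    {"claim_id": "C-1002", "patient_name": "R. Roe", "pan": "5500000000000004",
     "track2": ";5500000000000004=27121011000012345678?", "amount": "40.00",
     "memo": "paid by check"},
    {"claim_id": "C-1003", "patient_name": "A. Poe", "amount": "99.00",
     "memo": "insurance pending, no card on file"},
]

if __name__ == "__main__":
    reduced, findings = run_inventory(SAMPLE_RECORDS)
    for line in findings:
        print(line)
    for r in reduced:
        print(r)
```

The findings list is what a data inventory needs: which vendor, which record and which field carried cardholder data, without retaining the data itself. Note that the Luhn check is a shape test, not proof that a digit run is a card number, so a real deployment would pair it with per-vendor schemas or BIN tables before masking; the expiry date is kept here because PCI DSS allows it to be stored with protection, but it still sits inside the cardholder data environment while it is paired with a PAN.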
FFIEC too does not have any legal binding. It is merely empowered to “prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions”14 and PCI is one such regulation recommended. However, in the past, courts have held banks liable for not complying with FFIEC regulations.15 So does that mean that in the event of a dispute in the future, the court may hold ABC liable for not following FFIEC’s suggestions? That is a very subjective question and it is difficult to make such a prediction. Different judges/courts tend to weigh FFIEC and its advice differently. FFIEC is certainly expanding its cybersecurity arm;16 however, the focus seems to be more on ‘large and complex institutions.’17 ABC is yet to achieve that stage.

It may be noted that compliance is not equivalent to security. Adhering to PCI standards is essentially taking extra precautionary steps to secure your systems and the integrity of the data within; it does not mean securing absolutely. Furthermore, unfortunately, as businesses grow, it often means that our cardholder data environment grows along with it. Information security policies and processes become more and more important.18

NOTES (10-18)

10 Refer to footnote 2
11 Thomas T., 12th January 2015, “Small Business and PCI Cost vs. Benefit”. Retrieved from: https://www.pcicomplianceguide.org/small-business-and-pci-cost-vs-benefit/
12 Hipsher A., 24th Sept 2015, “Determining the Scope of the Cardholder Data Environment: Don’t Leave Data Out of the PCI Compliance Assessment”. Retrieved from: http://www.crowehorwath.com/cybersecurity-watch/cardholder-data-PCI-compliance-assessment/
13 The Federal Financial Institutions Examination Council (“FFIEC”)
14 FFIEC website: http://www.ffiec.gov/about.htm
15 Bank Safety & Soundness Advisor, 18th July 2011. Retrieved from: http://www.dwt.com/files/Uploads/Documents/News/07-11_Lorentz_BSSA.pdf (PDF)
16 Hoar S., 1st July 2014, “Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments”, Privsec. Retrieved from: http://www.privsecblog.com/2014/07/articles/cyber-national-security/federal-financial-institutions-examination-council-launches-cybersecurity-webpage-and-begins-cybersecurity-assessments/
17 Curry, Thomas J. (8 May 2014). "Remarks by Thomas J. Curry, Comptroller of the Currency, Before RMA's Governance, Compliance, and Operational Risk Conference, Cambridge, Massachusetts" (PDF). Office of the Comptroller of the Currency.
18 Hmark, 6th December 2012, “Left out in the cold”. Retrieved from: http://blog.propay.com/index.php/tag/pci/