Divya Kothari
IMT 553 - Assignment 2

DOES ABC[1] NEED TO BE PCI COMPLIANT?
Being PCI compliant means meeting the Payment Card Industry Data Security Standard (PCI DSS): a set of requirements for handling cardholders' sensitive data in a secure environment. These requirements codify 'best practices' intended to ensure that every organization that deals with credit, debit or prepaid cards does so securely. Despite the internal confusion in our company that we are PCI compliant (when in fact we are not), the Sales Department's 'Why not?' raised an interesting point: should we rethink our allegiance to PCI? Given that the underlying intent behind the standard is fraud prevention, which aligns exactly with ABC's business objective of detecting and minimizing billing fraud, shouldn't we just go ahead and plan for compliance? Maybe. But first, let's go through a quick cost-benefit analysis once we have determined the scope of our framework.
ABC is a relatively small but growing company.* Currently, our firm operates from 2 offices in the United States, with each office processing up to 40,000 transactions a year.* It may also be useful to keep in mind that:

- Even though the ASP is not collecting information, the Company's operations that analyze billing details for fraud do fall within PCI DSS' stated applicability to "...all other entities that store, process or transmit cardholder data..." [2], as well as within other standards.*

- ABC only identifies billing errors and payment fraud. It does not trace them back to the user, clinic or insurance company; it merely flags the suspect portions of the bill, in order to keep user data private.

- Medical billing and other payment details provided to the company include some, if not all, cardholder data in identifiable form, specifically the Primary Account Number (PAN), paired with one or more of the following*:
  - Card expiration date
  - Card verification value (CVV, the 3- or 4-digit authentication number)
  - Track data (from the card's magnetic stripe)
  The PAN on its own is enough to bring a system into scope. Note also that the CVV and track data are 'sensitive authentication data' under PCI DSS, which must not be retained after authorization even in encrypted form; if vendors are in fact sending these to ABC, that is a finding in its own right, whatever we decide about certification.

- PCI DSS only deals with cardholder data; none of its controls require companies to protect other sensitive information (the cardholder's name counts only when it is stored together with the PAN). In our case, however, people's names, birth dates, addresses, SSNs, gender, marital status, occupations and other PHI are protected under HIPAA, since ABC has signed a Business Associate Agreement.*

- Currently ABC's systems are not up to date with the latest security protocols, and its risk management framework is still in its nascent stages. All systems have firewalls and anti-virus software, but data is encrypted only in patches. The company has two officials in charge of information assurance and security practices, with no fixed budget.*
COST-BENEFIT ANALYSIS

Benefits

- Increased security against potential breaches, hacks and other routes to loss of confidential data. "As more and more card processing (and even business in general) takes place online, for hackers this online channel is a viable way to profit." [3]

- An improved security posture and a more concrete structure for ABC's risk management framework. It also creates awareness and builds a better security culture among the firm's employees.

- Since ABC is still a growing company, a PCI compliance certification can help increase sales considerably if promoted through marketing channels. Given that the standard is backed by the five major card brands, advertising this certification may boost confidence among target vendors.

- An edge over competing billing processors who are not PCI compliant. Being an industry standard, PCI DSS does not have the force of law; it is enforced through the card brands' and acquiring banks' contracts rather than by statute, so an entity like ABC can in practice choose whether or not to comply. Since many companies are not yet in compliance, complying may be a good way to differentiate ourselves from competitors.

- Compliance is a good way to mitigate risk, for instance through risk transference or risk avoidance. PCI SSC even publishes a risk mitigation and migration plan template, a guided procedure that helps companies locate vulnerable protocols (SSL and early TLS) and migrate to stronger ones. [6]

- It also builds customer trust that their payment card data is safe, reassures partners and shareholders, and ensures that staff are protected from handling potentially sensitive customer information. [8]

Costs

- The cost of becoming PCI DSS compliant depends on a number of factors, including the business type, the number of transactions processed annually, the existing IT infrastructure, and current credit/debit card processing and storage practices. [4]

- As stated above, the company's cumulative transaction load is 80,000 per year, which places it in Level 3 of the merchant levels stipulated under PCI DSS (assuming the merchant levels apply; an entity that handles cardholder data on behalf of others may instead be validated as a service provider, whose thresholds differ).

- ABC will have to spend money to determine scope and then invest in compliance activities: filling out a Self-Assessment Questionnaire and signing up for quarterly vulnerability scans of all outward-facing IP addresses. Being PCI compliant also means ABC will have to revalidate every year.

- Other costs include software and hardware upgrades if information is stored in house, such as per-transaction encryption costs. On top of this come labor costs and the opportunity cost of foregone profit-making endeavors. [5]

- A rough estimate of what it may cost ABC to become PCI compliant:
  - Self-Assessment Questionnaire: ~$50 - $200
  - Vulnerability scanning: ~$100 - $150 per IP address
  - Training and policy development: ~$70 per employee
  - Remediation (software and hardware updates, etc.): varies with where the entity stands today in relation to compliance and security, but estimated at ~$100 - $10,000 (Glover, 2015) [7]

- On the flip side, the cost of not complying with PCI rules may be data loss leading to remediation and discovery costs, which can be just as costly as, if not more so than, the fines, not to mention potential reputational damage. [9] A report by the National Cyber Security Alliance states that if hackers successfully breach a small business's data, the business has a 60% chance of closing its doors within the following six months. [10]

[1] Assuming the company in question is named ABC LLP ("ABC"). A few other assumptions have been made to determine the scope of the issue. All such assumptions have been indicated by an asterisk.
[2] PCI website: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
[3] Business.com, 31 March 2015, "PCI Compliance - What it means to your Digital Security". Retrieved from: http://www.business2community.com/tech-gadgets/pci-compliance-means-digital-security-01196045
[4] Braintree, 24 June 2008, "What does it cost to become PCI Compliant". Retrieved from: https://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant/
[5] Refer to footnote 3.
[6] PCI Security Standards Council. Retrieved from: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
[7] Glover G., 19 August 2015, "How much does PCI Compliance Cost?" Retrieved from: http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
[8] Rehman A. et al. (2016), "An Introduction to PCI Compliance". Retrieved from: http://www.callcentrehelper.com/an-introduction-to-pci-compliance-83552.htm
[9] Refer to footnote 3.
RECOMMENDATIONS

Clearly, this is not as straightforward as it initially seemed. To add to the confusion, going back to the intent behind the standard, it must be kept in mind that PCI DSS does not set out to protect your organization. Its actual aim is to protect the payment networks and the payment ecosystem. And while the benefits of implementing these standards are fairly high, so are the costs of doing so. At the same time, these "costs associated with PCI compliance are not based on the number of cards you process, but rather the way in which you process the cards you accept. This is because for the most part, the processing method you use is relative to both the risk and the burden of PCI." [11]

However, it is clear that whether or not ABC chooses to comply with all PCI standards, it must strengthen its core processes internally. To take a final position on PCI implementation, ABC's senior management must discuss it with the Sales, Marketing, Operations, Legal and Security teams. My recommendation is that, irrespective of whether ABC decides to be PCI compliant or not, it should conduct a data inventory to determine what is really needed and what is not. Additionally, the firm should map its cardholder data environment, that is, all the components (vendors, people and processes) of every system that stores, processes or transmits cardholder data [12]. This will help ABC pinpoint exactly where to strengthen its systems' security even if it does not pursue the PCI standards. ABC can also streamline the intake of information from different vendors by making it compulsory to provide anonymized or encrypted data, which shrinks the environment that must be protected and thereby reduces costs.
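As an added, illustrative example (not part of the original memo, and not code from ABC or any vendor), the following Python script shows what the data inventory and the 'anonymized or encrypted data' intake rule above might look like in practice: it scans incoming billing records for card numbers, reports which fields carry them, replaces each PAN with a keyed token that still lets the fraud analysis correlate repeat use of the same card, and drops CVV and track data outright. The record layout, field names, sample records and key are all assumptions made for the example; the card numbers are standard Luhn-valid test values, not real cards.

```python
"""Discovery and tokenization pass for an incoming billing feed.

Added example, not ABC's or any vendor's code. Assumptions (hypothetical):
  - each billing record arrives as a flat dict of string fields;
  - a PAN is any 13-19 digit run (spaces/dashes allowed) that passes Luhn;
  - sensitive authentication data arrives under the field names in SAD_FIELDS;
  - the HMAC key is held by whoever tokenizes (ideally the vendor), never by
    the analysis environment that receives the scrubbed output.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (SAD). PCI DSS requirement 3.2 forbids retaining
# it after authorization even encrypted, so these fields are dropped, not
# tokenized. The field names are an assumption about the vendor feed.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "track_data", "pin"}

# Constructed sample feed: Luhn-valid test numbers, a non-Luhn 13-digit value
# (looks like a PAN but is not one) and a 10-digit phone number.
SAMPLE_FEED = [
    {"claim_id": "C-1001", "patient": "J. Doe", "amount": "123.45",
     "card": "4111 1111 1111 1111", "cvv": "123", "note": "paid at clinic"},
    {"claim_id": "C-1002", "patient": "A. Roe", "amount": "67.00",
     "card": "5500-0000-0000-0004", "track2": "5500000000000004=25121011234567890",
     "note": "ref 4111111111111111 disputed"},
    {"claim_id": "C-1003", "patient": "B. Poe", "amount": "10.00",
     "card": "1234567890123", "note": "phone 4155550123"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form PCI DSS requirement 3.3 allows: at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(digits: str, key: bytes) -> str:
    """Keyed one-way token: the analysis can still spot repeat use of one card,
    but the token is useless to a thief without the key."""
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:32]


def scrub_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, List[Tuple[str, str]]]]:
    """Return (scrubbed record, findings). Findings map a field name to a list of
    ('pan', masked value) or ('sad', 'dropped') entries for the inventory."""
    scrubbed: Dict[str, str] = {}
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for field, value in record.items():
        if field.lower() in SAD_FIELDS:
            findings.setdefault(field, []).append(("sad", "dropped"))
            continue                       # never stored, never forwarded

        def replace(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                return m.group(0)          # not a card number; leave it alone
            findings.setdefault(field, []).append(("pan", mask_pan(digits)))
            return tokenize_pan(digits, key)

        scrubbed[field] = PAN_RE.sub(replace, value)
    return scrubbed, findings


def scrub_feed(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, List[Tuple[str, str]]]]:
    """Scrub a whole feed and merge per-record findings into one inventory."""
    out: List[Dict[str, str]] = []
    inventory: Dict[str, List[Tuple[str, str]]] = {}
    for rec in records:
        clean, found = scrub_record(rec, key)
        out.append(clean)
        for field, hits in found.items():
            inventory.setdefault(field, []).extend(hits)
    return out, inventory


if __name__ == "__main__":
    cleaned, inv = scrub_feed(SAMPLE_FEED, b"demo-key-held-by-the-tokenizing-party")
    print("Inventory (field -> what was found):")
    for field, hits in sorted(inv.items()):
        print(f"  {field}: {hits}")
    print("Scrubbed feed:")
    for rec in cleaned:
        print(f"  {rec}")
```

Two caveats matter when reading the output. First, the scope reduction only holds if the tokenization runs before the data reaches ABC (at the vendor, or in a segregated intake system) and the key never lives on the analysis hosts; a keyed hash held next to its key is just cardholder data in another form, and the systems holding both stay in scope. Second, anything that looked like a PAN but failed the Luhn check is left untouched (the 'phone' and claim values above), so the printed inventory is a starting point for the data-inventory exercise, not a guarantee that nothing was missed.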
Lastly, we must address the possibility of FFIEC [13] intervention. FFIEC guidance, too, is not legally binding. The Council is merely empowered to "prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions" [14], and PCI DSS is one such recommended standard. However, in the past, courts have held banks liable for not complying with FFIEC guidance. [15] So does that mean that, in the event of a future dispute, a court may hold ABC liable for not following FFIEC's suggestions? That is a very subjective question, and such a prediction is difficult to make; different judges and courts weigh FFIEC and its advice differently. FFIEC is certainly expanding its cybersecurity arm [16]; however, the focus seems to be on 'large and complex institutions' [17], and ABC is yet to reach that stage.

It should be noted that compliance is not equivalent to security. Adhering to PCI standards essentially means taking extra precautionary steps to secure your systems and the integrity of the data within them; it does not mean they are absolutely secure. Furthermore, as businesses grow, the cardholder data environment unfortunately tends to grow with them, and information security policies and processes become more and more important. [18]
[10] Refer to footnote 2.
[11] Thomas T., 12 January 2015, "Small Business and PCI Cost vs. Benefit". Retrieved from: https://www.pcicomplianceguide.org/small-business-and-pci-cost-vs-benefit/
[12] Hipsher A., 24 September 2015, "Determining the Scope of the Cardholder Data Environment: Don't Leave Data Out of the PCI Compliance Assessment". Retrieved from: http://www.crowehorwath.com/cybersecurity-watch/cardholder-data-PCI-compliance-assessment/
[13] The Federal Financial Institutions Examination Council ("FFIEC").
[14] FFIEC website: http://www.ffiec.gov/about.htm
[15] Bank Safety & Soundness Advisor, 18 July 2011. Retrieved from: http://www.dwt.com/files/Uploads/Documents/News/07-11_Lorentz_BSSA.pdf (PDF)
[16] Hoar S., 1 July 2014, "Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments", Privsec. Retrieved from: http://www.privsecblog.com/2014/07/articles/cyber-national-security/federal-financial-institutions-examination-council-launches-cybersecurity-webpage-and-begins-cybersecurity-assessments/
[17] Curry, Thomas J. (8 May 2014). "Remarks by Thomas J. Curry, Comptroller of the Currency, Before RMA's Governance, Compliance, and Operational Risk Conference, Cambridge, Massachusetts" (PDF). Office of the Comptroller of the Currency.
[18] Hmark, 6 December 2012, "Left out in the cold". Retrieved from: http://blog.propay.com/index.php/tag/pci/