Time to get off the fence?


WHITE PAPER
Thought leadership for the retail sector

Time to get off the fence? Defining a cost-effective way to get and retain PCI DSS certification

Author: Kevin Burns, PCI and Payments Consultant, BT Expedite.

Expedite & Fresca Multichannel Retail Specialists

Contents

Executive summary
What direction is the Payment Card Industry Data Security Standard (PCI DSS) going?
How to get off the fence without getting splinters
Considerations for your next step
Can Point to Point Encryption (P2PE) reduce scope?
How P2PE can reduce costs
Conclusion
About BT Expedite & Fresca
About the author

Executive summary

There are a lot of different opinions about how the recession has affected retail, but we can all agree that it's been a tough couple of years. So being asked to comply with a set of regulations around card payments, and to keep pace with their evolving demands, is likely to be low on your list of priorities. What is clear is that the Payment Card Industry Data Security Standard (PCI DSS) is here to stay, and as such you need to get it done, keep on top of it (assuming you got there in the first place) or get a great defence in place.

It is also clear that the costs are high, as are the stakes. The results of the latest Ponemon Institute report on The True Cost of Compliance* are just as stark as they have been in previous years. They show the price of compliance in retail averages $9,240,000 for larger merchants. While this figure will include controls and regulatory obligations outside of the PCI DSS, it still highlights the level of commitment retailers face when addressing security and compliance. Similarly, the report findings show that PCI DSS is both the highest priority and perceived as the most difficult to achieve. More worrying is that the cost of non-compliance is put at 2.65 times that of compliance. The report also reveals that the gap between the haves and have-nots in terms of compliance in retail is a huge 76%, which may well explain why retail is always one of the largest sectors for data breaches.

But it's not all bad news. You can help yourself when it comes to both PCI DSS and addressing the costs to your business by:

- limiting the scope of your payment systems
- reducing interaction with other systems and processes
- redefining business processes which call upon card data to remove any dependencies
- looking for solutions which help to simplify the overall compliance.

You should concentrate your compliance efforts on these areas to reduce the impact of PCI DSS on your business now and in the future.

*The True Cost of Compliance, Ponemon Institute report, commissioned by Tripwire Inc., January

What direction is PCI DSS going?

The initial version of the standard was tough and difficult to understand, especially outside the US where it was often out of kilter with the way in which payments were handled. This affected European retailers in particular. The revisions that came in versions 1.1 and 1.2 of the PCI DSS helped clarify what was expected and indicated how to revise the retail landscape in order to move towards compliance, specifically to focus on the need to retain card data and its use within retail environments.

There was an acknowledgement that it was still pretty tough, so we got the prioritised approach, published by the PCI SSC in This was a great step forward and helped many to get over their initial preconceptions, due largely to the PCI DSS being a 100% pass or fail standard. Eating the elephant whole was never going to be possible. Indeed, since version 1.0 we've been advising customers to take a piecemeal approach.

Published in October 2010, version 2.0 of the standard included some further clarification though little real change. Around the same time we also saw papers on Chip and PIN technology (EMV) and Point to Point Encryption (P2PE) published by special interest groups. But what was really needed was clarification on whether or not the latest technologies could help retailers reduce the scope of their business in terms of compliance.

So what's new and what can we expect in the short to medium term with PCI DSS? We have some time to wait for a new version of the standard, but in the meantime we can expect further clarification on P2PE and the role of EMV in simplifying compliance. The latter will need more than the current VISA Europe paper, as other card schemes will also need to get on board. We also now have clarification on call centres and payments (Protecting Telephone-based Payment Card Data, available from the PCI SSC website) which even includes the words "out of scope" for the first time.

What is PCI DSS?

The Payment Card Industry Data Security Standard has been set out by the major payment card schemes (including VISA, MasterCard and American Express) to increase controls around cardholder data to reduce fraud and help protect customers. For more information, visit

How to get off the fence without getting splinters

First and foremost, it's important to be clear that there is no single solution in the market which can provide full PCI DSS compliance for a retailer. Any solution that claims this should be carefully assessed, as it will almost always only relate to a specific element or elements within the PCI DSS. And the solution may bear no resemblance to your landscape, data use and storage or your operating environment.

Now think about the scope of PCI DSS within your retail environment. Understanding how to reduce your scope before you take on PCI DSS will ensure that you focus on gaining compliance where it matters, rather than stretching valuable resources across your whole environment. So, for example:

- Can you reduce the scope by changing interfaces? We believe so, which is why we've been redesigning our integration layers to ensure that Point of Sale environments no longer have full Primary Account Number (PAN) as a key to the transaction.
- Is it possible to remove data from legacy systems without affecting the business? We've investigated the use of truncated card data combined with tokenisation or hash values and concluded that the same level of information can be derived.
- Could you work with truncated data instead of using full details? Again we believe so, which is why this now forms part of our implementations by default.

We recommend limiting the scope to the payment applications. This can be achieved by implementing Point to Point Encryption (P2PE) where the encryption application is hosted on the PIN entry device (PED) and the encrypted data is only stored on the PED or on the payment application servers (where settlement is processed as an overnight batch rather than online per transaction). Better still, look at a business case for managed payments where the central hosted element of the payment solution is located outside your environment, as this will further reduce the PCI DSS scope.

The PCI Security Standards Council is due to update its October 2010 clarification with further information on P2PE and scope. It is anticipated, however, that this will focus on the technologies appropriate for P2PE more than scope reduction (or simplification, as they put it). With this in mind we've done our homework, and discussions with Qualified Security Assessors (QSAs), acquirers and schemes have so far all provided positive feedback for this approach. So, if the retailer cannot access keys (for encryption/decryption), the solution is Payment Application Data Security Standard (PA-DSS) and PCI DSS certified in its own right, and it's implemented to the standard by which these certifications were gained, then the scope for the retailer will be dramatically reduced.

That said, it's important to consider the total needs of your business, so you need to think about what to pull into your analysis.

Considerations for your next step

1. You need to start a PED replacement programme soon. It's seven years since EMV and Chip and PIN started rolling out across the UK, so this is not simply a PCI related consideration, it is a general business requirement. Remember, not all PEDs will work with all payment solutions and some payment solutions are tied to a very limited PED range.

2. You'll then need to review your business requirements for the next five to seven years in terms of payments. Chip and PIN is here to stay, but what's coming next? Clearly contactless is going to have an impact, but think beyond just contactless Credit and Debit cards; think about contactless payment through Smart Phones. Also, think wider than just Visa and MasterCard. Electronic gift solutions, loyalty and other payment methods which do not rely upon a traditional plastic card are all gaining ground. Consider also the likely need for any fraud concerns and whether you could benefit from additional value added services such as Tax Free.

3. Now review the use of card data in your current environment. Think about whether the business uses cards in loss prevention, loyalty and CRM, and whether there is a business need to retain existing processes which assume card data is present. If so, Tokenisation will be a requirement. Don't think of this as an alternative to encryption; it's not. It is a method to keep a unique identifier which previously would have been the PAN. E-commerce retailers will already have this today in order to manage the payment from initial authorisation to authorisation through to settlement on fulfilment.

4. This leads to the next decision: do I want, or do I need, to have a multi-channel payment solution? Or can each channel remain independent?

5. Finally, remember that any managed solution is a long-term commitment, typically three to five years. It's critical that you select a partner you can trust and one with a proven track record. It's also important to involve your QSA and acquirer in the selection process so that they endorse the move and the associated simplification of your PCI DSS environment before you make that commitment.
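The truncation-plus-token approach discussed above (truncated card data for legacy systems, with a token as the unique identifier that would previously have been the PAN), as an added Python example that is not BT Expedite's implementation. It assumes first-six/last-four truncation and an HMAC-SHA256 keyed token; the function names, the key and the sample sales are constructed for illustration. The last function shows why the token has to be keyed rather than a plain hash when it is stored beside the truncated digits.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. Assumption: in a real deployment this key is held only by
# the tokenisation service (for example the managed payment provider), so the
# retailer's PoS, loyalty and loss-prevention systems can never recompute tokens.
DEMO_TOKEN_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise(pan: str, key: bytes) -> str:
    """Deterministic keyed token: same PAN and key give the same token, and the
    token cannot be turned back into the PAN (it is not encryption)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()[:32]


def to_legacy_record(pan: str, amount_pence: int, key: bytes = DEMO_TOKEN_KEY) -> dict:
    """Build the record a legacy system stores: no full PAN, only the truncated
    form for display and the token as the join key."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {
        "card": truncate_pan(pan),
        "token": tokenise(pan, key),
        "amount_pence": amount_pence,
    }


def spend_by_token(records: list) -> dict:
    """Loyalty / loss-prevention style query that previously keyed on the PAN."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["token"]] += rec["amount_pence"]
    return dict(totals)


def candidates_without_key(pan_length: int) -> int:
    """How many PANs fit a first-six/last-four truncation: the masked digits give
    10**(length - 10) combinations and the Luhn check keeps one in ten. With an
    unkeyed hash stored next to the truncated value, this is the whole search
    space needed to recover the PAN, which is why the token above uses a key."""
    return 10 ** (pan_length - 10) // 10


# Constructed sample sales using well-known test card numbers, not real cards.
SAMPLE_SALES = [
    ("4111111111111111", 2599),
    ("5555555555554444", 1000),
    ("4111111111111111", 401),
]

if __name__ == "__main__":
    records = [to_legacy_record(pan, amount) for pan, amount in SAMPLE_SALES]
    for rec in records:
        print(rec)
    print(spend_by_token(records))
    print("16-digit candidates per truncated PAN:", candidates_without_key(16))
```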

Can P2PE reduce scope?

A P2PE solution has a number of benefits that help meet 12 key PCI DSS requirements:

1. Network security. All data will be encrypted on the PED prior to publication on the network via the point of sale (PoS). In addition, SSL can be used to secure the data packets on the network. Therefore network compliance needs are dramatically simplified. The requirement could be as simple as connecting your WAN to the 3rd party data centre.

2. Remove default passwords. This is greatly simplified as the only user accounts in the merchant environment which come within the scope of PCI DSS will be for systems outside of the payment process. What you choose to do in these areas should be best practice and should not be governed by PCI DSS.

3. Protect stored card holder data. All data which is in scope for PCI DSS, whether in-flight or at rest, will be encrypted at the start of the transaction in the PED in most P2PE solutions. Access to decrypt data will be subject to strong security and only provided on a need to know basis where the individuals have specific user accounts set up and appropriate access controls are in place. These controls should be provided through the managed payment PCI DSS data centre.

4. Encrypt transmission data. All data should be encrypted from the point of interaction (the PED) using a PA DSS certified application on a PCI PTS device. Additional network encryption may also occur from stores to the managed data centre using SSL. Any transactions which occur offline should also be encrypted and stored on the PED; this should simplify the need to keep PoS environments fully managed and maintained. Furthermore, the data at rest within the data centre should be held encrypted until it is necessary to submit the data to the acquirer for settlement.

5. Anti-virus and malware. Best business practice dictates that a strong branded solution should be used; however, the P2PE solution should simplify your requirements as the PoS will no longer have any card data that falls within scope of PCI DSS stored or transmitted through it.

6. Develop and maintain secure systems. The solution should be level one PCI DSS service provider certified. As such, this reduces the burden on the merchant. All applications which involve the processing or storage of card data should be certified under PA DSS, again simplifying the merchant's obligations. Your choice of payment terminals should ensure that they have the necessary PCI PTS certification. The solution should be built with PCI DSS compliance in mind to simplify the implications for merchants.

7. Restrict access. All access should be limited and subject to security. The topology should prevent the merchant from being classified as the key custodian, therefore ensuring that your compliance requirements are simplified. Access from service providers should be secured using PCI DSS best practice controls. The PED application should not allow access to card data and should be certified PA DSS. The PED is tamper proof and should be monitored so that potential malicious activities are prevented and dealt with proactively. Access to the data centres should be controlled, i.e. by invitation only. Remote access to any data should be via a secure web portal or secure application. All relevant networks should be scanned in line with PCI DSS recommendations.

8. Unique identification. The PA DSS application which is loaded onto the PED should not allow user access to the underlying operating environment. The base environment should have no concept of user accounts and therefore no maintenance is necessary. The application will only allow the operation of card payments to occur, and the PCI-PTS PED has a secure memory and is tamper proof. Even when fully integrated with your PoS, the PA-DSS application should not expose full PAN, sensitive authentication data or any other details which may compromise card data security. This will simplify your PCI DSS compliance. Access to card data should be limited, where user accounts are managed in line with PCI DSS. The service provider certification should simplify your compliance.

9. Restrict physical access. Data centre access is by invitation only. Restrictions for the merchant should be greatly simplified and limited to any device used by any trusted persons who can access the data using the portal function. The use of PED tethers or similar devices in store should ensure the physical security of the PEDs is in line with PCI DSS expectations.

10. Test and monitor access. Network scans at least every quarter, in line with PCI DSS, should be maintained, but the need for Penetration (PEN) testing may no longer be applicable given the PCI DSS and PA-DSS certification which a good P2PE solution should provide.

11. Test Security Systems and Processes. Service providers should confirm their approach and look for additional good practice in terms of ISO related certification. This demonstrates a commitment to investment in good practices and a commitment to acting responsibly with your data.

12. Maintain Policy that Addresses Information Security. The solution should dramatically reduce the burden on you, as the card data which relates to the store environment will only reside within the PED and/or the managed data centre. The retention of the data on the PED should be kept to the minimum, which in effect is the time taken to get the device online to the data centre. You should develop a policy for this, as this is best practice, and you should also ensure that you keep employees up to date on dealing with card data responsibly.

How P2PE can help reduce costs

The following table is index-based. All figures are calculated on the basis that 1.00 = the total year one cost of an in-house solution.

Solution area PCI readiness project PCI readiness project Managed service fee Anti-Virus/ Anti-Malware (AV/AM) Patch management Network changes Key management Two factor authentication Internal resourcing (initial) In-house Description/comment Project to deliver upgrades to include PA-DSS version(s) of software Changes to infrastructure/PoS build updates etc. Not applicable for as is Cost Index Level 2 merchant (mid-tier two retailer) In-house Managed service Managed service Description/comment Project to implement new managed payment solution (service setup costs and rollout management costs) Changes to infrastructure / PoS build updates etc. Monthly fees to cover the ongoing service delivery of the managed payment solution Per client licence Not required as PoS does not encrypt data (already encrypted on PED). Note: this is not best practice Solution implementation and ongoing (monthly) management and maintenance Not required as PoS does not encrypt data (already encrypted on PED). Note: this is not best practice IDS/IPS implementation Not required as DMZ not needed (data centre is in managed environment) Cost of resources to build key management routines and to implement changes accordingly Implementation of solution to ensure remote access security is in place Included within managed service costs Not required as PoS does not encrypt data (already encrypted on PED) and no data stored on merchant corporate network Up to 2 FTE for 9 months Estimated requirement 0.5 FTE for 9 months (probably less)

Solution area Log management File integrity In-house Description/comment Storage of logs and alerting Validation that logs are not interfered with Cost Index Level 2 merchant (mid-tier two retailer) In-house Managed service Managed service Description/comment Not necessary as merchant has no access to card data storage in data centre or to keys to decrypt offline transactions at PoS Not necessary as merchant has no access to card data storage in data centre or to keys to decrypt offline transactions at PoS Total year one Total year one Total ongoing Maintenance on above (assuming 20% maintenance) + ongoing FTE internal resource effort + ongoing service costs Managed service fees + internal resource Total cost over 5 years Total cost over 5 years

This analysis excludes any PED replacement programme, as this cost will impact most retailers in the UK in the next 18 months to two years. What the analysis does show is that for mid-tier retailers, the move to a managed payment solution may be more cost-effective than continuing to build and support in-house solutions, by as much as 40 per cent in year one and 55 per cent over five years.

Our analysis for larger (tier one) retailers suggests that they won't realise the same cost benefits. This is because the costs associated with in-house infrastructure changes have economies of scale. Conversely, there are typically no economies of scale associated with a higher number of PEDs and/or transactions in terms of the ongoing managed service fee.

This doesn't mean that implementing P2PE is not appropriate for tier one retailers. There is still much to gain from P2PE, as the ongoing overheads of maintaining the environment are reduced as a result of simplifying the merchant's PCI DSS response. Additionally, any P2PE solution should provide further advantages in terms of data security, so P2PE could be implemented as a basis for ongoing in-house card payment processing. From a tier one perspective, the real advantage of a managed service with P2PE is reduced risk; specifically access to data, internal skills and resourcing, and maintenance of environments.

Conclusion

Put simply, there is a case to move to P2PE without waiting for the PCI SSC guidance, provided you do your homework. The market has a number of maturing solutions available today which will provide the scope reduction that most retailers seek. Tie the change into your PED replacement programme to ensure there's some economy of scale for the change programme.

The financial case stacks up better for smaller retailers when a managed service is selected. This is because many of the tools needed to gain and retain PCI DSS require skills to implement, monitor, manage and maintain. There are also significant licence and maintenance fees associated with them. In addition, there is a need to be agile in small IT teams. At least two of the team will need to keep an eye on the various monitors and alerts which PCI DSS management dictates and to understand the controls which have been put in place.

For larger retailers the cost of any managed service is likely to be a harder sell from a financial perspective; but there is still a case to be made based upon IT skills requirements, risk mitigation and ease of ongoing support and PCI DSS certification.

You may not see any return on your investment against PCI DSS but, from our analysis, moving to a managed service which uses P2PE is the most effective way to de-risk and reduce scope, and, as it's a long-term relationship, finding a trusted partner is key.

About BT Expedite & Fresca

BT Expedite and BT Fresca together make up the retail solutions division of BT. Our solution set spans every area of retailing: planning, sourcing, merchandising, store solutions, sales analytics and CRM, plus network infrastructure, hardware, training and professional service expertise. We have a proven track record in managed services and strong, established supplier partnerships. As well as this, you'll be able to rely on our:

- retail, payments and compliance expertise
- extensive experience in estate management
- secure infrastructure, with PCI DSS certification and associated certification for Payment Card Industry PIN Transaction Security (PCI-PTS) and Payment Application Data Security Standard (PA-DSS)
- best of breed encryption methodology.

About the author

Kevin Burns has over 15 years' experience in retail IT, including time as a retailer. He's been with BT Expedite from the very beginning, becoming Solution Architect in 2008 with a focus on PCI and Payment Solutions. Prior to this he was a consultant, a role which built upon his experience as the Head of Store Implementations and Technical Consulting Manager. In his current role, Kevin works closely with many of the payment application providers and hardware vendors to ensure that BT Expedite keeps up to date with the latest technology enhancements and compliance requirements. He uses this expertise to help customers define and implement payment solutions which address both business requirements and the PCI DSS. Kevin graduated from Liverpool John Moores University with a BSc (Hons) in Technology Management.

To find out more about our payment services and how we can make meeting PCI standards easier for you, contact us on or visit

Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc's respective standard conditions of contract. Nothing in this publication forms any part of any contract. British Telecommunications plc. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: Designed by Westhill.co.uk PHME 62896


More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

PAYMENTS AS A SERVICE. Fully managed multi-channel card acceptance for all business environments. www.verifone.co.uk

PAYMENTS AS A SERVICE. Fully managed multi-channel card acceptance for all business environments. www.verifone.co.uk PAYMENTS AS A SERVICE Fully managed multi-channel card acceptance for all business environments www.verifone.co.uk Whether small or large, PAYware Ocius s multi-channel flexibility can transform your s

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

PCI PA-DSS Requirements. For hardware vendors

PCI PA-DSS Requirements. For hardware vendors PCI PA-DSS Requirements For hardware vendors PCI security services UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is world leader in advancing safety. Through

More information

Data Security Basics for Small Merchants

Data Security Basics for Small Merchants Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided

More information

Mobile Payment Security

Mobile Payment Security Mobile Payment Security Gill Woodcock 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness PCI Security Standards Suite

More information

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.

More information

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Executive summary The following information and guidance

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI

More information

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security What You Need to Know About PCI SSC 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness Expanding Global Representation

More information

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009 AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application

More information

VERIFONE PAYWARE SOLUTIONS

VERIFONE PAYWARE SOLUTIONS VERIFONE PAYWARE SOLUTIONS PAYMENTS ARE JUST THE BEGINNING. Supports multiple applications, systems, users and locations. PAYware Solutions With a wide range of card acceptance software solutions, VeriFone

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of

More information

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION Suresh Dadlani, ControlCase About Vietnam Google search 2 Population 86 Mn Urban Population 25 Mn, approx 30% -

More information

A Compliance Overview for the Payment Card Industry (PCI)

A Compliance Overview for the Payment Card Industry (PCI) A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This

More information

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise Foregenix Incident Response Handbook A comprehensive guide of what to do in the unfortunate event of a compromise Breadth of Expertise - You re in safe hands Foregenix is a global Information Security

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

IS YOUR CUSTOMERS PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper

IS YOUR CUSTOMERS PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper IS YOUR CUSTOMERS PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper A data breach has the potential to cost retailers millions in lost customers and sales. In this paper we discuss a number of possible

More information

P R O G R E S S I V E S O L U T I O N S

P R O G R E S S I V E S O L U T I O N S PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard

More information

Target Security Breach

Target Security Breach Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

More information

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc. Payment Methods The cost of doing business Michelle Powell - BASYS Processing, Inc. You ve got to spend money, to make money Major Industry Topics Industry Process Flow PCI DSS Compliance Risks of Non-Compliance

More information

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

PCI DSS: An Evolving Standard

PCI DSS: An Evolving Standard White Paper PCI DSS: An Evolving Standard PCI 3.0 and 3.1 Key Requirements Explained 2015 SecurityMetrics PCI DSS: An Evolving Standard 2 PCI DSS An Evolving Standard The Payment Card Industry Data Security

More information

The Relationship Between PCI, Encryption and Tokenization: What you need to know

The Relationship Between PCI, Encryption and Tokenization: What you need to know October 2014 The Relationship Between PCI, Encryption and Tokenization: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems,

More information

PCI: It Never Ends. Why?

PCI: It Never Ends. Why? PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance

More information

safe and sound processing online card payments securely

safe and sound processing online card payments securely safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade

More information

PCI Compliance. Reducing cost & risk in Credit Card Transactions for Contact Centres V1.0

PCI Compliance. Reducing cost & risk in Credit Card Transactions for Contact Centres V1.0 PCI Compliance Reducing cost & risk in Credit Card Transactions for Contact Centres V1.0 Contents Executive Summary 3 PCI DSS and the battle against card fraud Introduction 4 PCI DSS Requirements PCI DSS

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

How To Protect Visa Account Information

How To Protect Visa Account Information Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

How To Comply With The New Credit Card Chip And Pin Card Standards

How To Comply With The New Credit Card Chip And Pin Card Standards My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business

More information

MASTERCARD PAYMENT GATEWAY SERVICES

MASTERCARD PAYMENT GATEWAY SERVICES MASTERCARD PAYMENT GATEWAY SERVICES OVERVIEW MAKING PAYMENTS SAFE, SIMPLE & SMART What are MasterCard Payment Gateway Services? Our Solutions Making payments safe, simple & smart for your customers, for

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

We make cards and payments work for people as a part of everyday life. We bring information to life

We make cards and payments work for people as a part of everyday life. We bring information to life We make cards and payments work for people as a part of everyday life We bring information to life 2 EVRY is a leading IT company in the Nordic region. Through advice, technology and solutions, EVRY brings

More information

Customer Card Data Security and You

Customer Card Data Security and You Customer Card Data Security and You 01 What Is Global Fortress? Global Fortress is designed as a first line defence to provide you with the resources to help you in your fight against fraudsters. It simplifies

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT PCI Compliance 101: Payment Card Industry Basics Data Security Standards Compliance Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,

More information

Credit Card Processing Overview

Credit Card Processing Overview CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

Understanding the Value of Tokens

Understanding the Value of Tokens Understanding the Value of Tokens 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective owners. Introduction Credit

More information

Payment Security Account Data Compromise (ADC)

Payment Security Account Data Compromise (ADC) Payment Security Account Data Compromise (ADC) 10 th July 2014 Michael Christodoulides & Louise Hunt All information correct at time of presentation Introductions Barclaycard has become increasingly aware

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

PCI DSS 3.1 and the Impact on Wi-Fi Security

PCI DSS 3.1 and the Impact on Wi-Fi Security PCI DSS 3.1 and the Impact on Wi-Fi Security 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2015 AirTight Networks, Inc. All rights reserved. Table of Contents PCI

More information

The state of PCI DSS compliance. Irish Payments Services Organisation PCI DSS Explained

The state of PCI DSS compliance. Irish Payments Services Organisation PCI DSS Explained Pro-active Enterprise Security The state of PCI DSS compliance Global, European and Irish perspectives Irish Payments Services Organisation PCI DSS Explained Dublin 2 nd September 2010 Prepared by Mathieu

More information

The PCI Security Standards Council. Bob Russo June 2011

The PCI Security Standards Council. Bob Russo June 2011 The PCI Security Standards Council Bob Russo June 2011 What are the threats to card data? How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure?

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

A HOLISTIC APPROACH TO MERCHANT PAYMENT SECURITY. 2016, Vantiv, LLC. All rights reserved.

A HOLISTIC APPROACH TO MERCHANT PAYMENT SECURITY. 2016, Vantiv, LLC. All rights reserved. A HOLISTIC APPROACH TO MERCHANT PAYMENT SECURITY A HOLISTIC APPROACH TO MERCHANT PAYMENT SECURITY WHY DEALERS AND ACQUIRERS ARE PIVOTAL TO SECURING THE MERCHANT PAYMENT ENVIRONMENT. For the past fifteen

More information

Retail Business Technology Expo 2011

Retail Business Technology Expo 2011 Retail Business Technology Expo 2011 Press Pack Stand # 212 March 16-17, 2011 For further information please contact: Clare Cockroft PR Manager Tel: +44 (0)114 292 6416 ccockroft@tnsi.com ANNOUNCES PLANS

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

PCI Compliance Training

PCI Compliance Training PCI Compliance Training 1 PCI Training Topics Applicable PCI Standards Compliance Requirements Compliance of Unitec products Requirements for compliant installation and use of products 2 PCI Standards

More information