From disaster recovery to data security: Sungard AS goes big on PCI
In its role as a security compliance and disaster recovery firm, Sungard Availability Services has seen merchants warming up to the Payment Card Industry data security standards.
Merchants have long objected to the PCI standard as something that financially burdens them with securing a payment system that they did not invent. If companies choose not to comply — or chose to comply but were found to have fallen short — they risk hefty fines for opening the door to data thieves.
That said, flat-out resistance to PCI compliance has been waning over the past two years, as more merchants are seeing the value of improving their security, said Shawn Burke, global chief security officer for Wayne, Pa.-based Sungard AS.
"For a long time, Sungard AS offered disaster coverage; it was typically helping network recovery from hurricanes and natural disasters," Burke said. "But now it is all about protection from security breaches, and that is very much in the spotlight."
FIS acquired Sungard Data Systems in 2015, but Sungard AS remained its own company. Sungard AS has moved much of its focus to helping companies stay PCI compliant and providing services through its own cloud-based, virtual-systems platform and a public cloud through Amazon Web Services.
Regardless of a growing cybersecurity and malware threat that necessitates far more attention to PCI compliance, merchants have historically stumbled when trying to stay abreast of PCI standards. They may become compliant, but with a quickly changing threat landscape often cannot stay that way.
Almost half of companies globally are not meeting PCI standards, and many continue to struggle to keep up with the standards, according to the 2018 Verizon Payment Security report.
"The great thing about PCI is that the council itself recognizes the ever-changing threat landscape and continues to evolve the requirements," Burke said. "In that regard, they are not watered down."
When the PCI Security Standards Council set its first compliance dates in 2004 and 2005, it operated through various working groups that helped develop standards. Those groups could take as long as a year to research and assess the need for various standards or changes.
In the digital age, that has changed, and PCI can alert the security industry and establish new standards or provide recommendations and guidelines as new cyber challenges arise.
With that backdrop, Sungard AS sees many companies struggling with the complexity of data security and the in-house competency and organization needed to stay on top of network safeguards, Burke said.
Because its cloud-based platforms are PCI certified, Sungard AS says it can reduce the complexity and cost of the certification process for its customers in that they would only need to certify their applications.
In making the PCI-compliant Amazon Web Services model of security available to its customers, Sungard AS brings other certified network and firewall configurations to the table that can save many steps for the client and keep them abreast of any changes in standards.
"The difficulty in maintaining PCI compliance comes from the sheer breadth of factors that merchants need to actively manage, many of which can change in an instant," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research. "Vigilance is the name of the game."
But Sungard AS or any other company seeking to help merchants fully understand PCI compliance will run into some obstacles, Pascual said.
"Unfortunately, it comes at a cost that I don't believe many merchants are willing to bear," Pascual added. "Constantly monitoring, assessing, and enforcing internal compliance is part and parcel for banks, but there is a much longer tail of smaller merchants — and enforcement among banks is much more stringent."
Some of that sort of resistance falls under the "competency" category for Sungard AS. Essentially, the company believes those who argue and push back against PCI-DSS would be far better served when leveraging and embracing the standards.
"It really starts with not being arrogant and instead accepting the PCI advice and guidance," Burke said. "There is a lot of great advice out there, and specific examples on how PCI can be implemented in your business-as-usual processes while integrating it with the overall security strategy."
This all means attention to detail as well. Sungard AS ensures a company has security standards in place around the infrastructure, network layer, application layer and in any documentation that is stored.
The new General Data Protection Regulation in Europe is already helping merchants understand a key facet of PCI compliance — knowing where data is stored, how it moves along the network and how long it is held in certain places. In the U.S., California has introduced a state law regarding data protection to reflect the spirit and transparency of GDPR.
"GDPR makes you know where your data is and that is so helpful," Burke said. "It makes it easier to stand back and assess all of the controls when you know where the personal data is stored and where the cardholder data is stored."
As much as anything else, a company has to want to make data security a top priority and establish a climate that reflects that, Burke added.
"A key thing is leadership in management as well," Burke said. "A lot of companies get it wrong right out of the gate because they don't understand the scope and can't interpret the requirements and communicate it properly across all employees."
Without such a culture, some employees in the company act surprised when a security breach occurs and determining what could have prevented it, Burke added. "They will say, 'I didn't know I was supposed to do that.' "