The PCI Council's directions for the Payment Card Industry Data Security Standard are expanding as mobile commerce grows, and when combined with local differences in diverse markets, the new guidance statements can be a compliance challenge for issuers that operate in multiple nations.
The use of compliance-as-a-service, or CaaS, to provide managed monitoring and compliance updates to keep up with changes is an emerging option for large card issuers. Societe Generale is deploying CaaS to aid PCI compliance for nearly three dozen subsidiaries scattered throughout 30 countries.
"A bank such as Societe Generale would have a range of subsidiaries across the globe, and managing the process of compliance can turn into a challenge when approaching the granular level required," says Kishor Vaswani, CEO of ControlCase, which provides hosted PCI compliance tools to Societe Generale and other payments industry participants.
PCI's guidance is in a near-constant state of change to address how new developments in payments technology, like Near Field Communication, affect data security and protection. For example, posts on the PCI DSS compliance blog covered myriad topics in January, including Secure Reading and Exchange of Data (SRED refers to the point of interaction where cardholder data is captured, a key part of protecting mobile and other digital payments); dealing with legacy cardholder data when upgrading processing systems; ensuring customer privacy during PIN entry; as well as tips on securing point of interaction devices. The blog also covered new guidance for technology that's delivered over the cloud, a low-cost option for many emerging mobile payments solutions.
For multinationals, PCI certification can be costly. "The PCI standard applies to all organizations that hold, process or exchange cardholder information from any card branded with the logo of one of the card brands," says Philip Philliou, a payments consultant.
While the PCI Standards Council argues that its new standards can reduce data breach exposure and costs from breaches, they can also complicate compliance.
Similar to software-as-a-service, where developers provide hosted technologies that are accessed from Web browsers or dedicated smart client applications, CaaS is a mix of onsite and offsite managed services and software downloads that address different components of PCI compliance work.
The services also include approved scanning vendor, or ASV, scans, a check of a company's network for vulnerabilities that could affect PCI compliance, as well as certifications, file integrity monitoring, penetration testing, internal vulnerability assessments and checks to ensure compliance with internal policies and procedures.
The technology is designed to reduce the cost of ownership and the IT resources that a card issuer needs to perform compliance checks on multiple vendors across multiple countries and, ultimately, to provide PCI compliance assurance to its merchants and reduced PCI scope, the partial relief from annual PCI audits that can be obtained by demonstrating adherence to certain data protection and security standards.
"An example would be the PCI compliance questionnaires that go out to subsidiaries [to distribute to vendors]. There are 300 or 400 different requirements that may need to be checked across different subsidiaries. We're able to monitor and change those forms as required," Vaswani says.
Other providers of PCI compliance services include eGestalt, which sells SecureGRC, a cloud-based system that provides tracking and management of external vendors and digital questionnaire displays to avoid manual entry.
Also, merchant processors such as First Data, Global Payments (which is itself recovering from a recent data breach), EPX and Elavon can provide encryption and tokenization with every transaction, Philliou says. "The merchant processor will go a long way in helping the multinational reduce PCI cost," he says.