PCI turns its attention to bigger breach targets

Register now

The Payment Card Industry data security standard applies to organizations of all sizes, but has often been seen as an intro to data security for small-business owners who know more about cooking burgers than securing data.

But of course, it's not the corner burger shop that makes the most headlines when it suffers a breach. The PCI council knows that fraudsters put considerable effort into attacking the data gold mines possessed by large organizations.

To address that, the PCI council has published an information guide for large organizations to help them more easily assess and maintain PCI compliance and stay aware of common attack points for criminals.

The document was produced through the 2019 Special Interest Group, whose members share best practices gleaned from experience in managing data security standards compliance assessments.

"Collaboration is central to the council's mission," Lance Johnson, executive director of the PCI council, said in a statement to the media. "This collaboration happens when the payments industry is involved in participating in the work we are doing … it takes organizations around the world lending their input and perspectives to the standards development process."

As organizations get larger, they become more interconnected and complex, with multiple relationships with internal business departments and third parties. At times, organizations struggle to keep up with the pace of their own change — and PCI DSS assessors have seen that up close.

The information guide provides steps to control security measures during that type of expansion, as well as offering suggestions on a range of business considerations. Those would include the roles, responsibilities and ownership of PCI DSS functions; sustaining compliance; mergers and acquisitions guidelines; managing acquirers and payment channels; education and awareness among staff; systems management related to PCI DSS compliance; multiple audits and assessments; and understanding the laws and regulations.

"It's easy to get lost in the forest when dealing with compliance of a large, complex organization," said Gary Glover, vice president of assessments for Security Metrics and a special interest group contributor.

The guide provides common ground to start from and addresses some of the business situations that are common to large organization compliance efforts, Glover added.

"Not everyone can be an expert on everything," he said. "Working in a special interest group exposes you to a group of professionals with a variety of backgrounds to produce a document that provides direction in so many areas."

In acknowledging that different business organizations of various sizes may view the word "large" as somewhat subjective, PCI also offers its views on how a large organization can be defined.

Factors to consider would include the number of physical locations, payment channels, payment points of interaction, employees and devices across the company; the overall number of continents, countries, cities and locations in which the company conducts business; the number and complexity of online or internet-based services; and having a large volume or high value of payment card transactions.

"Large organizations have many challenges, but the primary challenge is a people one," said Lacey Johnson, senior technical program manager at Akamai Technologies and a special interest group contributor.

In Johnson's view, a few key questions have to be answered: "How do you determine ownership and who is responsible for what part of the PCI story? Also, what do they need to know about payment card security and what don't they need to know?"

For reprint and licensing requests for this article, click here.
Data breaches Payment fraud PCI Risk management Merchant