Why compliance, you might ask?
Why do we need compliance, and what good does compliance do?
I’ll define “compliance” in terms of obeying a request, a law, or, in particular, a standard. Obviously there are usually penalties if you are not compliant.
- If you do not comply with someone’s request, that person might be angry with you;
- If you do not comply with the speed limit sign, a police officer might observe your non-compliance and either write you a ticket with a fine to pay or, in a bad case, remove you from your car and haul you off to jail;
- If you do not comply with a standard, depending on which standard, there are a variety of penalties, ranging from fines and mandated corrective actions to delisting your company from the stock exchange and/or imprisoning your corporate officers.
I am a Certified Information Systems Auditor (a “CISA”, certified by ISACA, see http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx), so I am most interested in the third example. In the next few posts I’ll comment on three fairly well known technology-related compliance standards, why we need them, and how they work:
- Payment Card Industry Data Security Standard (“PCI-DSS”).
- Sarbanes–Oxley Act of 2002 (“SOX”)
- Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the American Recovery and Reinvestment Act of 2009 (“ARRA”)
PCI-DSS: Securing Your Wallet
If you have a credit card or a debit card, it probably carries one of the following companies’ symbols: American Express, Discover, JCB International, MasterCard or Visa. If so, then every time and every place you use that card, the merchant accepting it must meet the requirements of the Payment Card Industry Security Standards Council, most often by demonstrating compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”, usually pronounced by saying each letter).
The purpose of PCI-DSS is to enforce a minimum set of security controls that protect the confidentiality and integrity of your payment card (credit or debit card) information wherever a merchant stores, processes or transmits it. We occasionally hear of payment card breaches, either at the personal level, where someone’s card information is stolen or used fraudulently, or at the company level, where many people’s card information has been taken at once. Now think about how many times a month, and at how many places a month, you use your payment card, and compare that with how often you hear of a breach. I suspect you hear of about one payment card breach a year, versus the probably thirty times a month that you use a payment card, multiplied by the hundreds of thousands of people using their cards the same way. My point is that the number of breaches is very low compared with the number of exposure opportunities. Ever wonder why that is?
Have you ever used a credit card (or a debit card) on the web to pay for something? Most people have, typically for something on Amazon or by using PayPal. Sometimes we pay directly through a company’s website. Did you ever wonder how your card details are kept secure in your browser and then behind the scenes as your payment is processed? Compliance with PCI-DSS is a large part of the answer: the standard requires, among other things, that card data be encrypted when sent over public networks, that it be stored only when there is a business need and then protected, and that the sensitive authentication data (such as the full magnetic stripe contents and the security code) never be stored after authorization. Many web merchants also reduce their exposure by handing the payment page off to a PCI-compliant payment processor, so the card number never touches the merchant’s own systems at all.
The Payment Card Industry Security Standards Council maintains the standard, which consists of twelve high-level requirements broken into over two hundred and fifty (250) detailed sub-requirements and testing procedures, but the Council does not enforce it. Enforcement is handled by the payment brands, acting through the acquiring bank that lets the merchant accept their cards, and compliance with PCI-DSS is a condition of that merchant agreement. The enforcement is pretty simple: either comply with PCI-DSS or do not transact business using that brand’s payment cards. If there is a breach, then the bottom line is also pretty simple: either stop accepting the brand’s payment cards (and what merchant today can tell customers to pay only by cash or check?) or meet all of the brand’s demands. These demands sometimes include large monetary fines and other expenses, such as buying credit monitoring for all the affected customers and paying a qualified third party to assess the merchant’s PCI-DSS compliance (which of course has to be a satisfactory assessment, or else the merchant stops accepting the brand’s payment cards).
Payment card use is ubiquitous in society today, and the sheer number of systems that handle card data across almost everything we do and purchase makes those systems an attractive target for attackers. PCI-DSS compliance protects your credit card (and debit card and gift card) and your peace of mind.
This is the first of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years’ experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.