Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators:
Trends and Implications
Vesta Corporation
About This Paper
There have been numerous data breaches both announced and unannounced over the past 24 months and, in response, Vesta invited 16 wireless operators in the U.S. and Europe to participate in a survey addressing the relationship between mobile operators and PCI DSS compliance for electronic payments.
Through the responses of these Tier 1 and Tier 2 telecom providers, Vesta’s research reveals how PCI DSS compliance most impacts operators, how operators are managing compliance, and best practice solutions for maintaining PCI standards at the lowest possible cost.
Executive Summary
OVERVIEW
• Consumers continue to shift from the use of cash and checks to electronic payment methods. Today, less than 37% of all payments are made using cash or check.
• Following this trend, mobile subscribers are embracing electronic payment channels that allow them to pay for monthly bills, top-ups, handsets, accessories and content with a debit or credit card.
• The PCI Data Security Standard (PCI DSS) exists to maintain the security of card data used in electronic transactions, and has some unique implications for mobile operators.
• While electronic payments allow operators to accelerate receipts and increase convenience for subscribers, these channels require the implementation of processes that ensure the security of cardholder data that is transferred or stored. There is such a thing as bad PR and it occurs when your name is associated with a data breach.
• This whitepaper was created to help mobile operators understand the impact of PCI on their business.
Included within are the results of a survey on how operators in the US and Europe are addressing PCI DSS compliance.
FINDINGS
According to the survey:
• 25% of respondents are not currently PCI compliant.
• Over one-third of respondents did not know that penalties could be levied by the card associations for non-compliance.
• The average cost of initial PCI compliance was approximately $700,000 USD.
• The average annual cost of maintaining PCI compliance was over $1,390,000 USD.
• The greatest risk of non-compliance was the loss of consumer confidence for an operator.
CONCLUSION
As the importance of cardholder security continues to increase, PCI compliance must become an integral element of all operator operations to protect sensitive cardholder data and maintain consumer confidence in their brand. The survey data shows that there is room for improvement in the adoption and education of PCI-DSS in the operator community. In addition, given the high cost for operators to obtain and maintain PCI compliance, there is an opportunity for operators to look at alternate approaches, such as outsourcing, to address PCI.
Introduction
Around the world, consumer migration from traditional cash and check payments to electronic payment methods (credit or debit or bank transfer) continues to grow. A 2009 survey discovered that less than 37% of all payments are now made using cash or check [1]. While there are many benefits to this shift, there are also significant new issues. As customers adopt electronic channels, there is an expectation of security for the cardholder’s identity and payment information. With all the recent data thefts and security breaches, this expectation is becoming a significant issue.
To ensure the protection of consumer information, the Payment Card Industry (PCI) has developed a set of data security standards (DSS) that merchants and financial service providers must maintain in order to be able to process debit and credit cards. While PCI does not manage compliance programs or impose consequences for non-compliance, individual card associations may initiate financial or operational consequences to businesses that are not compliant. The framework for compliance is founded in merit — providing a robust card data security system that emphasizes the need to prevent security incidents from occurring.
Should there be a failure, PCI best practices facilitate the detection and appropriate actions necessary to resolve any such incidents as quickly as possible.
Understanding PCI Compliance
In its most basic form, PCI compliance can be broken down into three steps. Those accepting payment cards must:
1. Assess: Identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyze these for vulnerabilities that could expose cardholder data.
2. Remediate: Fix vulnerabilities and do not store cardholder data unless absolutely necessary.
3. Report: Compile and submit remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands used by the operator.
Merchants can validate compliance with the PCI DSS internally or externally depending on the volume of data handled.
[1] 2009 Consumer Payment Choice Survey, Federal Reserve Bank of Boston
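The "Assess" step above begins with locating cardholder data in places it should not be, such as application logs written by the agent desktop, IVR or retail systems. The following is an added example, not code from the paper or from Vesta: a small discovery pass that scans constructed sample log lines for 13-19 digit runs that pass the Luhn check, which is how PAN-discovery tools flag candidate card numbers, and reports each hit in the masked form allowed for display by Requirement 3 (first six and last four digits) so the finding itself does not become stored cardholder data. The card numbers in the sample are the public Visa and Mastercard test numbers.

```python
"""Added example (not from the paper): cardholder-data discovery for the
'Assess' step. Scans constructed log lines for Luhn-valid 13-19 digit runs
and reports them masked."""
import re
from typing import List, Tuple

# A candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string satisfies the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form permitted by PCI DSS Requirement 3: first six, last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Masked candidate PANs in a piece of text (Luhn-valid runs only)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, masked PANs) for every line that holds a candidate PAN."""
    report = []
    for number, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report.append((number, pans))
    return report


# Constructed sample lines from the channels the paper lists (IVR, agent
# desktop, Web, retail POS). Line 3 holds a 13-digit order number that
# fails the Luhn check; only lines 2 and 4 leak a PAN.
SAMPLE_LOG = [
    "2011-03-01 10:02:11 ivr payment ok msisdn=+15550100 token=tok_8f2a",
    "2011-03-01 10:02:15 agent-desktop DEBUG card=4111 1111 1111 1111 exp=12/13",
    "2011-03-01 10:03:40 web order 1234567890123 shipped",
    "2011-03-01 10:04:02 retail-pos raw pan 5555555555554444 cvv=***",
]

if __name__ == "__main__":
    for line_no, pans in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: cardholder data found {pans}")
```

The Luhn filter is what keeps order numbers, MSISDNs and timestamps out of the report; a scan that matches on digit count alone produces far more noise than a review team can work through. Anything this pass flags is a remediation item under the second step: the log field should be removed or masked at the source, not just cleaned up after the fact.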
ACHIEVING COMPLIANCE
PCI DSS requires 12 points of compliance across six areas as outlined in the table below. All merchants who use card data in their transactions must comply with the PCI DSS on an ongoing basis. As PCI is recognized by all five global payment brands, compliance is crucial to every merchant worldwide. Penalties issued by the card associations for non-compliance can range from infraction fines to suspension or, in the case of persistent offenders, revocation of the ability to accept card payments.
AREA REQUIREMENT
BUILD AND MAINTAIN A SECURE NETWORK
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
PROTECT CARDHOLDER DATA
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
IMPLEMENT STRONG ACCESS CONTROL MEASURES
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
REGULARLY MONITOR AND TEST NETWORKS
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
MAINTAIN AN INFORMATION SECURITY POLICY
12. Maintain a policy that addresses information security.
Source: PCI Security Standards Council
THE EVOLUTION OF THE PCI STANDARD
The PCI standard continues to evolve with the introduction of version 2.0 on January 1, 2011. Significant changes in v2.0 include clarification of the extent to which PCI DSS applies to virtualization, and a requirement that each vulnerability be evaluated against a risk assessment and acted upon accordingly.
Assessments can be made against versions 1.2 or 2.0 through December 31, 2011. Thereafter, all assessments must be made against version 2.0.
Mobile Operators and PCI Compliance
While many of the challenges that face other merchants accepting payment cards also apply to mobile operators, there are some unique implications as well. Operators typically offer a wider and more complex assortment of payment channels than typical merchants. Whether an operator accepts payments through the Web, IVR, live agent, SMS or handset application, each input channel has unique requirements and must be fully PCI compliant. This can be even more complex in the live agent environment, as there are PCI requirements not just for the agent and the input screens, but also for recorded calls where payment information is captured during the course of a call (standard practice for many operators).
Operator-issued smartphone applications that enable payment and self-care functions are becoming increasingly common, and they present another unique challenge for operators. Because the software behind these apps resides on a device (as opposed to being powered by a pure server-side solution), handset applications are required to be certified under PA-DSS (the Payment Application Data Security Standard), a specific set of guidelines developed by the PCI. This process was originally developed for software embedded in point-of-sale terminals, and the certification process can be costly and time consuming. In addition, the PA-DSS process may need to be repeated if changes are made to the application over time.
Ideally, every operator would be 100% PCI compliant regardless of channel. However, given the resource constraints faced by many operators today, payment data security may not immediately be considered a top priority. And since achieving initial PCI compliance can take between three months and two years, the prospect of implementing a PCI program can be daunting and expensive.
Survey Results – The PCI DSS Landscape
How are operators addressing PCI compliance? What are the financial and head count impacts of becoming and maintaining compliance? Vesta’s survey of mobile operators in the US and Europe revealed insight into how the industry is navigating through PCI compliance and the PCI DSS landscape.
RESOURCES AND COSTS
Our survey revealed:
• 25% stated that their firm was not currently PCI compliant.
• Over one-third of respondents did not know that penalties could be levied by the card associations for non-compliance.
• Over 50% were spending over $1,390,000 USD annually in PCI compliance maintenance costs.
• 69% of respondents stated that more than three people in their organization work full time on maintaining PCI compliance.
• 56% felt that the greatest impact of a security lapse or data breach to their business would be a loss of customer confidence.
• Over a third of respondents maintain an internal security group for PCI compliance.
• Under a quarter of respondents maintain PCI DSS via cross-functional teams that receive direction at group level with local implementation.
• All respondents regard the touchpoints of live agent, Web and retail as very important to the success of their organization’s PCI compliance.
Our research also indicates that operator resources are being diverted from other projects to meet the demands of PCI DSS. Indeed, from software design and hardware and network architecture to public policy and customer marketing activity, there is no area of a mobile operator’s business that is not affected by PCI DSS.
Options for PCI Compliance
As electronic payment channels continue to evolve, PCI compliance will become even more crucial to the success of operators. PCI DSS should be viewed not only as a mandatory demand by the card associations but as a significant asset in the sales and marketing process — differentiating an operator by responding to consumer demand for heightened data security. Operators have several options for maintaining PCI compliance and/or reducing their PCI scope: via internal development and auditing, payment tokenization and full payment outsourcing.
[Chart: Should a breach occur, what do you see as the greatest risk factor for your company? Categories: Loss of customer confidence (56%, as stated in the findings above), Lost sales and revenue, Terminate payment card acceptance, Other. The remaining values shown are 25%, 13% and 6%; the extracted chart does not preserve which of these belongs to which category.]
[Chart: Is your company currently PCI compliant? Yes 75%, No 25%.]
[Chart: How many people work full time on PCI compliance in your organization? Categories: 1-2, 3-5, 6-8, 9-10, 11+, NA. Values shown are 31%, 6%, 19%, 12%, 19% and 13%; the extracted chart does not preserve which value belongs to which category.]
INTERNAL DEVELOPMENT AND AUDITING
Most operators interviewed are attempting to solve their PCI issues in-house, relying on significant financial, technical and human resources. While this approach gives the operator more hands-on control over the payment systems and PCI auditing process, our survey results indicate that the cost of compliance can soon become prohibitive to establish and maintain.
PAYMENT TOKENIZATION
An alternate approach to compliance utilizes payment “tokens”. This method meets 80% of the PCI burden while offering a best-in-class solution that ensures that no data leaks or breaches occur. The system works by exchanging cardholder data entered into a customer database for a unique token that is linked to the customer’s card information. The token is then stored in the merchant’s receiving system while the actual cardholder data is stored with a third-party vendor. All information is encrypted to further ensure security.
This solution frees an operator from the need to implement encryption or achieve compliance, at a fraction of the cost of a custom PCI solution. Most tokenization models are multi-channel and can be deployed across live operator, Web, IVR and retail point-of-sale touch points.
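The exchange described above, as an added example that is not Vesta's product or code. Two roles are assumed: CardVault stands in for the third-party token provider, which keeps the PAN encrypted under its own key and indexes it by a random token; OperatorBilling stands in for the operator's receiving system, which stores only the token and a masked display value and charges by handing the token back to the vault, so the PAN never enters the operator's records. The vault's at-rest encryption is an illustrative encrypt-then-MAC construction built from HMAC-SHA256 so that the block runs with the standard library alone; a real vault would use a vetted AEAD such as AES-GCM with keys held in an HSM. One caveat a practitioner should keep in mind: the scope reduction only covers systems that never see the raw PAN, so the point of capture (agent desktop, IVR, web form) stays in scope unless it delivers the PAN straight to the vault.

```python
"""Added example (not from the paper or from Vesta): tokenization with an
assumed third-party vault and an assumed operator billing system."""
import hashlib
import hmac
import secrets
from typing import Dict


class CardVault:
    """Assumed third-party vault: PAN stored encrypted, looked up by token."""

    def __init__(self, master_key: bytes) -> None:
        # Separate encryption and MAC keys derived from one master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._records: Dict[str, bytes] = {}

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        """Counter-mode keystream from HMAC-SHA256 (illustrative, not AES)."""
        out, ctr = b"", 0
        while len(out) < n:
            block = nonce + ctr.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, plaintext: bytes) -> bytes:
        """nonce || ciphertext || tag (encrypt-then-MAC)."""
        nonce = secrets.token_bytes(16)
        stream = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("vault record failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for an opaque token that is random, not derived from the PAN."""
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = self._seal(pan.encode())
        return token

    def authorize(self, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault; the card-network call is simulated."""
        pan = self._open(self._records[token]).decode()
        return {"approved": amount_cents > 0, "last4": pan[-4:], "amount_cents": amount_cents}


def mask_pan(pan: str) -> str:
    """PCI DSS Requirement 3 display form: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class OperatorBilling:
    """Assumed operator receiving system: holds tokens and masked values, never PANs."""

    def __init__(self, vault: CardVault) -> None:
        self._vault = vault
        self.records: Dict[str, dict] = {}

    def store_card(self, subscriber: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self.records[subscriber] = {"token": token, "display": mask_pan(pan)}
        return token

    def pay_bill(self, subscriber: str, amount_cents: int) -> dict:
        return self._vault.authorize(self.records[subscriber]["token"], amount_cents)


def demo(pan: str = "4111111111111111") -> dict:
    """Run the flow with a public test PAN and report what each side ends up holding."""
    vault = CardVault(secrets.token_bytes(32))
    billing = OperatorBilling(vault)
    token = billing.store_card("sub-001", pan)
    result = billing.pay_bill("sub-001", 4999)
    operator_side = repr(billing.records)
    # A modified vault record must be rejected, not silently decrypted.
    blob = bytearray(vault._records[token])
    blob[20] ^= 0x01
    vault._records[token] = bytes(blob)
    try:
        vault.authorize(token, 1)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"token": token, "pan_in_operator_records": pan in operator_side,
            "approved": result["approved"], "last4": result["last4"],
            "display": billing.records["sub-001"]["display"],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The property that matters for scope is visible in demo(): the operator's records contain a random token and a masked value, and a compromise of the billing database yields nothing a card network would accept. Because the token is generated with secrets rather than derived from the PAN (no hash, no format-preserving transform), it cannot be reversed or brute-forced against a list of card numbers.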
FULL PAYMENTS OUTSOURCING
Operators can also fully eliminate the risk and costs associated with PCI compliance by outsourcing the entire payment process to a third-party payments company. These companies manage the entire payment experience from start to finish, including hosting the customer input channels and applications, managing fraud, processing payments and settling to the operator billing platform and financial institutions. This approach allows the operator to become compliant much faster, and completely eliminates PCI scope for the operator. In addition, the responsibility to conform to ever-changing PCI standards rests with the vendor, not the operator.
Conclusion
It is critical for operators that are not yet PCI compliant to take the appropriate measures to ensure the security of their customers’ sensitive cardholder data and achieve PCI compliance. Regardless of the option they choose, becoming PCI compliant will ensure the best customer experience, eliminate the risk of fines and protect their brand and customer confidence. For operators who have already achieved compliance through an in-house solution, outsourcing should be considered as a means to free up the costs associated with this resource-intensive endeavour.
About Vesta
Headquartered in Portland, Oregon, with operations in Europe and China, Vesta has been a pioneer and worldwide leader in electronic payment solutions since 1995. Vesta offers a full suite of payment services that can reduce and eliminate PCI scope and costs for wireless operators. Vesta has established long-term, successful relationships with leading telecommunications and financial companies including AT&T, Boost Mobile, Bank of China, Bank of Ireland, Chase Paymentech, China Mobile, China Telecom, Cricket Communications, Green Dot, Metavante, NetSpend, O2, Sprint, T-Mobile, Verizon, and Vodafone.
For complete information on PCI Security Standards, self-assessment information and guidelines, visit www.pcisecuritystandards.org. For information on Vesta’s PCI compliance solutions, visit Vesta at www.trustvesta.com or email [email protected]