Month: May 2016

What Is a QSA?

Since the Payment Card Industry Data Security Standard was established back in 2004, PCI DSS has required financial service providers and large merchants to use QSAs to carry out onsite assessments of compliance and security. QSA stands for Qualified Security Assessor; it is a designation awarded to individuals by the PCI Security Standards Council, which finds them qualified to perform PCI assessments and consulting services.

Recently, the PCI DSS program has expanded its guidelines for training QSAs, among other advances. Still, QSAs and the services they provide vary a great deal: assessors differ in thoroughness, methodology, technical skill and other areas.

The PCI DSS V2.0

PCI DSS v2.0, released on 30th October, includes a number of clarifications and further areas of guidance for assessments. The new version states that the first step of any PCI DSS assessment is to define the scope of the assessment by clearly mapping the locations and flows of cardholder data within the system.

Many organizations are not aware of every location where cardholder data resides in their systems. To carry out those assessments, a QSA must understand application data handling, network architecture, operating system security, storage and database technology, and other business and IT functions.

Virtualization Technology

New guidance has also been added to PCI DSS v2.0 permitting the use of virtualization technologies and explaining how to assess them. As many organizations look to achieve cost savings through application and server virtualization, QSAs must understand this technology and how it differs from the traditional client/server systems they are used to assessing.

Through virtualization, numerous server instances can be created and run on a single physical system. Many QSAs have considered this non-compliant in the past. PCI DSS v2.0 Section 2.2.1 permits the use of virtualization, but makes it clear that only one function may run on a single virtual server: one virtual machine runs database services, for example, while another runs web services. So it is important for QSAs to know about virtualization-specific controls, virtual network segmentation and the IT controls that apply to virtualization platforms.
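As an added illustration (not code from the original post), the Python script below checks a constructed virtual-server inventory against the one-function-per-virtual-server rule from Section 2.2.1. The service-to-function mapping and the list of supporting services it ignores are assumptions made for the example, not a PCI list.

```python
"""Check a virtual-server inventory for servers running more than one function
(PCI DSS v2.0 Section 2.2.1). Inventory and mappings are constructed examples."""

# Assumed mapping from a listening service to the server function it implements.
PRIMARY_FUNCTIONS = {
    "nginx": "web", "apache": "web", "iis": "web",
    "mysql": "database", "postgres": "database", "mssql": "database",
    "bind": "dns", "postfix": "mail", "dovecot": "mail",
}
# Assumed supporting services that belong on any server and do not count as a function.
SUPPORTING = {"sshd", "ntpd", "rsyslog", "ossec-agent", "snmpd"}

# Constructed sample inventory: one record per virtual server.
INVENTORY = [
    {"host": "web-01", "segment": "dmz", "services": ["nginx", "sshd", "ntpd"]},
    {"host": "db-01", "segment": "cde", "services": ["postgres", "sshd", "ossec-agent"]},
    {"host": "app-legacy", "segment": "cde", "services": ["apache", "mysql", "sshd"]},
    {"host": "util-01", "segment": "cde", "services": ["bind", "postfix", "sshd"]},
    {"host": "mon-01", "segment": "mgmt", "services": ["snmpd", "rsyslog", "zabbix"]},
]


def classify(services):
    """Return (set of functions the server performs, set of services not in either list)."""
    functions, unknown = set(), set()
    for svc in services:
        if svc in PRIMARY_FUNCTIONS:
            functions.add(PRIMARY_FUNCTIONS[svc])
        elif svc not in SUPPORTING:
            unknown.add(svc)
    return functions, unknown


def check_inventory(inventory):
    """Return findings as (host, kind, detail) tuples for an assessor to review."""
    findings = []
    for vm in inventory:
        functions, unknown = classify(vm["services"])
        if len(functions) > 1:
            findings.append((vm["host"], "multiple-functions", sorted(functions)))
        if unknown:
            # Services the mapping does not know cannot be scoped automatically;
            # they are reported so the assessor classifies them by hand.
            findings.append((vm["host"], "unclassified", sorted(unknown)))
    return findings


if __name__ == "__main__":
    for host, kind, detail in check_inventory(INVENTORY):
        print(f"{host}: {kind}: {', '.join(detail)}")
```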

Choosing a QSA

Once you select a QSA, the relationship is likely to be a long one. Organizations should look for a QSA who knows the technology that needs to be audited. To hire a QSA, a company should gather its business requirements, conduct a detailed interview about the QSA's past experience, and schedule an onsite review and planning meeting. Make sure that the individual QSA you spoke to and worked with during data collection and assessment planning is the same person who will eventually come onsite to manage the assessment.

The QSA firm will have a great effect on your compliance and security for a long time. Making the right decision in QSA selection will be of great advantage both in fulfilling the PCI DSS compliance requirements and in strengthening your security for the long term.

Is PCI Compliance Expensive?

There are several factors on which the cost of PCI DSS compliance depends, including the type of your business, the annual number of transactions, your current IT infrastructure, and how your existing network processes and stores credit/debit card data.

Possible PCI Compliance Fees

According to estimates, the nation's largest merchants, categorized as Level 1 merchants (more than 6 million transactions a year), spent $125,000 assessing the PCI-related work required and an additional $568,000 to meet the PCI requirements.

Reports state that one Level 1 merchant, a national retailer with 210 stores, spent about $500,000 to become compliant. Level 2 merchants, carrying out between 1 and 6 million transactions annually, may need to spend $105,000 on assessment and an additional $267,000 on compliance.

Level 3 merchants carrying out between 20,000 and 1,000,000 e-commerce transactions are expected to spend $44,000 on assessment and $81,000 more on compliance. Level 4 merchants, handling fewer than 20,000 e-commerce transactions, pay varying prices for compliance, depending on the type of business.

Additional Costs

The costs of PCI compliance don't end there; there are several additional costs. These may include fees for software and hardware upgrades if card data is stored in house. According to one calculation, an organization with 100,000 credit cards on file must pay $6 per card in encryption costs. Alternatively, merchants can use technologies like tokenization, where data is stored remotely and a per-transaction fee replaces the upfront cost. None of these estimates includes the opportunity cost or the labor cost diverted from other profit-making endeavors.

Requirements of the Merchants

A merchant that accepts, processes or stores credit card data needs to be compliant. Even small retailers and restaurants using a single POS system or terminal must be PCI compliant. Such businesses are required to fill out a Self-Assessment Questionnaire, but the compliance process is much less involved. Merchants using POS systems must take extra care to make sure that no prohibited card data is being stored improperly, and must validate that their vendor is PABP compliant (soon to become PA-DSS).

Cost of Being Non-compliant

Being noncompliant is not an option: every large merchant must be PCI compliant or face huge monthly fines. A noncompliant merchant also pays additional interchange fees, resulting in higher processing costs. The card brands are most likely to levy fines when a merchant is found noncompliant at the time of a data breach.

Also, the discovery and remediation costs can be far greater than the fines themselves. The cost of a data security breach can be anywhere from $90 to $305 per customer record breached. Some merchants find the PCI DSS requirements annoying and get frustrated with them, while others regard them as basic security requirements that should be in place anyway.


Should Everyone Become PCI Compliant?

PCI compliance involves much more of your business than your website. If your business takes credit card numbers over the phone, carries out face-to-face transactions, or keeps records of credit card numbers, none of that has anything to do with your website, and your business still needs to meet the PCI requirements. You might now wonder whether every business needs to be PCI compliant; the answer has already been given above. In this article you will find answers to the questions that trouble you about PCI requirements.

Should I Be Worried About PCI Compliance?

A business that receives credit card payments from customers needs to be PCI compliant, even if it gets paid by credit card only once a year. The number of transactions doesn't matter at all. Even if your website accepts payments through third-party services like PayPal or Google Checkout, you are still required to be PCI compliant, because it is your business, not your website, that is accepting credit card payments.

What Will Happen If I Am Not PCI Compliant?

If your business does not meet the PCI compliance requirements and your site's security is breached, huge penalties ranging from $5,000 to $500,000 will be imposed on your business. The fines are only the first consequence of being non-compliant; you will start to see numerous other damages to your business.

Terminated Merchant File

If your business is not PCI compliant, you might lose your merchant account, which means you won't be able to accept credit card payments at all. Not only that, you will also be placed in the Terminated Merchant File (TMF) of MasterCard/Visa, which makes you ineligible for another merchant account for at least a couple of years. The TMF is effectively a BLACKLIST for merchants, and getting your name removed from it is nearly impossible.

The Terminated Merchant File is sometimes also known as the Match File. Once a merchant is added to it, his name, the name of the business, and his home and business addresses are all recorded. So there is no point applying again in the name of another family member or business partner, because according to the documentation it will be treated as the same business and location (which is already blacklisted).

Cardholder Data Environment

Will setting up a firewall configuration limit direct public access between the internet and any system in the cardholder data environment? Well, it depends; the cardholder data environment includes all of your website as well as the database. A database server should have its own physical server, connected over a VPN.

Even if your database isn't storing the card data, it is still supplying content to your site, which collects and transmits cardholder information; that is why it is included in the cardholder data environment.


The New Role of the CIO – Business Transformation Partner

It is becoming increasingly necessary for industries and organizations to improve productivity and reliability and keep pace with ever-increasing demands. Never before has there been such pressure on the business, and on the production and engineering departments in particular, to keep up with these demands.

Business has no other choice but to identify issues, adopt new technologies, de-bottleneck, and implement engineering/process IT innovation drives wherever practical and possible.

Information technology is not the business; it is an enabler. Because it enables the business, the IT strategy, architecture and projects should be dictated by the larger organization's business strategy, architecture and programs. However, we often see a disconnect between the IT and business strategies.

The IT strategy

The CIO, or Chief Information Officer, can play the role of a partner and help the business team achieve its objectives.

IT is perceived as not providing value to the organization. Why is this?

Typically, the role of the CIO and the IT team has been restricted to implementation, support and maintenance of the enterprise's IT hardware and software needs.

In the past, IT teams have procured specific software and hardware, been tied down by lock-in periods (typically three to four years), and eventually been trapped with obsolete software down the line.

The advent of the cloud, with Platform as a Service, Infrastructure as a Service and Software as a Service, has given the CIO new possibilities.

Technology trends and landscapes are much more dynamic now, and there is an increasing need for CIOs to get out of the traditional support mode and focus on meeting the ever-increasing demands from the business.

The organization now increasingly looks to the CIO for critical support to the business teams, without which no transformation would be possible.

A proactive CIO is one who sees the cue and takes the lead in these transformational initiatives, which can make a big difference to the way the organization performs.

Most CIOs report to the CFO; I am not sure if this is the right structure. However, a smart CIO can take advantage of this structure and ensure that they have the blessing of the CFO to allocate good budgets to IT and to process and engineering IT initiatives.

Having said that, in today's recessionary times these budget allocations are not easy. A lot is expected to be achieved with a reduced budget and in the least time.

Also, several IT initiatives related to business improvement have not been successful in the past, mainly because the CIO and the IT team were never considered a reliable partner to implement and be responsible for such initiatives.

How can the CIO and his team become a trusted business partner, and how do they first secure these budget allocations? How would they get management support and backing?

-A Business Transformation programme

The first phase would require hiring a business process improvement consultant who would, on a fast track, identify issues across the business units and recommend areas of improvement.

{We will not get into details here about how the programme is to be managed}

The consultant should ideally be asked to recommend a short list of areas of improvement: those that can give the organization the maximum impact.

-An Innovation drive

There is no point in diluting the innovation effort by identifying far too many areas for innovation and improvement, as mentioned earlier.

The effort should be targeted, and only those innovations that meet the new business needs and challenges should be taken up.

The following are key to the success of these IT innovation drives.

-Branding Campaign

A precursor to the innovation project should be a well-designed, branded campaign.

This campaign's only objective is to sell the idea within the business and to ensure that the entire business team realizes the value of the programme and the business outcomes it is designed to achieve.

-The Right Technology

Identify a tested and proven technology. It's a good idea to make site visits to organizations that have implemented these technologies successfully and get their feedback.

-The Right Leader & Right team

The leader should ideally be a CIO who shares the business's and the organization's vision, assisted by a business leader. Small, focused teams comprising leads from IT and the business are absolutely necessary. The right leader needs to guide and lead the team and justify to the core team the need for these innovation drives and the resulting business outcomes.

-Right Partner to Implement

Identifying the right partner to implement is another key need; ideally the OE of the selected product or technology is the right agency to recommend the partner.

-The Right Methodology, Framework

It's very important to choose the right methodology, one that ensures consistent internal stakeholder support. How do we manage this?

The idea is to break these projects up into phases and small projects rather than go with a big-bang approach.

Create small POCs and demonstrate small success stories.

The best way to prove the success of a typical process automation or other IT innovation drive is to let the business users see and measure success themselves: implement a POC, such as a small self-service portal, where they can key in specific data and see tangible benefits.

Unless the business users stop perceiving this as an experiment and a risk, the project will not meet its objectives.

If this is achieved, not only is the roll-out of the project guaranteed, but it will also happen in the least time and well within the reduced budget.

Lessons Learnt

The CIO must make these success stories visible to the organization at the right times during the project's progress. The objective must be to ensure that the rest of the organization and the key stakeholders are confident of success and support him and the business teams.

Change is always resisted; people get complacent and comfortable doing things the old way. It's important for them to experience the changes innovation brings and how it lets them achieve their objectives better and more efficiently.

Smart CIOs are the ones looking to 'outsource' routine and typical support and gearing up to meet the new business challenges.

The role of the new-age CIO is to lead from the front and move from merely 'supporting' the business to 'contributing' to it through a string of IT and engineering/process IT innovation drives that transform the business.