Tuesday, 21 December 2010

PCI DSS 101 - All The Background You Need For Understanding The PCI DSS - Part 2

This is the second of a two part article intended to provide a backgrounder in understanding the PCI DSS. See Part 1 for the following
• What is it, and why is it important?
• The 12 Point PCI DSS
• So who exactly is subject to the PCI DSS?
Sounds like a lot of work and expense - what is the cost justification for the PCI DSS?

Trying to understand the actual cost of payment card fraud is not straightforward - by their very nature, fraudulent transactions are hidden.
Visa Europe report a level of fraud around 6 cents for every €100 spent. It is important to realize that this is the cost of fraud for Visa Europe itself (as opposed to the total cost associated with card fraud which would include lawsuit costs between merchants, acquirers and issuers). All the same, in 2009, those cards were used to make purchases and cash withdrawals to the value of more than €1.3 trillion. Doing the math, this would place an estimate on the cost of fraud to be €780M - just for Europe, and just for Visa.

In order to extrapolate these numbers, based on Visa Inc. Q1 FY 2010 earnings statement, Visa's global network processed payments totaling $4.4 trillion. Assuming Visa held a 38.3% market share of the credit card marketplace and 60.7% of the debit card market, the total value of payment card transactions for the world would be around $8.5 trillion.

If Visa's notional 6 cents for every dollar formula was applied, this would give an estimated value of fraud for the global payment card market of $5.1 billion - although again, this is purely for the card companies themselves.
Compare this figure with other sources that suggest the overall cost of UK Plastic card fraud was nearly £610m in 2008, an increase of more 14% over 2007 (figures published by APACS, the UK Payment Industry). Extrapolating this number at the same 14% per annum increase would give a 2010 figure of over £730M (approx. $1.2 Billion) just for the UK. Figures from the UK Card Association claim card fraud reduced by 20% in their most recent figures, based on January to June 2010 so these figures may be lower than estimated.

Global estimates for the cost of Online fraud - including identity theft and all payment-card abuse and organized crime - reached around $78bn last year (according to research house Global Uncertainties). If you are reading this as a Card Merchant though, the figures that will be more interesting for you are what the potential costs for you are. For Visa members, failure to report any suspected or confirmed loss of transaction data the member will be subject to a penalty of $100,000 per incident, rising to $500,000 depending on the scale and seriousness of the breach. Regarding remediation costs, most estimates cost this at between $90 and $302 per record.

The cost of compliance may also increase by way of making a compromised Tier 2, 3 or 4 merchant subject to Tier 1 merchant PCI DSS requirements, with the more stringent auditing process being required.
The absolute penalty for a payment brand is to disqualify a merchant from being able to process card transactions.

It is worth mentioning that in one of the few publicized breaches, Heartland Payment Systems (corporate.visa.com/media-center/press-releases/press974.jsp) are agreeing to pay $60M in compensation to card issuers that have suffered losses as a result of the criminal breach of Heartland's systems. The loss of customer trust and the corporate shame of being exposed as an organization that has compromised their customers' personal data could ultimately be far more expensive.

What happens in the event of us being breached?
Visa provides the following Steps for 'compromised entities'
1. Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.
2. Alert all necessary parties immediately. Including
• Your internal information security group and incident response team.
• Your merchant bank.
• Visa Fraud Investigations and Incident Management group
• Your local office of the United States Secret Service
3. Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days
4. Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank

Is PCI-DSS Compliance Required by Law?
The Minnesota Plastic Card Security law doesn't make PCI a legal requirement but it does mandate that companies storing credit card information that subsequently suffer a breach will need to reimburse the card issuer for any costs associated with the breach. In other words, it reinforces a key PCI requirement rather than legislating for it.

Similarly, Nevada has the Security of Personal Information Law and the Nevada Senate Bill 227 in which SB 227 Amendment specifically states a requirement to comply with the PCI-DSS.
Also, The Washington House Bill 1149 (Effective Jul 01, 2010) "recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers."
Massachusetts is introducing 201 CMR 17.00 which seemingly borrows heavily from the PCI DSS.
Several other states are making attempts to enforce PCI DSS-aligned legislation such as Texas, California, Illinois and Connecticut.
Beyond these specific examples of PCI DSS-aligned laws the overwhelming majority of US states, Puerto Rico and the Virgin Islands have legislation that requires disclosure of data breaches.

Understanding the PCI DSS and how to implement it for your organization will take time, care and attention but many of the measures required can be automated and simplified using contemporary software technology.

No comments:

Post a Comment