When does a company need to be PCI compliant
Divya Kothari, IMT 553 - Assignment 2

DOES ABC¹ NEED TO BE PCI COMPLIANT?

Being PCI compliant means taking defined steps to handle a cardholder's sensitive data in a secure environment. The requirements are a set of 'best practices' laid down to ensure that every organization that deals with credit, debit or prepaid cards does so securely. Despite the internal confusion in our company over whether we are PCI compliant (we are not), the Sales Department's 'Why not?' raised an interesting point: should we rethink our allegiance to PCI? Given that the underlying intent behind these standards is fraud prevention, which aligns exactly with ABC's business objective of detecting and minimizing billing fraud, shouldn't we simply go ahead and plan for compliance? Maybe. But before that, let's run through a quick cost-benefit analysis once we have determined the scope of our framework.

ABC is a relatively small but growing company.* Currently, our firm operates from two offices in the United States, each processing up to 40,000 transactions a year.* It may also be useful to keep in mind that:

• Even though the ASP is not collecting the information, the company's operations that analyze billing details for fraud do fall within PCI DSS's stated applicability to "…all other entities that store, process or transmit cardholder data…",² as well as under other standards.*

• ABC only identifies billing errors and payment fraud. It does not trace them back to the user, clinic or insurance company; it merely flags the relevant portions of the bill, in order to keep user data private.

• Medical billing and other payment details provided to the company include some, if not all, non-anonymized cardholder data, specifically the Primary Account Number (PAN) paired with one or more of the following*:
  - card expiration date
  - card verification value (CVV, the 3- or 4-digit authentication number)
  - track data (from the card's magnetic stripe)
  Of these, the CVV and track data are what PCI DSS calls sensitive authentication data, which Requirement 3.2 forbids storing after authorization even in encrypted form. Receiving them at all raises ABC's exposure and is worth questioning with the vendors supplying the feeds.

PCI DSS deals only with cardholder data; none of its controls requires companies to protect other sensitive information. In our case, however, information such as people's names, birth dates, addresses, SSNs, gender, marital status, occupations and other PHI is protected under HIPAA, given that ABC has signed a Business Associate Agreement.*

Currently, ABC's systems are not up to date with the latest security protocols, and its risk management framework is still in its nascent stages. All systems have firewalls and anti-virus software, but data is only partially encrypted. The company has two officials in charge of information assurance and security practices, with no fixed budget.*

¹ Assuming the company in question is named ABC LLP ("ABC"). A few other assumptions have been made to determine the scope of the issue. All such assumptions are indicated by an asterisk.
² PCI website: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

COST-BENEFIT ANALYSIS

Benefits

• Increased security against potential breaches, hacks and other events leading to loss of confidential data. "As more and more card processing (and even business in general) takes place online, for hackers this online channel is a viable way to profit."³

• Improves ABC's security posture and gives its risk management framework a more concrete structure. It also creates awareness and builds a better security culture among the firm's employees.

• Since ABC is still a growing company, PCI compliance can help increase sales if it is promoted through marketing channels. Given that the standard is backed by the five major payment card brands, advertising compliance may boost confidence among target vendors.

• Gives an edge over competing billing processors that are not PCI compliant. As an industry standard, PCI DSS does not have the force of law, so an entity can choose whether to comply (although its acquiring bank and card-brand contracts may require it anyway). Since many companies are not yet in compliance, it may be a good way to differentiate ourselves from competitors.

• Compliance is a structured way to mitigate risk, through risk transference, risk avoidance and similar strategies. The PCI Security Standards Council also publishes guidance such as its information supplement on migrating from SSL and early TLS, which walks an organization through locating systems that still use vulnerable protocols and planning the migration to stronger ones.⁶

• It also creates customer trust that their payment card data is safe, reassures partners and shareholders, and ensures that staff are protected from exposure to potentially sensitive customer information.⁸

• On the flip side, the cost of not complying with PCI rules may be data loss followed by remediation and discovery costs, which can be just as expensive as fines, if not more so, plus potential reputational damage.⁹ A report by the National Cyber Security Alliance states that if hackers successfully breach a small business' data, the business has a 60% chance of closing its doors within the following six months.¹⁰

Costs

• The cost of becoming PCI DSS compliant depends on a number of factors, including the business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.⁴

• As stated above, the cumulative transaction load is 80,000 per year for the company, which places it in Level 3 of the merchant levels stipulated under PCI DSS. (Merchant levels are set by each card brand; Visa's Level 3, for example, covers 20,000 to 1 million e-commerce transactions a year. If ABC is treated as a service provider rather than a merchant, the brands' service provider levels apply instead.)

• ABC shall have to spend money to determine scope and then invest in compliance-related activities: filling out a Self-Assessment Questionnaire and signing up for quarterly vulnerability scans of all external-facing IP addresses by a PCI Approved Scanning Vendor (ASV). Being PCI compliant also means ABC shall have to revalidate its compliance every year.

• Other costs include software and hardware upgrades if information is stored in house, such as the cost of encryption per transaction processed. On top of this come the cost of labor and the opportunity cost of forgoing other profit-making endeavors.⁵

• A rough estimate of what it may cost ABC to become PCI compliant:
  Self-Assessment Questionnaire: ~$50 - $200
  Vulnerability scanning: ~$100 - $150 per IP address
  Training and policy development: ~$70 per employee
  Remediation (software and hardware updates, etc.): varies with where the entity stands today relative to compliance and security, but estimated at ~$100 - $10,000 (Glover, 2015)⁷

³ Business2Community, 31 March 2015, "PCI Compliance – What it means to your Digital Security". Retrieved from: http://www.business2community.com/tech-gadgets/pci-compliance-means-digital-security-01196045
⁴ Braintree, 24 June 2008, "What does it cost to become PCI Compliant". Retrieved from: https://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant/
⁵ Refer to footnote 3.
⁶ PCI Security Standards Council, "Migrating from SSL and Early TLS" information supplement. Retrieved from: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
⁷ Glover G., 19 August 2015, "How much does PCI Compliance Cost?" Retrieved from: http://blog.securitymetrics.com/2015/08/pci-compliance-cost.html
⁸ Rehman A. et al. (2016), "An Introduction to PCI Compliance". Retrieved from: http://www.callcentrehelper.com/an-introduction-to-pci-compliance-83552.htm
⁹ Refer to footnote 3.

RECOMMENDATIONS

Clearly, this is not as straightforward as it initially seemed. To add to the confusion, going back to the intent behind these standards, it must be kept in mind that PCI DSS is not designed to protect your organization; its actual aim is to protect the payment networks and the payment ecosystem. And while the benefits of implementing these standards are fairly high, so are the costs of doing so. At the same time, these "costs associated with PCI compliance are not based on the number of cards you process, but rather the way in which you process the cards you accept. This is because for the most part, the processing method you use is relative to both the risk and the burden of PCI."¹¹ However, it is clear that whether or not ABC chooses to comply with all PCI standards, it must strengthen its core processes internally. To take a final position on PCI implementation, ABC's senior management must discuss it with the Sales, Marketing, Operations, Legal and Security teams. My recommendation is that, whether or not ABC decides to become PCI compliant, it should conduct a data inventory to determine what data is really needed and what is not. Additionally, the firm could map its cardholder data environment, that is, all the components (vendors, people and processes) of every system that stores, processes or transmits cardholder data.¹² This will help ABC pinpoint exactly where its systems' security needs strengthening, even if it does not pursue PCI standards. ABC can also streamline incoming information from different vendors by making it compulsory to provide anonymized or encrypted data; feeds that carry only truncated or tokenized card numbers instead of full PANs shrink the cardholder data environment, and with it the scope and cost of any assessment.
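The data inventory recommended above, and the earlier point that ABC's feeds may arrive with PANs paired with CVV or track data, both come down to one practical question: where, in what ABC receives, do full card numbers and sensitive authentication data actually sit? The following is an added example, not part of the original assignment or of any ABC system: a Python pass that scans constructed billing-feed rows for Luhn-valid card numbers, flags fields that carry sensitive authentication data (which PCI DSS Requirement 3.2 forbids storing after authorization, even encrypted), and produces a copy of each row masked to first six and last four digits (the most Requirement 3.3 allows to be displayed). The field names and the sample rows are assumptions made for the example.

```python
"""Cardholder-data discovery and masking pass for a data inventory.

Added example, not part of the original assignment or any ABC system. The
field names and the sample feed rows are constructed for illustration.
"""
import re
from typing import Dict, List

# A run of 13-19 digits, optionally separated by spaces or dashes, with no digit
# immediately before or after it (so a longer identifier is not split into a PAN).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")

# Field names (assumed) that carry sensitive authentication data (SAD). PCI DSS
# Requirement 3.2 forbids storing SAD after authorization, even encrypted, so
# such fields are never retained regardless of their content.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "track_data", "pin"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) found in a text value."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = _SEPARATORS.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """First six and last four digits, the most Requirement 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_match(m: "re.Match[str]") -> str:
    digits = _SEPARATORS.sub("", m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def inventory_record(record: Dict[str, str]) -> Dict[str, object]:
    """Classify one feed row: which fields hold full PANs, which hold SAD, and a
    copy that is safe to retain (PANs masked in place, SAD fields dropped)."""
    pan_fields: Dict[str, List[str]] = {}
    sad_fields: List[str] = []
    safe: Dict[str, str] = {}
    for field, value in record.items():
        if field.lower() in SAD_FIELDS:
            sad_fields.append(field)
            continue
        pans = find_pans(value)
        if pans:
            pan_fields[field] = pans
            safe[field] = PAN_PATTERN.sub(_mask_match, value)
        else:
            safe[field] = value
    return {"pan_fields": pan_fields, "sad_fields": sad_fields, "safe_record": safe}


def inventory_feed(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarize a whole feed: how many rows carry full PANs or SAD, and where."""
    report = {"records": len(records), "with_pan": 0, "with_sad": 0,
              "pan_fields": set(), "sad_fields": set(), "safe_records": []}
    for rec in records:
        r = inventory_record(rec)
        if r["pan_fields"]:
            report["with_pan"] += 1
            report["pan_fields"].update(r["pan_fields"])
        if r["sad_fields"]:
            report["with_sad"] += 1
            report["sad_fields"].update(r["sad_fields"])
        report["safe_records"].append(r["safe_record"])
    return report


# Constructed sample rows (no real card data; 4111... and 5555... are the usual
# public test numbers). Row 2 already arrives truncated; row 4 holds a phone
# number and a 13-digit invoice number that fails Luhn, so neither is flagged.
SAMPLE_FEED = [
    {"claim_id": "C-1001", "payer_note": "paid by card 4111 1111 1111 1111, auth ok", "cvv": "123"},
    {"claim_id": "C-1002", "payer_note": "paid by card 411111******1111", "amount": "250.00"},
    {"claim_id": "C-1003", "track2": ";5555555555554444=25121010000000000000?", "amount": "80.00"},
    {"claim_id": "C-1004", "payer_note": "phone 206-555-0100, invoice 2024000123456", "amount": "12.50"},
]

if __name__ == "__main__":
    summary = inventory_feed(SAMPLE_FEED)
    print(f"{summary['with_pan']} of {summary['records']} rows carry a full PAN in {sorted(summary['pan_fields'])}")
    print(f"{summary['with_sad']} rows carry sensitive authentication data in {sorted(summary['sad_fields'])}")
    for row in summary["safe_records"]:
        print(row)
```

Run against real feeds, the `pan_fields` and `sad_fields` sets are the inventory: every field that turns up there is a place where ABC holds cardholder data and so is in scope, and every vendor whose rows populate `sad_fields` is sending data ABC has no business retaining. A row that already arrives truncated (as row 2 does) produces no findings, which is the point of asking vendors for anonymized data up front.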

Lastly, we must address the possibility of FFIEC¹³ intervention. FFIEC guidance, too, is not legally binding in itself. The Council is merely empowered to "prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions",¹⁴ and PCI DSS is one such recommended standard. However, in the past, courts have held banks liable for not complying with FFIEC guidance.¹⁵ So does that mean that, in a future dispute, a court may hold ABC liable for not following FFIEC's recommendations? That is a very subjective question and difficult to predict; different judges and courts weigh FFIEC advice differently. FFIEC is certainly expanding its cybersecurity work,¹⁶ but the focus so far seems to be on 'large and complex institutions',¹⁷ and ABC is yet to reach that stage.

It should also be noted that compliance is not equivalent to security. Adhering to PCI standards means taking additional precautionary steps to secure your systems and the integrity of the data within them; it does not mean being absolutely secure. Furthermore, unfortunately, as businesses grow, the cardholder data environment often grows along with them, and information security policies and processes become more and more important.¹⁸

¹⁰ Refer to footnote 2.
¹¹ Thomas T., 12 January 2015, "Small Business and PCI Cost vs. Benefit". Retrieved from: https://www.pcicomplianceguide.org/small-business-and-pci-cost-vs-benefit/
¹² Hipsher A., 24 September 2015, "Determining the Scope of the Cardholder Data Environment: Don't Leave Data Out of the PCI Compliance Assessment". Retrieved from: http://www.crowehorwath.com/cybersecurity-watch/cardholder-data-PCI-compliance-assessment/
¹³ The Federal Financial Institutions Examination Council ("FFIEC").
¹⁴ FFIEC website: http://www.ffiec.gov/about.htm
¹⁵ Bank Safety & Soundness Advisor, 18 July 2011. Retrieved from: http://www.dwt.com/files/Uploads/Documents/News/07-11_Lorentz_BSSA.pdf (PDF)
¹⁶ Hoar S., 1 July 2014, "Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments", Privsec. Retrieved from: http://www.privsecblog.com/2014/07/articles/cyber-national-security/federal-financial-institutions-examination-council-launches-cybersecurity-webpage-and-begins-cybersecurity-assessments/
¹⁷ Curry, Thomas J. (8 May 2014). "Remarks by Thomas J. Curry, Comptroller of the Currency, Before RMA's Governance, Compliance, and Operational Risk Conference, Cambridge, Massachusetts" (PDF). Office of the Comptroller of the Currency.

¹⁸ Hmark, 6 December 2012, "Left out in the cold". Retrieved from: http://blog.propay.com/index.php/tag/pci/