2. What is PCI DSS? Is it effective? Impact on the auditing profession Overview
3. “Payment Card Industry Data Security Standard” industry-wide framework for developing a robust payment card data security process aims to protect cardholder data What is PCI DSS?
4. response to the growing misuse of payment card information Payment Card Industry (PCI) Security Standards Council - 5 global payment card companies: American Express, Discover, JCB International, MasterCard, and Visa applies to entities that store, process or transmit cardholder information Retailers, on-line merchants, payment processing companies History and Origins
5. 6 principles, 12 major requirements, many sub-requirements and detailed requirements, and testing procedures 6 objectives: Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Components of PCI DSS:
6. PCI Security Standards Council sets the overall high level requirements each card issuer enforces the standard, sets validation requirements and penalties different merchant / service provider levels, and requirements for each level Eg: Level 1 – merchants with 6M+ transactions annually most stringent requirements ASV scans, QSA audits most recent version - PCI DSS v.2.0 continuously updated to as new threats emerge PCI DSS Logistics
7. Is PCI DSS Effective? Effectiveness of PCI DSS 2011Ponemon Institute & Imperva study: 64% of compliant firms had no breaches over the past two years, vs only 38% of non-compliant firms 2011 Cisco study: 70% feel that their organizations are more secure 87% feel that PCI compliance is necessary 60% are using PCI compliance to drive other security network projects appears that most organizations regard PCI DSS as an effective tool in improving cardholder security
8. Ineffectiveness of PCI DSS PCI DSS compliant firms still experience security breaches Eg: Hannaford Bros, breach in 2008: theft of 4.2 million customer card numbers Eg: Heartland Payment Systems, breach in 2008: 130 million credit card numbers exposed Critics: PCI DSS ineffective as it has failed to prevent data breach incidents Is PCI DSS Effective?
9. Is PCI DSS Effective? Ineffectiveness of PCI DSS developed by card companies to shift blame to retailers rather than actually preventing cybercrime lack of standardization high cost of compliance - $3.8M implementation cost for Level 1 merchants Executives see PCI DSS as a burden, not an investment ROI unknown
10. PCI DSS: Effective guideline, but does not guarantee security Breaches of PCI DSS compliant firms show that even compliance does not guarantee protection against security breaches PCI DSS - only a framework for protecting cardholder data – will not 100% guarantee security Effective from aspect of laying the groundwork for a secure system Forces entities to be continuously compliant
11. Canadians are among the most frequent users of debit and credit cards Canada seen as vulnerable to hackers and data thieves due to: lack of strong Canadian privacy legislation inadequate IS security at Canadian SMEs lag in adopting Chip & PIN technology on credit cards Canada has relied upon PCI DSS to improve cardholder data security PCI DSS and Canada
12. Impact of PCI DSS on the Accounting Profession opens numerous opportunities for the accounting profession CAs can act as consultants to businesses CAs can act as QSAs to assess PCI DSS compliance CAs can work together with the PCI to achieve greater protection of cardholder data
13. Impact of PCI DSS on the Accounting Profession CAs acting as QSAs can offer integrated services to clients PCI compliance & S. 5970 audit efficiencies can be gained However, should be aware of differences: Framework Testing period Scope
14. PCI DSS is a critical step towards improving the security of cardholder data in Canada and worldwide presents new opportunities for the accounting profession Conclusion