Credit cards have come a long way since the night in 1949 when Frank McNamara, out for dinner with his clients, realized he had forgotten his wallet and wished for some sort of account to which he could charge the dinner. Frank soon started the Diners’ Club card. By the close of the 1950s, tens of thousands of Americans held credit cards, issued by banks still recognized today, like Bank of America and American Express. Even though these first credit cards were made from cardboard, people, even then, realized the value of implementing credit card controls into their use. And, before the first decade of credit card use came to a close, plastic credit cards started to emerge.
As advances have come to the credit card industry, e.g., micro-printed signature panels in the 1970s, risk-scoring fraud detection in the 1980s, and CVV codes in the 1990s, security requirements have generally followed. One of the most significant came in 2004 with the formation of the Payment Card Industry (PCI) Security Standards Council, and the first set of PCI Data Security Standards (PCI DSS) that came soon after.
Years ago, when you asked someone, especially outside the US, where they kept credit card data, you’d get a blank look, and then, they’d dutifully go to their company’s shared drive, open an Excel spreadsheet and explain to you that, through a rather elaborate system that basically equated to Excel’s filters and searches functionality, you could quickly find any client’s credit card information – as long as no one had fat fingered the cells containing those credit card numbers. In conducting your controls review, you’d ask if they password protected the spreadsheet, they’d thank you for the recommendation, and you’d leave knowing that you had made the company a better, more controlled place. That won’t fly in today’s world.
“Today, credit card data protection, and the attitudes around it, has come a long way, especially internationally.” Says Ricardo Martins, Certified Information Systems Auditor (CISA), and currently a VP of International Internal Audit at Liberty Mutual Group in Boston.
These days, companies follow version 3.2 of the PCI DSS, which contains requirements around firewall protections, complex passwords and access controls, the storage, encryption, and transmission of cardholder data, vulnerability management programs, network testing, and the development and management of an information security policy.
Also, per PCI, all Level 1 merchants, i.e., those processing more than six million credit card transactions annually, must complete an annual audit of their security systems and procedures. The assessment can be conducted internally, as long as there’s a signoff by a high-ranking employee, or by a third-party.
Gone are the days where compliance auditors could evaluate data protection practices with a quick conversation over coffee, or by passing by someone’s desk casually.
“Today’s audit professional needs an IT audit partner, not just a generalist like years past,” explains Martins. “Most audit shops will run GCRs for an IT controls review, and the challenge is to ensure that these GCRs are sufficiently comprehensive in evaluating all risks, including compliance risks, that an organization faces.”
Indeed, with the advent of tokenization, and even more complex PCI data protections coming on the horizon, auditors skilled in information systems audit, or, even better, specialists in auditing PCI compliance, will become even more valuable to organizations seeking to show their compliance with PCI requirements, as states move toward requiring compliance as a matter of law.
What’s one of the most common pitfalls? “Many companies fall into a false sense of security once they’ve mitigated their external risks,” Martins explains. “After those external risks are mitigated, the internal risks remain – like, an employee who might dump a file of payment card data onto a data stick, and walk out the door.” He cautions.
There’s also the storage of credit card data. “Companies have to follow the risk [in evaluating their business processes],” advises Martins. “While companies go through extensive measures to implement advanced credit card encryption processes, they less often consider all the exposures presented within their network where the numbers are stored. Reducing those makes encryption easier to achieve, and compliance easier to demonstrate.”
Even companies that don’t reach the Level 1 threshold for PCI audits may still want to certify their compliance. Some states, like Nevada and Washington, are now shielding PCI DSS compliant entities from liability.
While credit cards have come a long way since their cardboard forebears emerged in the years following World War II, responsibilities held by companies who accept credit card payments have also grown exponentially. Compliance costs money but provides a way by which companies can show to their clients that they take the responsibility for protecting their data seriously. Today, compliance is not only a required cost of business an investment in our customers, the trust they place in us as their business partners, and costs much less–financially and reputationally–than any breaches of customer credit card data ultimately will.