Payment Card Security & IT Controls Explained

Entries from February 2008

Annually Review Governance Control Programs

February 27, 2008 · No Comments

A client of mine recently updated their rich corporate governance program, and beyond the obvious extensions to include recent State laws (introduced in the last 6 months) governing data usage and some international legislation, there was particular attention paid to the Federal government's use of the FSG (Federal Sentencing Guidelines).  A recent increase in DOJ attention has raised this mandate's requirements above the normal baseline within the organization, and it now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.

Two nice sources for the FSG are the full guidelines themselves (of particular interest may be section 8B2.1, “Effective Compliance and Ethics Program”) and a nice text published by Theodore L. Banks and Frederick Z. Banks entitled “Corporate Legal Compliance Handbook”.  Here is a link to Google Book Search with some interesting content already highlighted.

As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis.  These periods of review vary depending on the growth and change of your particular industry, but should not exceed an annual inspection.  Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each.  An executive session should be included in this process to ensure that strategic direction is captured, and that any shifts are embraced by management and all divisions of a company.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

Categories: Boards · Governance · Payment Card Industry Data Security Standard · State Laws · audit · fraud · regulations

“Mastering the Payment Card Industry Standard” article for CPAs

February 11, 2008 · No Comments

The January 2008 issue of the Journal of Accountancy had a nice write-up regarding PCI: the framework, the history, how the transaction system works, the threats (including TJX) and their impacts, and the opportunities CPAs should be aware of. The article can be found here.

It is a worthwhile read for those new to PCI, and especially for those running the finance side of organizations. The author does a nice job of summing up the main points of PCI, and addresses the topic to an audience that may not be wholly familiar with the payment industry. Other great articles are available at the AICPA site, and access to the materials is free online. Definitely take advantage of the resources at this site, as it is only with multiple perspectives that information within organizations can be sufficiently secured to ensure operational efficiency.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit

PCI Council releases new Guidance & SAQs!!

February 7, 2008 · 2 Comments

The PCI Security Standards Council today released several important documents. Every Merchant, Service Provider, and risk manager should review these publications. The official Press Release is “PCI Security Standards Council Issues Updated Self Assessment Questionnaire”. A quick overview of each:

A Guidance document, “Understanding the Intent of the Requirements, v1.1”

  • This document provides much needed elaboration in the form of “Guidance” for every PCI DSS control requirement. For instance, the standard requires a quarterly review of the firewall and router rule sets (1.1.8), and the new guidance now expands on what this opportunity allows - clean up, removal of incorrect rules, sufficient time to balance rules with business.
  • The guidance document is 45 pages in length and available at the PCI site
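The quarterly rule-set review that requirement 1.1.8 calls for is easier to do consistently when the "clean up" part is mechanical. The following is an added example (not from this post or from the PCI Council) of a small review helper: it reads a rule set in a simple comma-separated form that is constructed for this example, and flags the rules a reviewer would want to look at first. The rule format, the check thresholds, and the sample rules are all assumptions of the example, not a real device export.

```python
"""Added example (not from the post or the PCI Council): a review helper for
the quarterly firewall/router rule-set review in PCI DSS 1.1.8.

It parses a constructed comma-separated rule format and flags rules that
need reviewer attention: any-to-any permits, rules with no documented
business justification, expired temporary rules, rules with no matching
traffic in the review window, and rules shadowed by an earlier identical
match. The format and sample data are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW_DAYS = 90  # one quarter; rules unhit for longer than this are flagged


@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    proto: str
    port: str
    action: str
    justification: str = ""
    expires: Optional[date] = None   # for temporary rules (vendor access etc.)
    last_hit: Optional[date] = None  # last time the rule matched traffic


def parse_rules(text: str) -> list:
    """Parse the constructed format: id, src, dst, proto, port, action,
    justification, expires (ISO date or blank), last_hit (ISO date or blank)."""
    rules = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        rules.append(Rule(
            rule_id=f[0], src=f[1], dst=f[2], proto=f[3], port=f[4],
            action=f[5].lower(), justification=f[6],
            expires=date.fromisoformat(f[7]) if f[7] else None,
            last_hit=date.fromisoformat(f[8]) if f[8] else None,
        ))
    return rules


def review_rules(rules: list, today: date) -> list:
    """Return (rule_id, finding) pairs for a reviewer to work through."""
    findings = []
    seen = {}  # match tuple -> first rule id that used it (shadowing check)
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    for r in rules:
        key = (r.src, r.dst, r.proto, r.port)
        if r.action == "permit" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append((r.rule_id, "any-to-any permit"))
        if not r.justification:
            findings.append((r.rule_id, "no business justification recorded"))
        if r.expires and r.expires < today:
            findings.append((r.rule_id, "temporary rule expired"))
        if r.last_hit is None or r.last_hit < cutoff:
            findings.append((r.rule_id, "no matching traffic in review window"))
        if key in seen:
            findings.append((r.rule_id, f"shadowed by rule {seen[key]}"))
        else:
            seen[key] = r.rule_id
    return findings


def run_review(text: str, today_iso: str) -> list:
    """Convenience wrapper: parse and review in one call."""
    return review_rules(parse_rules(text), date.fromisoformat(today_iso))


# Constructed sample rule set (not from any real device).
SAMPLE_RULES = """
# id, src, dst, proto, port, action, justification, expires, last_hit
10, 10.1.0.0/16, 10.2.5.10, tcp, 443, permit, Store POS to payment gateway, , 2008-02-06
20, any, any, any, any, permit, , , 2008-02-06
30, 10.1.0.0/16, 10.2.5.10, tcp, 443, permit, Duplicate of rule 10, , 2008-02-06
40, 10.3.0.7, 10.2.5.20, tcp, 22, permit, Vendor remote support (temporary), 2007-12-31, 2007-11-02
50, any, 10.2.5.10, tcp, 443, deny, Block all other inbound to gateway, , 2008-02-05
"""

if __name__ == "__main__":
    for rule_id, finding in run_review(SAMPLE_RULES, "2008-02-07"):
        print(f"rule {rule_id}: {finding}")
```

Run as-is, the sample flags the any-to-any permit with no justification (rule 20), the rule shadowed by rule 10 (rule 30), and the expired, unhit vendor rule (rule 40); the findings list is what the review meeting works through, and each item either gets a recorded justification or is removed.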

An updated SAQ Package has been released. The Self Assessment Questionnaire was originally a single questionnaire that companies of all types (Merchants, Service Providers, etc.) were required to complete. The documents released today provide greater explanation of how the SAQ is part of the PCI DSS, and provide unique SAQs depending on the organization's business structure. There are now five types of questionnaires that may be completed:

  • SAQ Validation Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  • SAQ Validation Type 2: Imprint-only merchants with no electronic cardholder data storage
  • SAQ Validation Type 3: Stand-alone terminal merchants, no electronic cardholder data storage
  • SAQ Validation Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage
  • SAQ Validation Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

In the SAQ Instruction Guide, pages 6-7 provide a nice common-sense approach to minimizing the impact of credit card processing and simple means of reducing the risks.

As in all new releases, read each document yourself and then prepare a distilled version for internal parties and your business partners. In addition, all SLA and contractual agreements should be reviewed and any necessary communications should occur to update the business operation thresholds. These documents contain important clarification and have been tuned to be more reflective of the business itself, so it is important to leverage these improvements and provide feedback to the Council.

Michael and others have some good tidbits posted about the new standard. Definitely check them out (especially check out pcianswers for a good nugget on compensating controls). Thanks to everyone out there making a better transaction environment!

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit · information security

New Gadgets (iPhones, etc..), Compliance, and Awareness

February 5, 2008 · No Comments

A short piece in the Wall Street Journal the other day focused on the challenges that firms face with the introduction of new technology, and how these new gadgets can complicate an organization’s controls.  The article highlights the difficulties faced by investment firms, as there are specific regulations requiring them to capture all traffic relating to financial transactions.  In the context of this mandate, the article raises the issue of employees purchasing iPhones and other smartphones, and the resulting difficulty in meeting regulatory mandates.
This issue is not reserved for financial firms, but is applicable to any firm.  New technologies, such as smart phones, Instant Messenger, Peer to Peer, Torrents, and VOIP, are all initially resisted by firms until an ROI and business case justifies the added management expense.  Beyond the adoption of these technologies, organizations that adhere to standards such as PCI DSS must be aware of the implications regarding these tools:

  • Sensitive data may be transferred to these devices, increasing the scope of an audit
  • Transmission, Storage, or processing of sensitive data through these newer technologies requires a re-evaluation of the risks, controls, and procedures
  • Deployment and enhanced control environments are required as the technology expands the platform, geography, and dimension of the data itself
  • Management direction must be re-evaluated to ensure that extended operations resulting from newer technologies are aligned and consistent with the strategic efforts of the organization
  • Updates to policies and procedures are necessary
  • Modifications to disaster recovery and backup systems must include these newly introduced technologies that emerge as part of the business processes.

Avoidance of technology leaps and enhancements can damage a firm's competitiveness, but blind adoption can result in far greater financial and legal penalties.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!!  Pre-Order Today 

Categories: Compliance · Governance · IT Controls · Management · PCI DSS · Payment Card Industry Data Security Standard · audit · auditing