Why should an organization address and comply at least with industry supported practices? A question of compliance versus driving business value, and one often raised in the Payment Card space is important to understand and convey at every level of an organization. The importance is building an organization’s security and compliance program in a manner that cohesively manages the demands of client requirements, government cares, and general competitiveness. In an era where competitiveness includes thwarting attackers focused on poisoning your supply chains with misinformation or directly seeking to “acquire” the Intellectual Property that makes the business competitive. The executive and board of directors within an organization are acutely seeking demonstration of focus and effectiveness.
So what are the risks to an organization not managing the risks of an industry standard?
To answer that below I will speak directly to PCI (to eliminate the obnoxious “it depends” statements) and about a Fortune 500 company that has other intellectual property.
Ultimate risk to an organization out of compliance with PCI is well documented (on the Card Brand sites themselves and breach news sites), but stems from a violation of contractual agreements with the business’ banks and ultimately the card brands. This contractual obligation (and violation) can be determined without a breach. The violation (profiled in a public court case out West) can be identified when a QSA / Forensics team from the Card Brands / or any of their team members conduct an assessment of compliance to the organization. The court case referenced is of a restaurant that had been suspected of a Common Point of Fraud; proven to not have been breached, but in violation of PCI DSS based on forensics report issued to Bank & Card Brands). So, the risk and associated damages can result from a breach (classic) or simply by confirmation that the business violated the contract established with the Card Brands.
The highlight here is being compliant means addressing the threat vectors to the business and the assets requiring protection. Failure to achieve those results from either path can result in a number of business and financial negative events. These, in part, are described below:
- Financial punitive fines by the Card Brands ($500k is a number published by the Card Brands)
- Per account # breached associated costs & fines – this number is a hard figure to lock down .. $100-$170 per card in some cases
- Higher interchange fees per card transaction for the entire legal entity – this is very costly and most damaging
- FTC and public government actions, that may include recurring privacy audits (such as 20 years of third party audits)
- Automatic level 1 status for the company (which requires annual onsite attestation)
- If you look at TJX and the other public breaches they have published hose expenses around $130M+
- Civil / class action lawsuits likely
There are also reputation and periphery risks to the business:
- The company possesses additional data protected and considered sensitive by industry and governments around the world, PCI Data is one element but it is likely that these systems share networks, applications, and permissions. The breach of one could inadvertently result in the breach of the other (PII)
- Not at least complying / deploying operational security controls broadly considered baseline practice would be damaging in an era when security of data and confidence is so important
The highlight here is that the risk is not addressed by the issuance of a ROC by a QSA or having run assessments, but that the security and risk programs are operational and effective. These ROC and assessments are simply attestations of a program that is mature and functioning. Compliance is not deemed by a ROC nor does it provide safe-harbor in the common sense of the term. A long standing statement by the PCI SSC is that “no compliant organization has had a breach” <– including TJX, Heartland Payments, and Global Payments all breached with current ROCs signed by TrustWave.
The success of the PCI program is the ultimate reduction of risk and adequate security controls of the organization. The risks addressed through a cohesive integration with the operational elements of the business are the critical success factors.
James DeLuccia IV