Financial Regulation and Supervision - Essay Example

Financial Regulation & Supervision

Executive Summary

The concept of business has changed in the last two decades, with more emphasis on e-commerce around the world. In layman's terms, e-commerce refers to buying and selling goods over the World Wide Web. However, there is more to this interconnected concept of technology and business. The changed face of business has brought changes in the way transactions occur through debit cards and credit cards, and the issue of security has often been cited as a barrier to e-commerce (May, 2000, p.165). In response to such a barrier, firms engaged in such business have continuously assisted the establishment of a set of standards known as PCI DSS, which today governs all the firms engaged in online transactions in the developed world. These regulations protect not only the firms involved in online transactions but also the cardholders from being exploited by online fraud. Such compliance requirements have posed new challenges as to how to minimize compliance costs and continuously monitor the security systems to stay ahead of web criminals. Nevertheless, the benefits seem to surpass the costs associated with these regulations.

Table of Contents

Executive Summary
Introduction
Facts of the Case
Andrews' Options with Bank
Advantages of PCI DSS Compliance Advisor
Conclusion
References
Bibliography

Introduction

A few years back, fraud in payment cards was conducted by small-time criminals who took advantage of opportunities as they came along. Today, however, it has become a well-organized crime in which sensitive customer information is stolen and ruthlessly exploited, affecting millions of cardholders and retail businesses. Considering this, the PCI DSS were introduced. PCI refers to 'Payment Card Industry' and DSS to 'Data Security Standard' (Carpenter, 2010).
This is a statement of compliance with an information security standard applied worldwide, which ensures that companies involved in the processing of payment cards such as debit cards and credit cards implement secure processing practices. PCI DSS are industry standards, but they are not enforceable by law (Gregory, 2008, p.12). The PCI Security Standards Council was established in September 2006 for the management and development of PCI security standards to improve payment account security in the transaction process (PCI Compliance Guide, n.d.). PCI SSC was formed by major credit card brands such as VISA, American Express, MasterCard, JCB and Discover (Kim and Solomon, 2010, p.395). These brands and their acquirers are responsible for enforcing compliance with the standards. All merchant companies that process, transmit or store cardholder data should be PCI DSS compliant. There are three steps in adhering to the standards:

1. Assess: identify cardholder data, inventory business processes and IT assets, and analyse vulnerabilities in the security system for potential cardholder data exposure.
2. Remediate: do not store cardholder data unless needed, and fix the vulnerabilities identified in step 1.
3. Report: compile and submit the required validation records and compliance report to the acquiring bank and the payment card company (Hart et al, 2010, p.357).

There are four merchant levels:

Level 1: A level 1 merchant has aggregate annual online transactions of more than six million and has been subject to a cardholder data breach or poses significant risk. Such merchants are required to have an onsite audit every year by a Qualified Security Assessor and a quarterly network security scan by an Approved Scanning Vendor (Bradley, 2007, p.209).

Level 2: A level 2 merchant has annual aggregate transactions between one million and six million.
They should submit a PCI DSS self-assessment questionnaire (SAQ) on an annual basis and have network scans conducted every three months by an Approved Scanning Vendor.

Level 3: Level 3 merchants have annual aggregate transactions between 20,000 and one million; they should therefore submit a PCI DSS SAQ on an annual basis and have network scans every three months.

Level 4: These merchants have fewer than 20,000 online transactions every year (Jackson, 2010). This also includes merchants with fewer than one million annual transactions. They should submit an annual PCI DSS SAQ and have network scans conducted every quarter by an ASV.

Facts of the Case

The facts of the case are as follows. Andrews Pick & Mix is an online UK retailer whose online income is small but is generated from a diverse product range. Its web servers are hosted and designed by an external agency, which has also developed an online payment application for it. Its online payment system is integrated with a third-party provider of payment card processing. Andrews Pick & Mix is not PCI DSS compliant, and has been notified of this by its merchant bank along with the advice to appoint an advisor to achieve compliance. The retailer is not aware of the risks, the level of charges for compliance or the contractual obligations, and has therefore been asked by its acquiring bank to take advice from a UK-based firm on achieving PCI DSS compliance. A gap analysis against the PCI DSS requirements reveals that Andrews Pick & Mix is a low-volume retailer and comes under merchant level 4 (tier 4), with fewer than 20,000 annual transactions.

Andrews' Options with Bank

Andrews' acquiring bank is the medium for building trust between the retail merchant and the credit card company, as it is the one that will be burdened by the credit card company if Andrews suffers a breach. Therefore, it is necessary for Andrews to be adequately protected. Andrews is currently not PCI DSS compliant but wishes to become so, as its online income is small but significantly diverse.
Moreover, non-compliance is likely to increase risk through greater processing charges or withdrawal of the facility by the acquiring bank. It may also attract fines and penalties from the acquiring bank and the payment card issuers to cover the increase in fraud risk.

The PCI DSS framework is based on 12 security requirements under six categories:

Establish and maintain a secure network:
1. To protect cardholders' data, a compliant firm should install and maintain a firewall configuration.
2. Vendor-supplied defaults such as system passwords and other security parameters should not be used.

Protection of cardholder data:
3. Stored cardholder data should be protected.
4. The transmission of cardholder data across all public and open networks should be encrypted.

Vulnerability management programme:
5. Use and regularly update anti-virus software and other anti-malware controls.
6. Develop and maintain secure systems and applications.

Appropriate access control measures:
7. Access to cardholder data should be restricted by business need to know (Grama, 2010, p.113).
8. Each person with computer access should have a unique ID.
9. Physical access to cardholders' data should be prevented.

Test and monitor networks:
10. Access to cardholder data and network resources should be tracked and monitored.
11. Security systems and applications should be regularly tested.

Information security policy:
12. There should be a policy addressing information security for vendors and employees.

The compliance procedure for a tier 4 merchant is as follows:
1. Identify its validation type as defined under PCI DSS to determine the self-assessment questionnaire appropriate for its business.
2. Complete the self-assessment questionnaire as per the given requirements and guidelines.
3. Complete a passing vulnerability scan and obtain evidence of the same from a PCI DSS ASV (Approved Scanning Vendor).
For a merchant that stores cardholder information or has a processing system with internet connectivity, a quarterly scan is required.
4. Complete the attestation of compliance.
5. Submit the self-assessment questionnaire, evidence of a passing scan, the attestation of compliance and other requested documents to the acquiring bank (Visa-a, 2007).

In the light of the facts of the case, the compliance requirements and the compliance procedure, Andrews has two options:
1. Upgrade the current payment system to make it PCI DSS compliant.
2. Completely remove cardholder data from the online systems, i.e. pay page integration.

Andrews needs to assess the relative costs and benefits of both options. If Andrews chooses the first option, it should inform its acquiring bank and the credit card company that it is presently not PCI DSS compliant but is in the process of becoming so, and enquire whether its bank offers a hosted system, the charges and fees required for switching to the hosted payment option, and the current charges on the internet merchant account. This is required to assess the costs of the first option. Andrews should also determine the costs of switching payment systems and of meeting the requirements stated above.

The second option, pay page integration, i.e. removing all cardholder data from the online systems, would require the checkout process to be undertaken on a third-party payment page, returning the customer to the company's website once the transaction is complete. This differs from the present system, in which the customer provides the credit card details on the retailer's website. It would involve costs associated with changes to the website, explaining the changes to customers, and assuring them that orders are placed successfully and securely.
The greatest advantage of this option is that Andrews' website will not hold any cardholder data and is therefore not liable for the customer's card security; the disadvantage is that Andrews will have no control over the payment process, as the final step takes all details to the payment server, and it cannot even put its logo on the payment screen.

Advantages of PCI DSS Compliance Advisor

To become PCI DSS compliant, all merchants have to liaise with assessors, also known as Qualified Security Assessors (QSAs). QSAs perform PCI data security assessments for service providers and merchants and are approved by the PCI SSC (Visa, 2012). In addition to the merchant's payment processes, the assessment also evaluates its IT infrastructure against the requirements laid down by the payment card industry. Compliance with PCI DSS is not a difficult task if planned and executed carefully and effectively. Therefore, it is important to get trained and professional assistance from QSAs to plan the compliance procedure, as this will help prevent non-compliant structural designs and configurations and unnecessary remediation. However, many firms try to save the expense of engaging a QSA until later; by not engaging a qualified advisor, they subsequently end up with a more expensive compliance process than what could have been simpler and more economical (Thapar, 2010, p.2). As compliance is an ongoing process, it becomes difficult to adhere consistently to the guidelines under the PCI Data Security Standard, which involve, for example, continuous review of firewall rules; some advisors provide automated continuous compliance monitoring against PCI DSS and let merchants know in case of policy violations. The following are the potential benefits that engaging an advisor for PCI DSS compliance may bring to Andrews Pick & Mix:

The advisor company would engage with Andrews Pick & Mix to prepare estimates and to understand the scope of the compliance.
It would review Andrews' documentation and verify through its team of QSAs that the PCI DSS requirements are met. It would also conduct a gap analysis and prepare a report on it, identifying the areas that have not met the requirements and recommending solutions for them. It would also prepare and deliver presentations on security-related issues. It can therefore be inferred that Andrews Pick & Mix would definitely benefit from taking the external company's assistance to understand its current state and draft the compliance architecture.

Conclusion

This project examines the compliance issues at Andrews Pick & Mix, a UK-based retailer that is engaged in online sales but is not PCI DSS compliant. This has posed transactional risk and financial risk for the retailer as well as for its acquiring bank and the payment card company. The risks take the form of transaction fraud faced by cardholders, as their sensitive data may be exposed to web criminals, and of financial liabilities for all the parties involved. In order to minimize these risks, the payment card industry around the world imposes the PCI DSS standards, and any merchant not adhering to them is liable to fines and revocation of its activities. This has made compliance with the standards very important for Andrews. Andrews can either upgrade its payment system to be PCI DSS compliant or use the option of pay page integration, where the third party will be responsible for cardholder data security. Considering the costs of both options, the level of online transactions, and the requirement for an advisor in the case of the former option, Andrews can choose pay page integration in the short run while slowly preparing itself for PCI DSS compliance as the volume of online transactions increases.
Andrews' decision to switch to a PCI DSS compliant payment system should be carefully analysed with the help of an advising company, because of the benefits it provides, such as preparation of estimates and compliance scope, gap analysis, continual monitoring of compliance with the requirements, and solutions based on assessment of the merchant's business activities.

References

Bradley, T., 2007. PCI Compliance: Implementing Effective PCI Data Security Standards. USA: Syngress.
Carpenter, T., 2010. SQL Server 2008 Administration: Real-World Skills for MCITP Certification and Beyond. John Wiley and Sons.
Grama, J., 2010. Legal Issues in Information Security. United Kingdom: Jones & Bartlett Publishers.
Gregory, P., 2008. IT Disaster Recovery Planning For Dummies. New Jersey: John Wiley & Sons.
Hart, T., et al, 2010. Internet Management for Nonprofits: Strategies, Tools and Trade Secrets. New Jersey: John Wiley and Sons.
Jackson, C., 2010. Network Security Auditing. USA: Cisco Press.
Kim, D. and Solomon, M., 2010. Fundamentals of Information Systems Security. United Kingdom: Jones & Bartlett Learning.
May, P., 2000. The Business of Ecommerce: From Corporate Strategy to Technology. United Kingdom: Cambridge University Press.
PCI Compliance Guide, n.d. PCI Compliance Guide Frequently Asked Questions. [Online] Available at: http://www.pcicomplianceguide.org/pcifaqs.php [Accessed 20 March 2012].
Thapar, A., 2010. 10 Tips for a Successful PCI DSS Compliance Project, White Paper, Security Solutions. [Pdf] Available at: http://www.verizonbusiness.com/resources/whitepapers/wp_pci-dss-compliance_en_xg.pdf [Accessed 20 March 2012].
Visa, 2012. Assessors | Merchants | Visa USA. [Online] Available at: http://usa.visa.com/merchants/risk_management/cisp_assessors.html [Accessed 20 March 2012].
Visa-a, 2007. Level 4 Merchant Compliance Program Requirements, CISP Bulletin. [Pdf] Available at: http://usa.visa.com/download/merchants/level_4_merchant_compliance.pdf [Accessed 20 March 2012].

Bibliography

Calder, A. and Carter, N., 2008. PCI DSS: A Pocket Guide. IT Governance Publishing.
Chuvakin, A. and Williams, B.R., 2009. PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. 2nd ed. USA: Elsevier.
Fry, C. and Nystrom, M., 2009. Security Monitoring. USA: O'Reilly Media, Inc.
Gary, H., 2008. Security Monitoring with Cisco Security MARS. India: Pearson Education India.
Harwood, M., Goncalves, M. and Pemble, M., 2010. Security Strategies in Web Applications and Social Networking. United Kingdom: Jones & Bartlett Publishers.
Moeller, R., 2010. IT Audit, Control, and Security. John Wiley and Sons.
Virtue, T.M., 2008. Payment Card Industry Data Security Standard Handbook. John Wiley and Sons.
Wright, S., 2011. PCI DSS: A Practical Guide to Implementing and Maintaining Compliance. 3rd ed. United Kingdom: IT Governance Ltd.