In December 2004, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS). This standard marked a turning point in the security management that had been applied to payment card data protection up to that point. By organizing a series of physical, logical and administrative controls into different groups and requirements applicable to a specific asset environment and data (cardholder data and sensitive authentication data), it was possible to define a security baseline for managing the risk associated with card payments. These same criteria have persisted throughout the different versions of the standard (currently v3.2.1, published in May 2018).
However, this standard and others like it (such as ISO/IEC 27001 or ISO 22301) do not take into account the size or complexity of the organization in which they are implemented; they are written from a generalist perspective so that they apply uniformly to any environment. It is precisely at this point that many projects, both PCI DSS implementations and formal assessments, fail: they approach compliance without a defined strategy, regardless of whether the organization is small or large.
Focusing on this last point, what elements should be taken into account to classify an organization as "small" or "large"? It all depends on what we compare it to, with the risk that the result may always be subjective. For reference purposes, the following values could be used to determine the size of an organization from a PCI DSS perspective:
Number of physical locations
Number of payment channels
Number of payment interaction points
Number of employees
Number of payment transactions processed
If we assume that an organization is "large" (because the answers to the questions above are significant in number), then we can also assume that implementing and operating the standard's security controls will be more complex than in a small organization, since its risk is proportionally higher.
In that regard, how can a compliance strategy be established that optimizes the effort, time, and cost of implementing PCI DSS controls in a large organization?
To answer this question, in February 2020 the PCI SSC published "PCI DSS for Large Organizations", which lists a number of strategies to improve a large organization's card payment environment within the PCI DSS standard.
An effective strategy for managing large and complex scenarios is to use the concept of "divide and conquer" (from the Latin divide et impera), applying recursive logic to reduce a problem into one or several sub-problems of the same class or type as the original. The solution to the original problem is then obtained by combining the solutions of the sub-problems.
Applying this concept, a large-scale implementation of PCI DSS controls can be carried out by dividing the organization into environments, tasks, or business units that are more narrowly defined but share similar characteristics. For example, if a large organization has multiple payment channels in different geographic regions, with different acquirers and even dedicated personnel, these elements can be grouped into similar environments, and compliance actions can be applied at the level of each group and adjusted to its particular circumstances. In the end, the organization's overall compliance will be the sum of the compliance of these groups.
To ensure consistency throughout the organization, some tasks must be cross-cutting (e.g., implementing security policies and managing projects globally), but others can be specific and customized to each environment based on its risk. It is essential that centralized monitoring of activities is maintained to identify possible deviations and to obtain an overview of the compliance status at any time that is required.
The information supplement "PCI DSS for Large Organizations" identifies a number of critical areas in which this criterion can be applied, as follows:
1. Definition of a strict compliance baseline at the global level of the organization;
2. Identification, classification and organization of assets into groups based on similar characteristics;
3. Analysis of the applicability and deployment of PCI DSS controls in each of these groups based on their risk; and
4. Centralization of monitoring, follow-up and compliance reporting.
The success of this process is based on a corporate culture of collaboration and communication, as well as the support and commitment of executive management.
The PCI compliance journey may seem overwhelming, but we are more than ready to walk you through this journey guaranteeing that nothing is missed. Get in touch with our cyber security experts today to get a free consultation on your cyber security posture.
I am the Senior Security Consultant in Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies and design and policy development among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor