When it comes to security breaches no industry is completely safe. According to the Breach Level Index 2018, financial, retail, technology, and hospitality industries account for an unbelievable 26% of cybersecurity breaches in the world.          

Have you ever wondered if Payment Card Industry Data Security Standard (PCI DSS) takes care of cardholder data security across different industries in a consistent manner as a universal compliance mandate? At Advantio we believe that each project has to be approached with the best possible understanding of a client’s business and industry specifics to perform PCI DSS compliance assessment most efficiently. Therefore, starting from September this year we’ll be posting a few separate blogs discussing industry-specific challenges affecting PCI DSS compliance for – e-commerce, call centers, retail, hospitality, ATMs, issuers and acquirers.

We’ll be looking at different types of e-commerce implementation, such as URL Redirects, iFrame, Direct Post Method (DPM), JavaScript forms, Application Programming Interface (API), wholly outsourced e-commerce solutions, and their impact on PCI DSS compliance validation effort.

As for call centers and their PCI DSS compliance path we’ll analyze the protection of telephone-based cardholder data, higher than average staff turnover and its impact on processes, and Voice over Internet Protocol (VoIP) specifics.

The PCI DSS challenges in the retail industry will be covered by a more in-depth review of Point-to-Point Encryption (P2PE) and non-listed encryption solutions.

The hospitality industry is subject to PCI cardholder data security standards as well, including sensitive authentication data storage prior to authorization for quite some time if, for example, hotel bookings are made well in advance. In fact, this area is not covered within PCI DSS apart from the requirement not to store sensitive authentication data after authorization.

ATM environments are also subject to very specific constraints when it comes to PCI DSS compliance due to geographical dispersion, tendency of more legacy operating systems and targeted malware attacks.

Finally, the issuers and acquirers as two cornerstones of the payment card transaction lifecycle usually have a specific approach in terms of PCI DSS compliance validation. Acquirers first and foremost have to take care of their merchants, while issuers make sure sensitive authentication data is protected accordingly (an area where PCI DSS lacks specifics).

So, are you ready to learn more about PCI DSS peculiarities in different industries? The first blog in the series is dedicated to ATM environments.

ATM environments case

In my professional life as a cyber security professional, I’ve been involved in dozens of ATM compliance and security projects. So, all the insights specified in this and upcoming blog posts are based solely on my 14+ years of experience in the industry. 

First of all, let’s bust a myth by confirming that ATM environments do fall into the scope of PCI DSS compliance validation as cardholder data is processed and transmitted (hopefully not stored) there. The problematic aspects here are geographic dispersion of ATMs, tendency to use more legacy operating systems and targeted malware attacks.

Considering geographic dispersion, one has to pay specific attention to physical security and remote interaction with the ATMs, including quarterly vulnerability scanning, for example. Many ATMs in the world are still running on older operating systems, which inevitably calls for the need to apply compensating controls when undergoing PCI DSS compliance validation.

Another area ATM environments are known for is targeted malware attacks. This means that application whitelisting solutions, including host-based Intrusion Detection/Prevention Systems (IDS/IPS) with USB port protection and personal firewall functionality, may cope with such threats better than traditional ‘blacklist’ antimalware products. Again, due to geographic dispersion and relatively low computing power traditional ‘blacklist’ antimalware solutions are not easy to maintain given the need for regular updates and scans (not to mention ever-increasing database of malware signatures) to ensure PCI DSS compliance.

In a sense, application whitelisting solutions when implemented properly could be treated as compensating control for usage of legacy operating system and lack of traditional ‘blacklist’ antimalware solutions. However, any compensating controls must always be reviewed and agreed upon with your Qualified Security Assessor (QSA).

In January 2013 Payment Card Industry Security Standards Council (PCI SSC) issued ATM Security Guidelines, which was a good attempt to cover industry specifics as PCI DSS was too universal. It’s important to note, and it is emphasized within PCI SSC’s document itself, that the guidelines are not intended to cover protection of cash stored within the ATM (an area as interesting, if not more, as cardholder data for an attacker).

Remember, PCI DSS only cares about the security of cardholder data, and this makes the above document quite specialized in the holistic view of ATM security. If you want to ensure ATM security not only in light of PCI DSS compliance, you should look at ATMIA (ATM Industry Association) Best Practices, available only to ATMIA members, or you can contact us for a piece of advice how deep or how far you can go in this area.

To ensure that you are keeping cardholder data protected, get in touch with our cyber security experts. The PCI compliance journey may seem overwhelming, but we are more than ready to walk you through this journey guaranteeing that nothing is missed.

Contact us

Irmantas Brazaitis

Written by Irmantas Brazaitis

PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects having worked for global payment service providers alongside the Fraud team, engaged in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).

Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.