Banks which issue or acquire credit cards shall - without exception - comply with the credit card companies' Payment Card Industry Data Security Standard (PCI DSS). This requirement can be found in the credit card companies' operating manual, which describes the obligations that a bank must meet if it holds a credit card licence. In practice, this means that although one or more acquiring banks hold the licence for credit cards in a specific country, all banks in that country lie within the scope of the licence agreement and, as a result, are obliged to obtain PCI DSS validation.

In addition to the fact that banks are required to comply with PCI DSS, there are a number of benefits associated with doing so:

Avoid the inconvenience of credit card theft
PCI DSS is designed to protect credit card data and thus prevent the inconvenience that results from card theft. For banks, this primarily involves reissuing credit cards, covering losses on the cards on which fraud has been committed and cleaning up IT systems. Furthermore, the bank's image can be damaged if the bank is subject to repeated credit card theft.

Attractive target for hackers
The theft of credit card data has risen sharply in recent years. Today, credit card information is just as attractive a target for hackers as home banking systems. At the same time, shops are increasingly removing credit card data from their systems, which in turn means that banks have become the primary target for hackers looking to steal credit card information. Moreover, banks have access to the full range of credit card data, including PIN data.

Inappropriate protection of credit card data
Although the majority of banks generally have their IT security under control, their risk assessments have traditionally not taken into account the sharp increase in the risk of credit card data being stolen. In many cases the banks' systems are designed in a way that protects credit card data poorly, as witnessed, for example, by the use of the credit card number as the primary key in databases. It is therefore vital to enhance both the IT systems and the processes so that credit card security covers everything from the storage of data on mainframes to the business procedures in the individual branches of the bank.

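As an added illustration of moving away from the card number as primary key (example code written for this page, not FortConsult's own and not from any bank's system): a constructed SQLite schema keyed by a surrogate id that stores the PAN only as a truncated display value and a keyed-hash lookup token, as PCI DSS requirement 3.4 expects. The table layout, the secret key and the test PAN are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: a surrogate id is the primary key, not the card number.
# The PAN survives only as a keyed hash (lookup) and a truncated form (display).
SCHEMA = ("CREATE TABLE card (card_id INTEGER PRIMARY KEY, "
          "pan_hmac TEXT NOT NULL UNIQUE, pan_masked TEXT NOT NULL, "
          "holder TEXT NOT NULL)")

def luhn_valid(pan: str) -> bool:
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate to first six and last four, the most PCI DSS lets you show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed hash used as the lookup key. The secret key is what stops someone
    who holds this value and the masked PAN from brute-forcing the six hidden
    digits; an unkeyed SHA-256 of the PAN would fall to that in seconds."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def store_card(conn, pan: str, holder: str, key: bytes) -> int:
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    cur = conn.execute(
        "INSERT INTO card (pan_hmac, pan_masked, holder) VALUES (?, ?, ?)",
        (pan_index_token(pan, key), mask_pan(pan), holder))
    return cur.lastrowid

def find_card_id(conn, pan: str, key: bytes):
    row = conn.execute("SELECT card_id FROM card WHERE pan_hmac = ?",
                       (pan_index_token(pan, key),)).fetchone()
    return row[0] if row else None

def full_pan_present(conn, pan: str) -> bool:
    """Audit check: the raw PAN must not appear anywhere in a dump of the table."""
    return pan in "\n".join(conn.iterdump())
```

The HMAC key must live outside the database (an HSM or key store), since with the key the lookup token is only as secret as the key itself.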
In other words, there are a lot of good reasons to take steps to improve credit card security in banks, and as such PCI DSS can be useful, in addition to the simple fact that it is a requirement. Furthermore, remember that you can in all likelihood save time on your internal auditing once you have received PCI DSS validation, because your IT security can be examined on the basis of this validation.

Effective PCI DSS assistance
Whether your particular bank needs to have an audit carried out depends on whether you are an acquiring bank or an issuing bank - and on any agreements that have been concluded with the credit card companies' organisation, the PCI Council. Regardless of which PCI DSS requirements you have to satisfy, FortConsult will be able to help you - either with advice concerning how the requirements are to be interpreted and demarcated between you and your data centre, or through the performance of an audit, which can be certified by the credit card companies and result in qualification for PCI DSS validation.

We are also able to offer you a gap analysis, in which we ascertain your exact PCI scope, including how close you are to being able to qualify for PCI DSS validation and what steps you need to take - nothing more, nothing less - in order to be fully prepared. In our experience, such an analysis is the best way to get a general picture of where to focus efforts in order to comply with PCI DSS. In this way, you will ensure that you can work effectively towards being audited and qualifying for PCI DSS validation, rather than having to rush everything through and risk not being finished until the last possible moment.

During the course of the gap analysis it is important that you communicate your PCI DSS status to the credit card companies on a regular basis once they have laid down the exact PCI DSS requirements and deadlines for your PCI DSS validation, thus enabling you to implement a carefully considered and balanced PCI DSS process. FortConsult will be happy to deal with this communication for you.

Why choose FortConsult as your PCI partner?
FortConsult is one of only a few security companies in Scandinavia that has been certified by the PCI Council to conduct audits (PCI QSA) and scanning on behalf of the credit card companies. We were the first enterprise in Scandinavia to be PCI DSS certified, and have subsequently accumulated a great deal of experience in interpreting the requirements from the credit card companies and working with the PCI Council as well as the credit card companies. This means that we are able to help you obtain PCI DSS validation in the most effective manner.

We are one of only a few operators on the PCI market which, via our core competencies within professional hacking, combines the PCI DSS requirements with a fundamental focus on the overall philosophy behind PCI DSS, i.e. to protect enterprises against credit card theft by malicious hackers. This means that generally speaking we are able to balance the PCI DSS requirements against your existing or planned security control procedures.

Considerable PCI DSS experience from the bank sector
Thanks to our many customers in the financial sector and our early PCI DSS certification, we have been chosen by PBS and the Danish bank sector to handle the PCI process for all Danish bank data centres. In addition, we are a permanent qualified security assessor for the majority of Danish banks that require PCI DSS assistance.

Another example is Portugal, where we are a permanent full-line supplier in the PCI DSS area to Portugal's biggest acquiring bank, SIBS. SIBS is responsible for more than 2 billion card transactions every year and controls 95 percent of all POS and ATM terminals in Portugal in an extensive network. A final example is CEKAB in Sweden, which handles more than 1.3 billion transactions annually for acquirers and issuers of credit cards throughout Scandinavia.

In other words, we have accumulated a great deal of experience in helping banks to obtain PCI DSS validation, including assessing what is required in order to be validated and determining the interface between the IT systems of the banks and their data centres.

If you choose to work with FortConsult in the PCI DSS area, you will therefore benefit from the fact that representatives from the bank sector have established, or are in the process of establishing, a common standard with us for the sector's credit card security based on our proposed solutions. This applies, for example, in the fields of security in MPLS networks, handling of ATMs, logging requirements and wireless networks.

Practical experience in interpreting PCI DSS
Our general approach to working with PCI DSS is to find the right balance between doing enough, yet at the same time not doing too much. Experience has shown what can be done in practice, not least because we have established a good, long-term working relationship with the credit card companies and the PCI Council. In addition, we can offer different solutions to our customers because we know how the grey areas of PCI DSS can be interpreted.

Over the years, our PCI consultants have conducted a large number of audits and other PCI DSS tasks for European enterprises. Apart from their skill in quickly understanding the "credit card universe" of our various customers, they are experienced project managers who are able to ensure that major PCI DSS projects enjoy a successful outcome.

If you wish to know more about the standard and how best to achieve PCI DSS validation, you are welcome to contact us at info@fortconsult.net.

In the following, you can read more about PCI DSS itself and what it means for European banks: