The Implications of Handling Credit Card Data
Credit card fraud has always been a major cause for concern for the card brands (VISA, Mastercard, American Express, etc.); with fraud figures running into billions per annum, who can blame them!
Credit card details are stolen from cardholders in all sorts of situations: at restaurants, hotels, retail outlets and so on. However, when an entire database of credit card data is stolen it becomes a real issue, as the numbers immediately run into the thousands. With ecommerce on the rise, and with credit cards increasingly used to effect payments online, websites that transmit, process and/or store credit card data have become prime targets for hackers. The reason is that selling credit card data is a very profitable business!
The card brands invest a lot of time and effort in trying to reduce the incidence of fraud; however, fraud continues to rise. A major investment has been made in chip and PIN technology for physical cards and in online secure payment systems such as 3-D Secure for card-not-present environments (e.g. the Internet).
The card brands had each come up with minimum security standards to be implemented by any merchant or service provider who stores, processes and/or transmits credit card data. Eventually, these standards were amalgamated into one Data Security Standard under the Payment Card Industry Security Standards Council. The council is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Requirements. The card brands want to tackle card fraud from every possible angle.
Now that we understand why and who, let's look at where remote gaming companies fit into this.
A remote gaming company has to collect funds from players before allowing them to gamble on its website. One of the most popular forms of online payment is the credit card. The remote gaming operator has to apply to an acquiring bank to obtain a Merchant ID and then arrange with a payment gateway to provide online payment services. As a merchant, the remote gaming operator has an obligation to become PCI compliant. This means that the merchant must fully comply with all applicable requirements stipulated in the DSS v1.2, assuming of course that the merchant is actually transmitting, processing and/or storing credit card data.
Becoming PCI compliant is neither an easy nor a cheap task, and a merchant is well advised to understand carefully what is required and whether alternative solutions are available before deciding how, if at all, to handle credit card data.
By now all merchants and service providers should be PCI compliant; however, this does not seem to be the case. Recently, acquiring banks have started to apply pressure on merchants to become compliant.
Why would a merchant want to store credit card data?
The reasons vary. The main one is that merchants do not understand the implications of being hacked, nor the costs required to become PCI compliant. Other reasons include fraud management, chargeback management, customer convenience and duplicate account management.
Do these business needs really justify the risk and expense?
It is up to each business to decide on its risk appetite and the availability of funds. Customer convenience and fraud management are good business cases for shouldering the risk and related costs. However, a small operator will find it difficult to afford the costs related to PCI compliance, and alternative solutions are available that achieve the same business needs without the associated risks and costs.
What are the key controls for PCI compliance?
When one goes through the Data Security Standard, similarities to ISO 27001 (the information security standard) and other de facto standards are immediately apparent. Documented policies and procedures are obviously a requirement. Adequate physical and environmental controls over the devices and networks that handle credit card data are also important. The most difficult and complex controls to implement, however, are encryption with its related key management, and log management.
How does a merchant identify whether they need to be PCI compliant or not?
Once you accept credit card data on your website, in all probability you are performing one or more of the following functions: transmitting, processing or storing credit card data. You need to understand exactly the data flow between your customer, the payment gateway and possibly the acquiring bank. You also need to understand what your systems do with credit card data once it has been collected on your website.
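One practical way to answer the question "what do my systems do with card data?" is to check whether card numbers are leaking into places they should never be, such as application logs, which is also where the log management control mentioned earlier bites. The following is an added example written for this page, not code from the article or from Kyte Consultants: it scans log lines for 13 to 19 digit sequences that pass the Luhn check digit test, and masks any it finds down to the first six and last four digits, the most PCI DSS allows to be displayed. The log format and the log lines are constructed sample data; the two card numbers in them are the widely published test PANs, and the 13-digit order number is there to show how the Luhn check rejects ordinary long numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. Deliberately loose; the Luhn check
# below filters out order numbers, timestamps and other long digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in a log line; return the new line and the hit count."""
    count = 0

    def _sub(match: "re.Match[str]") -> str:
        nonlocal count
        digits = SEPARATORS.sub("", match.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)   # separators are dropped in the masked form
        return match.group(0)         # not a card number, leave untouched

    return PAN_CANDIDATE.sub(_sub, line), count


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line number, PAN count, redacted line) for every line that leaked a PAN."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, count = redact_line(line)
        if count:
            hits.append((number, count, redacted))
    return hits


# Constructed sample log lines (not from any real system). The card numbers are
# the well-known test PANs 4111 1111 1111 1111 and 5500 0000 0000 0004; the
# 13-digit order number fails the Luhn check and must not be flagged.
SAMPLE_LOG = [
    "2009-01-15 10:02:11 INFO deposit ok player=8812 order=1234567890123 amount=50.00",
    "2009-01-15 10:02:12 DEBUG gateway request pan=4111111111111111 exp=12/10",
    "2009-01-15 10:03:40 DEBUG retry pan=5500 0000 0000 0004 result=declined",
    "2009-01-15 10:04:01 INFO session=77f3a9 logout player=8812",
]

if __name__ == "__main__":
    for number, count, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {count} PAN(s) found -> {redacted}")
```

Run against a real log export, the hit list tells you two things at once: that card data is flowing through a system you may not have counted as in scope, and which log lines need to be masked or suppressed at source. A Luhn match is not proof (roughly one random digit string in ten passes), so treat hits as leads to verify against the actual data flow rather than as a final finding.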
How can you determine what Merchant Level the remote gaming operation is? Does it make a difference to PCI compliance requirements?
Merchant Levels are determined by the volume of credit card transactions processed per annum. The card brands have different levels; however, the most stringent one will be applied. Furthermore, an acquiring bank can itself determine the level at which a merchant is to be classified. This enforced classification is normally based on the bank's perception of the risk related to the merchant.
The validation requirements for each level vary; however, irrespective of the Merchant Level, full compliance with the PCI DSS is required. So, for example, if you only process 20,000 transactions a year, your operation is classified as Level 4 and your validation requirements would be to fill in the Self-Assessment Questionnaire and submit it to the acquiring bank, and to have a quarterly vulnerability scan carried out by an Approved Scanning Vendor (ASV). Level 1 would require an on-site audit by a Qualified Security Assessor (QSA), an annual internal and external attack and penetration test, and the quarterly vulnerability assessments by an ASV.
Not being compliant is not an option. Huge fines and lawsuits can be brought against companies who suffer theft of credit card data.
Author: Alan Alden
Kyte Consultants Ltd
Date: Jan 2009