PCI DSS 3.0 Webinar Q&A - Fines, tokens and P2P

Last week, we were fortunate to have Jeff Tutton from Intersec Worldwide join Chris Noell to deliver a very informative and useful webinar on what’s changed in the PCI DSS 3.0 requirements and how to prepare your organization.

If you missed the event, here are links to the slides and the recording:

We also did a webinar that introduced Alert Logic solutions for PCI DSS and you are welcome to watch that recording as well.

During last week’s event, Jeff and Chris answered questions about vulnerability scanning, penetration testing, how the requirements affect different levels of merchants, and more. We ran out of time to answer every question so they were gracious enough to answer a few more questions.

What are the specific fines and penalties for non-compliance and is this aspect of PCI DSS changing with the new requirements?

The actual fines and/or penalties associated with non-compliance with the PCI DSS and/or confirmed security breaches are defined by each of the payment card brands, so fines can vary by card brand and/or merchant level.

The card brand websites don’t provide specific details (no brand publishes a table saying “these are our fines”), but other sites give guidelines. For example, the table below from the Focus on PCI website gives some ranges…

It’ll be up to the banks and payment card brands to decide to increase the fine and penalty amounts.

In addition to the amounts shown above, in the event of a breach, the breached party will be responsible for reimbursing issuing banks for the costs of reissuance and fraud watch programs as well as fraudulent charges.

Finally, it’s important to consider brand impact of non-compliance, particularly in the event of a breach. For large merchants, lost sales and brand impairment are typically the most significant damage.

How does using tokenization of card data impact our requirements?

Protecting cardholder data by tokenization (substituting the card data that would otherwise be stored with randomly generated values that can only be mapped back to the card data using a unique identifier) is one way for merchants to reduce their PCI footprint. The tokens are stored in a central vault, typically offsite, meaning fewer systems store card data, which reduces the audit footprint.

The storage of tokens and payment card data must comply with the PCI requirements but using tokens can simplify meeting the requirements by reducing the number of systems that are within the scope of PCI.
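To make the scoping point concrete, here is an added example (not code from the webinar, Alert Logic or Intersec Worldwide) of a minimal tokenization vault in Python. The `TokenVault` class, the `luhn_valid` helper and the `checkout_record` function are all hypothetical names chosen for this illustration, and the in-memory dictionaries stand in for what would be a separate, access-controlled vault service. It shows the two properties the answer above relies on: the token is random data with no mathematical relationship to the card number, and the only way back to the primary account number (PAN) is a lookup in the vault, so the merchant's order records never hold card data.

```python
"""Added example: a minimal tokenization vault (hypothetical, not a product API).

The merchant system keeps only tokens; the token-to-PAN mapping lives in the
vault, which is the one system that still stores card data and stays in scope.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a vault service (assumption: a real vault is a
    separate, access-controlled service, typically hosted offsite)."""

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN (the sensitive mapping)
        self._token_by_pan = {}   # PAN -> token, so a card always gets one token

    def tokenize(self, pan: str) -> str:
        """Return a token for a well-formed PAN, creating one on first use."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        while True:
            # Random digits for the body; the last four are kept so receipts and
            # customer lookups still work without touching the vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, the PAN itself, and any Luhn-valid value so a
            # leaked token cannot be mistaken for a real card number
            # (a design choice in this example, not a PCI DSS requirement).
            if (token != pan
                    and token not in self._pan_by_token
                    and not luhn_valid(token)):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN; only the vault can do this."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def checkout_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant's order system stores: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample PAN (a well-known test number, not a real card).
    order = checkout_record(vault, "4111111111111111", "19.99")
    print(order)                               # contains a token, no PAN
    print(vault.detokenize(order["token"]))    # only the vault can reverse it
```

Note what the example does not do: the card number still passes through the merchant's process memory on its way to `tokenize`, which is exactly the processing window the following paragraph describes. Tokenization shrinks where card data is stored; it does not by itself protect data while it is being handled.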

Some merchants view tokenization as a “get out of PCI free” card. This is not the case. While tokenization solves some problems related to secure data storage and scoping, it does not typically address one of the most common forms of breach – malware installed on the point of sale itself that scrapes card numbers out of memory. Remember – PCI requires protection of data while it is transmitted, processed, and stored. Protecting data while it is processed is no small challenge.

How does PCI DSS 3.0 affect merchants utilizing P2PE technologies?

Point-to-point encryption (P2PE) is extremely useful for keeping card data secure by immediately encrypting it at the point of sale device and keeping it encrypted all the way to its final destination.

If your organization is taking advantage of P2PE technology, your responsibilities don’t change with the PCI DSS 3.0 requirements. You still need to use a validated P2PE solution and segment P2PE network channels.

The PCI Security Standards Council P2PE documentation is your best source for details on P2PE.

If you’d like more detail or have other PCI DSS questions, Jeff and the team at Intersec Worldwide are great PCI DSS resources or feel free to get in touch with us at Alert Logic.