
PCI DSS: Trends and Benefits



(Photo by Håkan Dahlström, CC)

Recently, we conducted a survey among fifty significant players in the market of electronic payments in Russia and Kazakhstan. The largest payment systems told us about the benefits of PCI DSS certification.
The PCI DSS standard was developed by the Payment Card Industry Security Standards Council. It defines the requirements for organizations related to the security of payment card data.

In total, the standard contains 12 requirements, which are divided into six categories:

Network security support
Data protection
Vulnerability management
Access control
Network monitoring
Information security management


In total, the standard requires about 440 verification procedures.

Benefits of PCI DSS


The benefits of PCI DSS certification fall into two categories: reputational and technological. From a technological point of view, PCI DSS acts as a guarantee of customer data security and of service resilience against external threats such as virus and DDoS attacks.

Moreover, protection against attempts by malicious actors to steal card data allows a company to avoid the losses and penalties associated with such theft.



(Photo by Anders.Bachmann, CC)

“Over the past two years, the number of malicious attempts to hack our customers' data has increased, and working in full compliance with the requirements of the certificate helps to reduce the headache intensity,” said Dmitry Popov, commercial director of IntellectMoney. “Plus, users who see the PCI DSS mark on our page show a high conversion of successful payments.”

There is also a reputational component. When a person far from cyber security sees a PCI DSS badge, they perceive it as an additional level of protection (much like a valid SSL certificate). Thus the certificate becomes another argument that helps convince the company's potential customers to enter the conversion funnel.

Passing an audit for compliance with the PCI DSS standard signals to the company's customers a genuinely high level of card data security. In addition, PCI DSS structures the knowledge and criteria that information security personnel need to strive for.

Thus, compliance with this standard is not just a formal procedure, but a matter of real security in processing and transmitting the data of customers who use payment instruments. Implementing PCI DSS allows a company to adopt global best practices, streamline its business processes and improve its reputation, and this often opens the way to new markets.

Hosting PCI DSS


The PCI DSS compliance audit is performed initially and then repeated annually. Some companies face certain difficulties during the initial preparation, so they engage certified consultants who help develop the documentation and design the architecture (for more information about the certification process, please read our blog).

Participants in the electronic payment systems market agree that implementing the PCI DSS standard is a demanding task that requires both time and money, so, to simplify the certification process, most companies use the services of suppliers who take on responsibility for meeting part of the standard's requirements. According to our survey, 77% of participants in the electronic payment market use the services of certified suppliers.



This is explained by the fact that the transfer of part of the responsibility for implementing the PCI DSS requirements to an external company greatly simplifies the work. The most common service in Russia at the moment is physical placement or colocation, when a company rents racks or individual units in a certified data center.

At the same time, there is a tendency towards a gradual transition from physical placement to higher levels of transfer of responsibility, namely the rental of server infrastructure (IaaS).

“The use of certified suppliers with the necessary expertise and a guaranteed resource greatly simplifies life. The more resource-intensive tasks you can give to a reliable partner, an expert in your field, the better,” says Dmitry Telenov, technical director of InPlat.

The higher level of outsourcing is so-called managed services, or MSP (Managed Service Provider) services, where the supplier provides its customers not only with rented equipment or virtual infrastructure in the IaaS model, but also with administration of that infrastructure in accordance with the requirements of the PCI DSS standard.

“Using the services of a certified supplier makes it much easier to pass an audit. My position is this: everything that can be outsourced should be given away,” said Konstantin Yang, CTO of CloudPayments. “The PCI DSS standard has twelve sections. Ideally, the supplier closes eleven of them, all except the development of the software on the basis of which we provide services to our customers.”

In other words, such technologies make it possible to focus attention on one’s own business, without being distracted by administrative work, and reduce some of the technical risks.

Market trends


Today, 8 out of 10 market participants who use an external certified supplier limit themselves to outsourcing the physical security requirements, that is, they use server hosting in PCI DSS certified data centers. However, colocation is beginning to be pushed by such promising services as PCI DSS IaaS (32%) and managed services (MSP, 21%).



“The data center where our equipment is located has been certified. This closes the issue of the physical protection of the information infrastructure at the data center level,” says Ivan Sergeev, technical director of MOBI.Money. “Today, physical deployment and virtual server infrastructure are the most promising levels of outsourcing to meet the requirements of the PCI DSS standard.”

Whereas previously there was not a single PCI DSS certified hosting provider in the Russian Federation, today the picture has changed. Last year, several of the largest cloud providers certified their platforms according to the PCI DSS standard, which enabled them to take responsibility for fulfilling the PCI DSS requirements at the level of virtual infrastructure (IaaS). IT-GRAD has also passed certification.

“We spent more than a year preparing for the certification audit of our cloud, and in 2015 we successfully certified our PCI DSS Compliant Hosting services at all levels of responsibility required by the market: physical placement, IaaS and managed services.

Our customers, banks, payment systems and gateways, get all the benefits of PCI DSS certification with minimal effort: during an audit, most of the requirements are closed by presenting our PCI DSS service provider certificate,” says Alexander Starodubtsev, deputy general director of IT-GRAD.

By using a PCI DSS certified cloud in the IaaS model, organizations significantly raise the level of security of their card data processing environment and reduce the risk of financial losses from information security incidents, while being able to concentrate on developing their business.

Source: https://habr.com/ru/post/304288/