Thursday, 9 September 2010

PCI DSS - Ownership and Accountability

Accountability is a problem that I come across in PCI DSS time and time again. Recent challenges with ownership and accountability have prompted me to write this post.


Complex systems require a complex set of controls to ensure that they work as intended. These controls aim to reduce the risk of disruption to that intended operation. However, incidents do happen, and not all controls are adequate the first time they are put forward. Hence the controls are revised to improve their relevance and to reduce the likelihood of further incidents. Take an aircraft, for example. Or a car.


Payment cards are just one such complex creation. In order to give customers a convenient way to pay for goods, banks created this complex system with input from entities such as the cardholder, merchants, service providers, payment gateways, acquiring banks, card brands, issuing banks and various other third parties.




In the world of digital electronics, data passes very quickly from one system to another, and each of those systems may be owned and/or managed by a different entity. In the case of payment cards this data is very important, because it translates into cash or goods with relatively little effort. With the increased complexity of business delivery models and the pressure to deliver new services to the customer quickly, security of this data can take a back seat, and with it go the appropriate agreements between the various entities delivering the service. This is where the controls put forward in PCI DSS can help to secure the cardholder data.


It is very important that PCI DSS requirement 12.8 is given appropriate emphasis as a key control, so that all relationships with the various entities are clearly described in a written agreement, with the appropriate legal teams involved. As an example, where service providers, merchants and third parties are collectively delivering a service, they should review the data flow diagram of cardholder data together and ensure that each requirement is owned, and complied with, by the appropriate entity. This should drill down to each individual requirement, preferably on the assessment sheet itself. Merchants can then have reporting structures and metrics with their service providers and third parties to ensure that compliance is maintained.


In the absence of such rigour around ownership and accountability, the entity in question will eventually have a difficult time when a major incident happens. This may end in a review of liabilities, service contracts and SLAs, and may severely affect the business. Most of all, it affects user confidence. The end user empowers the payment system and trusts that the system is handling their data securely. It is very important to ensure that this trust is maintained. Surely, that is how this complex system was designed, and how it was intended to operate.