Dissecting PCI 3.0 Compliance For The Ticket Office
The new PCI DSS 3.0 compliance standards, which were implemented in January 2015, are neither arbitrary nor optional for ticket offices, unless a franchise chooses to not accept credit cards as a form of payment. Every franchise executive that generates revenue from credit cards should consider the organizational and financial implications of payment card industry (PCI) compliance.
Jeff LoSapio, managing partner of consulting company Stratum Security, says that any organization that stores, transmits or processes credit card transactions is required to achieve full compliance with the PCI Data Security Standard (DSS). The DSS is a list of security controls aimed at protecting cardholder data. An organization’s PCI 3.0 compliance reporting and assessment requirements are driven by the number of annual credit card transactions.
Understanding the Tier System
PCI 3.0 compliance obligations are organized into a four-tier system based on the volume of credit card transactions. Tier 1 carries the most material requirements and includes merchants that process $6 million or more in annual transactions. Tier 1 merchants are required to have an on-site PCI DSS audit completed by a qualified security assessor. Tier 2-4 merchants are able to certify themselves using the appropriate PCI self-assessment questionnaire.
“The actual PCI DSS requirements are the same for all merchants,” LoSapio said. “The difference includes the level of vigor for compliance auditing and reporting requirements.”
PCI standards are updated on a three- to four-year cycle, but 3.0 is a potential game-changer for the industry over the next few years. Every ticketing operation accepting credit cards as payment will see a dramatic difference in PCI 3.0.
For sports franchises, LoSapio said, ensuring partners are compliant depends on the partnership between the franchise and vendor.
“If the partner is processing credit cards or providing a service that is used to store, transmit or process cardholder data, then the merchant (franchise) is required to verify that their service provider is PCI-compliant,” he said.
The most vital component is the size of the merchant’s business, LoSapio noted. “Tier 1 merchants have the most stringent reporting and auditing requirements,” he said. “Tier 1s require an annual on-site PCI audit, quarterly vulnerability scanning and an annual penetration test.”
Internal Questions Arise Around PCI
Each compliance rating relies on annual penetration-testing standards. Franchises will be required to hire certified information technology (IT) directors that are capable of handling, initiating and evaluating those penetration tests for the franchise’s database and network. Computer terminals accepting credit cards may not be up to PCI 3.0 standards if they include word processing applications or other programs that can potentially be breached by hackers.
No longer will one computer within each cubicle suffice. In order to comply with PCI 3.0 standards, sales staff members may have to use a separate terminal to process payments and another for standard office functions. The intent is to protect consumers’ credit card data from intrusion.
Information security has become a pain point for franchises, especially when those at the top of the organization do not take it seriously until a breach occurs. While every data stream may seem secure, few currently comply with the PCI standards.
Hackers can easily access unsecured wireless systems, seize customer data and corrupt the entire network. Businesses will not be allowed to use these networks for credit card transactions under the new PCI changes.
While cellular networks themselves may be secure, smartphones do not come standard with data firewalls to protect against a breach. This has caused confusion around what is secure and what isn’t, especially for the average customer. While white-hat hackers performing penetration tests may have issues breaching a cellular network’s high-security standard, the same cannot be said for those illegally accessing a smartphone or tablet. These portable devices have a much lower security standard — they are consumer toys, not credit card terminals.
Where Responsibility Lies
According to LoSapio, helping clients understand why some choose to go to third-party vendors who handle most PCI aspects of taking credit cards can be a challenge.
“The onus of PCI compliance is primarily on the merchant,” LoSapio said. “Utilizing PCI-certified vendors and service providers is a good strategy to transfer a good deal of the risk and compliance cost to a third party. Rarely does this completely absolve the merchant from PCI compliance activities. PCI is relevant for every business that uses credit cards — this can include call centers, fax orders, in-store and online.”
Part of the standard is also a push to further segment credit card terminal networks, which means workstation computers cannot be used to access a credit card terminal across the same network.
Though compliance and security are related topics, LoSapio said he doesn’t think they are necessarily the same thing.
“Being compliant does not prevent attacks and breaches,” he said. “The PCI DSS includes a long list of security controls and activities that, if implemented in a structured and thoughtful manner, can greatly reduce the risk of a data breach. The problem we see is that organizations only focus on PCI compliance around their annual certification date, while hackers focus on stealing data 365 days of the year.”
Malware Affects PCI
Malware, malicious software, is what breached the cash registers at Target and Home Depot. Small access points, such as point-of-sale (POS) registers, are easily exploited by hackers and should be included in any IT professional’s routine security check.
A data breach can happen at any time, especially when credit card swipers are detachable or connected via USB. PCI 3.0 standards require these types of detachable swipers to be kept in a physically secure area at all times so that they cannot be subjected to software manipulation or hardware attachments that would allow the theft of information. However, malware can seep into POS software and collect consumer credit card numbers during the purchase. Now, ticket managers and IT security specialists will be specifically tasked with ensuring detachable USB devices are protected from malware.
Assessment and Initiation Process
During the certification process, franchise executives should involve everyone affected by PCI 3.0 compliance changes, including ticket operations, sales managers and ancillary partners within the venue. Everyone should discuss concerns that apply to every component of a credit card transaction and how to comply with PCI 3.0 standards within that scope of control.
Fighting the cost and implementation of PCI 3.0 certification standards is a losing battle. These standards are set up by the credit card industry, not federal, state or local governments. According to LoSapio, any franchise executive who balks at the cost of certification will lose the ability to accept credit cards.
“The acquiring bank is ultimately responsible for ensuring merchants are PCI-compliant,” he said. “The banks are able to fine the merchant on a monthly basis until compliance is achieved. And, if the merchant has a credit card data breach, the fines are higher for those that were not compliant.”
The Cost of PCI 3.0 Certification
LoSapio estimated certification compliance service costs could range from $50,000 to $100,000 depending on the size and complexity of the merchant’s business.
According to LoSapio, the variable costs depend on the maturity of the franchise’s PCI program.
“The first year of PCI compliance is typically the most expensive, as there are often several areas in which the merchant’s information security program does not meet the PCI requirements [and] thus needs to be enhanced,” he said. “This could involve updating documentation, creating policies and procedures, implementing additional security technologies, network changes or enhancing current security operations.”
LoSapio said that for smaller merchants, the cost of compliance may not be as material, but the comprehensive nature of the PCI requirements is often a challenge for small businesses.
“The best strategy for smaller merchants is to offload credit card processing to firms that specialize,” he said. “This places the effort of achieving and maintaining compliance on a third party so the merchant can focus on their core business.”
Franchise executives must embrace these changes, keep staff fully informed and understand the consequences of not complying with PCI 3.0. With so much revenue coming from credit cards, franchises simply cannot afford to slip up for even one day.