I have been getting a lot of inquiries lately about whether or not financial institutions are required to comply with the PCI standards. It fascinates me how certain groups seem to think that the rules apply to everyone else but their own. Page five of the PCI DSS states:
“PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.”
I do not see any exclusion for financial institutions in that definition and the use of the term ‘all’ seems pretty inclusive to me.
A few years back we started to get panicked phone calls from financial institutions that were being pressured by the various ATM networks to prove that the financial institution’s ATM network was PCI compliant. While most financial institutions in the United States outsource the management and networking for their ATMs to a third party, a small number of financial institutions still switch their own ATM networks. And it was those financial institutions that switched their own ATMs that were the target of the PCI compliance initiatives of the ATM networks. Some of those financial institutions did PCI Report On Compliance (ROC) for their ATM networks. Some financial institutions outsourced their ATM networks.
Most financial institutions in the United States and Europe outsource their credit card processing and issuance to third parties or wholly owned subsidiaries. As a result, the financial institution itself is typically not involved in the PCI compliance regarding the credit cards issued under their name.
Unfortunately, the same cannot be said about debit cards. While the issuance of debit cards is typically done by a third party, in order for the debit card to work, the financial institution must store the debit card primary account number (PAN) in their banking system so that the debit card can be linked to the customer’s account. As a result, the financial institution is storing cardholder data in their computer system(s) which means they must be PCI compliant. And that cardholder data must securely traverse the financial institution’s network.
Another area that catches financial institutions is statement preparation. While a lot of financial institutions outsource this as well, some have purchased software that accomplishes the combining of statement information from a variety of sources. Unfortunately, the firms that process their credit and debit card transactions put the full PAN on their statements. As a result, the statement prep software creates PDFs and other documents with the full PAN without the financial institution necessarily being aware of that fact.
What adds insult to injury to this situation is that most financial institutions purchase their software applications from third party development firms. As a result, the financial institutions are at the mercy of these third parties to ensure that cardholder data is processed, stored and transmitted per the PCI standards. To make matters even worse, with all of the regulatory changes going on in the financial institution industry over the past five years, these software firms have been focused on those regulatory changes and not PCI compliance.
The only piece of good news in all of this for financial institutions is that the card brands have not been pushing the issue of PCI compliance. The unofficial reason that financial institutions have not been pushed on PCI compliance to this point is that, in the scheme of things, they have not been where the breaches have occurred.
With merchants and service providers finally getting their acts together on PCI compliance, the focus is going to shift to the other entities named in that earlier definition. How soon financial institutions will start to be asked to document their PCI compliance is anyone’s guess. But I have to bet it will start occurring over the next two to three years. We are already hearing rumblings from some fairly large financial institutions that want to get PCI gap analyses done so that they can get started on remediation and stay ahead of the curve.
So, if you are one of those financial institutions with their head in the sand, you have been warned. It is not a question of ‘IF’ you will need to be PCI compliant; it is a question of ‘WHEN’. And knowing how quickly some of you move, it might behoove you to get started on your PCI compliance efforts now.