I have been struggling with a client recently regarding what is involved in the scope of a PCI compliance assessment. It appears from these discussions that a lot of people either forget or are unaware that there is more to the PCI DSS than technology. It also covers a lot of manual procedures. People seem to forget about all of the ancillary activities that surround credit cards.
They forget about the manual processes that kick in when their fancy integrated POS systems are unavailable. This was driven home a couple of months ago when a client had four locations affected by a telephone line cut. This outage affected the long line trunks of a couple of major carriers out of a good sized community. The backup process for this organization is to manually fill out a multi-part, carbonless credit card receipt for the customer and have the customer sign the receipt. The customer gets a copy and the original is retained by the organization and then manually keyed into the POS system once communications are restored. During the two and a half hour outage, this organization generated over 2,000 receipts at the four locations. The kicker in all of this is that the receipts not only contain the cardholder's name, PAN and expiration date, but the clerks have also been instructed to capture the CVV/CVC so that they can prove it was a card present transaction.
My first question was, “What happens to all of those receipts after they get rekeyed into the POS system?”
“Why, they get thrown out,” was the matter of fact reply.
“Do they get shredded?” I asked.
“We do not have shredders out at our stores,” the CFO responded.
I explained that those receipts were in-scope for PCI compliance and, since they were just being discarded in the trash, the organization was not in compliance with a number of PCI DSS requirements. Worse, the CVV/CVC is sensitive authentication data that the PCI DSS does not allow to be retained after authorization in any form, so the receipts were a problem even before they reached the trash. You would have thought I had tossed cold water on them. They were shocked. They argued that the PCI DSS was all about computers and storing cardholder data on the computers. After all, that is why the head of IT was leading the compliance effort. After half an hour of discussion, I finally was able to convince them that the PCI DSS was all about everything post-authorization, electronic or manual.
The resolution to this situation was that the organization now requires that all manual receipts be returned to its Corporate office in the store's daily balancing bag that is picked up by a commercial security courier every morning. Once receipts are entered at the store, they are put in the store safe until the courier pickup. At corporate, the accounting department takes the receipts and, using a "Sharpie," redacts the PAN down to the last four digits and redacts the CVV/CVC on the receipt, images the receipt and then puts it in a shredder bin for secure destruction.
A couple of years ago, I was at a client that stored three years' worth of manual credit card receipts in an office at their corporate headquarters. This was a standard office that was meant to hold four people, and it could barely hold the one person and the imaging equipment used to image all those receipts. This office was not locked during business hours and there were no cameras near it. Everyone in the facility knew what was stored in this office and, since the office had windows, everyone could see into it. The corporate facility itself required card key access to gain entry and there was video monitoring on all entrances, the loading dock and the data center. As usual, the first push back was that the PCI DSS had nothing to do with paper, it was all about electronics. Even their internal auditors knew this was not true, but the CFO persisted. After much persuasion, the CFO relented and we began to discuss the situation.
The resolution here was to extend the automated access control system to this office. We decided that the windows in the office were a deterrent, since anyone in the office who did not belong would stand out through the windows as other employees walked by. The cost of adding video monitoring to this location was determined to be too expensive, so it was not implemented.
My final example regards back office activities. Last year I had a client that had outsourced all of their credit card processing to a major vendor of such services. As a result, management felt they were off the hook for PCI compliance. They explained everything about their outsourcing and then asked, "What can we possibly be responsible for?" A fair question.
So I asked, “Who takes care of chargebacks and disputes?”
The Vice President of Accounting said that their department handled those, but they were all handled through the third party's system, so the cardholder data (CHD) was not on their organization's systems.
My next question was, “Do they get any reports or screen shots out of the system to use in researching the chargebacks and disputes as well as for their files to show how the situation was resolved?”
The head of the department said, “Why yes, all of the time. How else would we be able to do the work and prove to the card brand that we had taken care of the problem?”
I then went into the explanation that all of this research material was to be protected just like the credit card data that was on the third party’s systems. Again, there was a lot of push back from the accounting people and other management as they felt that all of this was out of scope. I went back to quoting from the PCI DSS and explained that this was all post-authorization data and was required to be protected.
The resolution to this situation was not so simple. It turned out that the people handling chargebacks and disputes also handled other accounting duties within the department, so physically segregating them from the rest of the department was not possible. What they did was isolate the records for chargebacks and disputes in a locked room, with only the department head and the Vice President of Accounting having the keys. If one of the clerks wanted to work on chargebacks or disputes, they had to sign out the key to get into the room. When their work was done, they again used the "Sharpie" technique to redact the PAN and CVV/CVC from all paperwork, and it was then filed with their completed work.
I hope you now see that there is more to the PCI DSS than technology. So, the next time you are out looking for cardholder data, do not forget to look outside of the box.