PCI Compliance Challenges for Banks and Credit Unions

Regarding PCI compliance, financial institutions have an advantage. Having complied with GLBA for several years, banks and credit unions have relatively robust and complete information security programs in place. They are audited several times per year by FDIC, NCUA, State, external firms, internal auditors, SOX audits, etc.

The problem is card brands like Visa and MasterCard have been focused on the retail industry as a major trouble area. Compared to most retailers, financial institutions are more mature in their Information Security Management and Audit programs, less likely to cause a breach, and are therefore not the initial priority.

Even with a head start, financial institutions still need to put PCI compliance and PCI Assessments high on the list of projects.

The good news is many PCI controls are in place: firewalls, change management, policy documents, etc. However, there are three areas where GLBA audits and PCI requirements don’t overlap so examiners are unlikely to ask about them. Without pressure from examiners, these areas are often overlooked and could burn the unaware security officer.

1. Encrypting Data at Rest. PCI requirement 3.4 requires the primary account number to be rendered unreadable (e.g. encrypted, truncated, tokenized) anywhere it is stored. FFIEC and other banking guidance reference encryption, but examiners typically do not document exceptions if the data are internal and appropriate access controls are effective.

2. Network Segmentation.  While not a direct requirement, limiting the scope of the cardholder data environment (CDE) is desirable to limit the compliance scope and save costs. In many cases based on traditional network architecture and a business need to see full card numbers, the entire network may be in scope. Not completely horrible by itself, but cybersecurity compliance efforts could get expensive where multiple branches and facilities are involved.

3. File Integrity Monitoring. PCI requirement 10.2.7 requires logging of system-level object creation and deletion. Auditing system-level events can be done natively in Windows, but introduces performance issues. Many institutions will be better off with a commercial FIM solution like Bit9 or Verdasys.

If you haven’t yet looked at PCI DSS v3, I highly recommend downloading it from the PCI Security Standards Council web site.

Reach out to us for expert guidance on a PCI self assessment or support with your ongoing cybersecurity compliance.