As more cards move to EMV chips it makes sense to wonder how this will impact the Payment Card Industry (PCI) Data Security Standard (DSS). A good example can be seen by looking at Europe. In a mature EMV environment the fraud migrated to card-not-present transactions, so the security controls outlined in the standard still apply. And if you think about how the data is used in a financial institution, it isn’t the point of sale where financial institutions are involved. EMV provides stronger authentication for in-person transactions, but doesn’t add protection within the financial institutions where cards are issued and card numbers must exist in human-readable form (e.g. not encrypted or tokenized).
When dealing with PCI compliance, the challenge for financial institutions is that nobody is asking about PCI. Federal examiners began asking about PCI at a very high, generic level a few years ago. But those questions dies out fairly quickly. The major card brands, meanwhile, are busy with retailers that, compared to finance, had no real security in place prior to PCI. They know after more than a decade of strict regulation that financial institutions are still ahead of other industries.
Banks and credit unions do have to comply with PCI standards, even if nobody is asking about it. According to the major card brand compliance web sites, any entity that stores or transmits cardholder data must comply with some level of the PCI standard. This means in the event of a security breach involving cardholder data (which the vast majority of financial institutions have) there would likely be significant fines issued.
The good news is financial institutions aren’t processing large amounts of transactions so we typically fall into lower compliance levels. And with the FFIEC-based controls you already have in place, adding a PCI self-assessment, some vulnerability testing, and possibly some control updates… PCI compliance isn’t too bad.
Once you’ve scoped in your systems, your existing security controls can be mapped to the controls to give you a good indication of where you stand. This mapping is made easier if you use a well-known standard like the NIST Cybersecurity Framework, ISO, or the new FFIEC Cybersecurity controls.
If you are interested in FFIEC Cybersecurity Maturity controls mapped to PCI let me know through the Contact Us link on our web site. I have an internal tool for helping my clients develop an internal common control framework. If there is enough interest I will trim it down and provide it.