Expert insights – Kevin Dowd on why organizations shouldn’t touch payment card data

Expert insights, PCI DSS

Expert insights – Kevin Dowd on why organizations shouldn’t touch payment card data

Cyber-security and payment security expert Kevin Dowd was Chairman of CNS Group until August 2018.

Can you start off by talking a little bit about your background?

My original background is technical, in networking and computer security. In 1999, I founded CNS and we have since then built a private security consultancy and services company. As a company, we do everything from ethical hacking through cybersecurity advisory and strategy work, all the way through to secure operating systems and monitoring services looking after people’s equipment and seeing if they’re being hacked, that sort of thing.

Personally, my speciality is on the consultancy side. The chargeable work I do is as an advisory consultant. I will do anything from advise boards on such cyber-security strategy through to things like PCI DSS QSA work, so signing people off for their PCI DSS audits and advising them on how to get compliance, really anything to do with cyber security advisory tends to be what I get involved in.

How much of that of the work for the company more broadly is around payment security and PCI? Is that a big part of the work that you do?

Yes, it is particularly for me personally but for the business as well, we do a lot of PCI work. That comes to us in two ways: one is the QSA stuff so advising people how to get compliance, but also we do work in our solutions team on helping people actually create the compliance systems and then monitor them over time. We play a role both in getting people over the line and in helping them maintain compliance from a technical perspective.

What would you say are the key challenges that face organizations that are trying to ensure payment card security these days?

The main challenge really is that the PCI standard is extensive. There’s two hundred and forty plus controls and they cover an awful lot of ground. There’s everything from digital security to process security to some quite in depth technical security aspects. It’s like lots of cybersecurity these days, lots of the things that PCI asks for are difficult to do unless you’re of a certain scale.

For example, they require a lot of logging and monitoring and it’s difficult to meet that if you’re a small business or mid-sized business. You have a number of decisions to make, really.

My line on the PCI standard is really that it’s a heavy hint to everyone from the card industry not to touch card data.

If you touch card data, then you’re in scope for all the controls. If you don’t touch card data and you just let your suppliers do that who are specialised to do that for a living, then almost none of it applies, you’re just making sure that your suppliers are doing the right things and your direct compliance burden is much lower.

The key challenge really, whenever we sit down with someone, is determine how best to reduce their local scope, their actively managed inside their infrastructure scope, for PCI compliance to as little as possible and preferably none. If you can do that, then you’re going to have a successful PCI compliance program. If you find yourself with an extensive PCI DSS scope, this likelihood is that you’re going to hit problems all the way.

How well understood do you think the different methods of tackling that problem are amongst merchants?

I think they’re getting better understood. It depends who you speak to. It depends how much direct experience they have. There is a lot of rubbish talked still sometimes. Actually, if you talk to people about website redirect, leaving ecommerce out of scope, or DTMF leaving call centers out of scope, or P2PE leaving face-to-face out of scope, by and large people are pretty on board with what that means.

More the challenge sometimes is in convincing people that the change in working practice is worthwhile. Especially with call centers, they like being on the phone with people, so to get the idea that a relatively simple change in working practice can have quite profound implications for the cost and maintenance of PCI compliance, that is sometimes an argument that needs winning. That’s more the issue, convincing people that by perhaps changing the way they’re working a bit, they can avoid lots of compliance issues.

Are call center managers still seeing PCI as a cost rather than a benefit, then?

Yes. I think, to be fair, PCI is a cost rather than a benefit in all brutal honesty. Really, it’s a compliance overhead. All you’re really getting is the ability to continue taking credit cards to avoid any PCI issues should there be an incident. Don’t get me wrong, I think that’s a cost well worth paying, even if you’re paying a reasonable amount for it. I think it’s something that you’ve got to do, I think it’s just something any responsible business would do.

It is a cost. It is an overhead. It is the banks sharing the cost of fraud avoidance and fraud, and justifiably so. There’s no reason why the banks should take the burden of fraud that comes to people not looking after credit card numbers.

It is a cost, and therefore what we always say to people is that they should find not only the easiest, lowest maintenance way of doing it, but do that in a way that also minimises your risk as much as possible and makes it as easy to maintain as possible. What it means is being as clear-eyed as possible about whether you need to see card numbers. If you don’t need to see card numbers, don’t see them. There’s an easy path through this if we just think about the scope of the strategy up front and get the right solution in place.

Why is reading out card details over the phone still so widely practiced given the issues that you’ve already raised?

It’s a good question. The quick answer is I don’t really know.

It’s not something I’m comfortable doing anymore. I can’t think of the last time I did it. I can’t think of the last time I rang a call center and read out my credit card details. It’s just knowing it from the other side, it is not something I would do.

The quick answer is you’ve got a reasonably entrenched industry there. You’ve still got lots of people running call centers or running revenue lines that are dependent on call centers, who have who have a bit of fear about changing the way those call centers work. I can understand that to a certain extent although I don’t think it does impact revenue to change the way that they work. There’s a lot of call centers out there in Britain, and it takes time to affect change.

Is there more of a push from consumers, do you think, to not give their details over the phone?

I think so. I think people are increasingly seeing that. There’s always a tension between the familiar and what people perceive as being “easy” versus the secure. It’s a bit of a fake distinction because apart from anything else, if you ever read out a card number over the phone you’re usually doing it twice because it’s a long number and people rarely take it down properly the first time.

It’s not really an efficient way of doing things to read your card number out and nor do I think it’s a particularly secure way of doing things. I certainly don’t think anybody would perceive DTMF as not secure. I think they would see it as a secure alternative.

Is GDPR likely to make this more of an issue?

Funnily enough, I think so. I was a little bit resistant of that, not of GDPR, which I think is a good thing, but of any link between GDPR and PCI, but the reality is, I’ve got my father ringing me over the weekend asking me about GDPR and so by that point you’ve got it much more in the public consciousness. I think it has genuinely got people thinking about what happens with their data and how people communicate with them, what that means, that they have actually got rights about how their data is used. From that perspective, I think it will be an interesting few months certainly because people will start to think more about who’s got their data and why they’ve got their data, and what they’re doing with it.

From a company’s point of view, your advice is generally to reduce scope as much as possible, just not to hold the data if you don’t need to. Is that the best way of tackling this?

Yes. I would go further than that and say that in almost all instances, there is absolutely no need for a company to even see credit card data that’s going to bring them into PCI scope.

The exceptions are rare and are usually companies that are in some way involved in payment processing or issuing or are in the financial system or are offering services to do with payments.

I think our advice is as strong as that these days. If you’ve got the active PCI scope, you really do need to look at whether that is in any way justifiable. The simple fact is, even if you’re compliant, there is still a hell of a risk. No setup is perfect and we’ve seen that in that compliant customers have been breached. That’s just the simple truth.

If you’re seeing credit card data, and therefore there is data on your network that is of interest and could be breached, there is still an element of a risk even if you’re compliant. To my mind, the best thing to do is just to get rid of that completely and not see the data in the first place. As I say, I’ve done a lot of PCI engagements, and the ones where you genuinely need to see the credit card number in your business are very, very rare indeed.

For telephone payments, that means DTMF masking is the solution?

Absolutely. Yes, absolutely. If I was running a call center I would do it.