IT in Banking

SA ignores PCI DSS compliance

Read time 4min 20sec
It is critical to keep in mind that the PCI DSS is the floor, not the ceiling when it comes to security, says Andrew Kirkland, regional director for Africa at Trustwave.
It is critical to keep in mind that the PCI DSS is the floor, not the ceiling when it comes to security, says Andrew Kirkland, regional director for Africa at Trustwave.

Companies in SA have known about the Payment Card Industry Data Security Standard (PCI DSS) for several years now yet adoption and management support continue to be an issue.

That's the observation of Andrew Kirkland, regional director for Africa at information security company, Trustwave.

Kirkland points out that the increase in criminal activity in the payment card space in SA sparked the Reserve Bank to take action in March 2013 and appoint the Payment Association of SA (PASA) to assist with the adoption of PCI DSS by all companies that are required to comply with it.

"Once companies meet the PCI DSS requirements, they need to follow the policies and procedures that have been set by the company to protect this data - it's not enough to have a document; what's in this document must form part of the daily operations," he explains.

"Do not delete your logs - have a storage system in place to archive all the log files and ensure the file integrity monitoring applications are up-to-date. If you are unsure if an upgrade, system change or patch will maintain compliance, then consult your qualified security assessor," Kirkland urges.

"It is also critical to keep in mind that the PCI DSS is the floor, not the ceiling when it comes to security", says Kirkland, adding that while the PCI DSS helps businesses deploy some essential security controls, it doesn't cover security around every attack vector, such as security surrounding targeted malware, mobile devices and cloud technology.


If organisations use a defence-in-depth approach to security consisting of multiple layers of defence, detection, response and ongoing testing, they can better protect themselves against attacks and inherently maintain compliance with the PCI DSS, he explains.

Kirkland warns that the regulator in SA - PASA - may impose fines or penalties depending on a number of variables which they are finalising in addition to any breach related costs should that occur.

"We are not yet clear on the details at this stage; however, companies must not be complacent in this regard or they could get out at which point it may be too late.

"The PCI DSS has been around for several years and the message around this has been communicated to all relevant parties via the banks. It should not come as a shock that a new version is being released or that it's being regulated. What is surprising is how many organisations have not planned for these security requirements and compliance certifications in their 2014 budgets," Kirkland says.

To Kirkland, increased cyber criminal activity and newer more advanced methods of exfiltrating data, as well as new technologies and methods to access that data, such as mobile technology, means local organisations need to be more secure.

Also, he adds, the improved connectivity between SA and the rest of the world has meant the cyber criminals do not need to be local to launch their attacks.

"It is concerning that it takes organisations being compromised before senior level management and the governing bodies take action to address this with the update of standards and compliance requirements.

"This level of ownership is every organisation's responsibility; organisations need to be aware of these changes and have the required skills and knowledge at the senior management level to be able to be proactive and not just reactive to when it comes to data security. Time has proven it is not if organisations will lose data but when. The senior management is responsible to make sure their company is not the next victim.

Enter POPI

According to Kirkland, the POPI Act also being passed into law states that any personal data like personal account number or credit card numbers have to be protected with industry standards.

"This means PCI is not a compliance that is driven by contractual obligation with the banks but is mandated by the government. If companies have adopted the PCI concept of protecting data then they have a blueprint of how to protect the additional data that POPI aims to protect."

He is also of the view that there may also be some overlap so addressing the POPI requirements should be easier.

"For those companies who have not adopted this thinking, POPI may become harder for them to implement. These additional measures may be unfamiliar to companies who have not been exposed to this. The key item here is if organisations work with the correct trusted advisor they can take advantage of a large cost avoidance by running a multi-level and effective security and compliance program for PCI and POPI as well as other compliance standards," Kirkland concludes.

See also