Global Practice Lead - PCI DSS - CSIR Global Cyber, Risk & Advisory Leaders
Article published 28 June 2021
Why PCI DSS is significant for the utilities sector and how to achieve compliance?
PCI DSS in the utilitiessector is often portrayed as a complex and painstaking endeavour. However, payment processing models, technologies and the standard itself are constantly evolving, as are the ways of achieving compliance. There are methods to de-risk your cardholder data environment (CDE) from card breach and in doing so, the burden of compliance activities is also reduced.
In this blog, we will look at how PCI DSS applies to utilities, a sector that has traditionally been required to manage a wide demographic and thus have multiple channels available for accepting card payments.
Utility providers such as those providing water, gas and electricity often manage large volumes of sensitive customer data. This may include medical information to ensure that those with a dependency on critical equipment get priority for electricity supply resilience, through to marketing preference data and even to stored payment card data to facilitate recurring payments. The focus of this blog will be on payment card data, which has its own set of specific cybersecurity requirements, known as the PCI DSS.
PCI DSS applies to all locations, systems, processes or people which store, process or transmit cardholder data (CHD). In a traditional utility provider the payment channels leveraged most are eCommerce and call centre based payments, and in many cases direct debits are more common than card transactions. BSI work with many utility companies and have seen first-hand the challenges that have to be balanced. From addressing call recording retention, using core legacy systems for processing payments, right through to challenges with network segmentation.
Why should the utilities sector care about PCI DSS?
The answer is simple, you are contractually obliged by your acquiring bank to be PCI DSS compliant.
Additionally, there are many benefits to being compliant, and drawbacks for non-compliance. The drawbacks for non-compliance include fines, which if left unmanaged can range from 2 - 6 figures per month. Moreover, if you are compliant at the time of a breach you can avail of safe harbour, i.e. you will not be subject to fines for breach of card data. Fines for a breach are significantly different to fines for ongoing non-compliance and depending on the scale of breach / cards stolen, the fines can run into millions, you will also be forced to shut down card processing operations until the breach is contained and the source of the breach remediated.
It is also worth noting that very few organizations are PCI DSS compliant at the time of a successful card breach. The most common areas which contribute to successful breaches are poor patching regimes, insecure identity and access management practices and bad software development practices. These risk areas are common challenges in cyber security. For many utilities companies who are also deemed national critical infrastructure, it is likely that PCI DSS is not the only external influence exerting pressure on these areas, with the EU’s directive on security of network and information systems (NIS) and proposed NIS 2 looming, and continued attacks on OT systems, the pressure for good security hygiene is greater than ever. With this in mind, PCI DSS controls can serve as a great aid when implementing NIST CSF or the CAF in the UK.
How do I achieve PCI DSS Compliance?
1. Identify your card flow channels
In a utilities environment, card data will typically traverse your ecommerce site, mobile apps, telephony systems and may well be included in call recordings. The latter can often be a significant challenge to manage not only from a compliance perspective, but also from a traditional cyber security risk management viewpoint.
2. Determine how many card transactions occur per channel
Ask your acquirer about this as this will affect the attestation levels and type of audit required.
3. Determine whether options exist to descope your network
Typical options include leveraging iFrames, Redirects, outsourced processing and network segmentation.
4. Gap analysis
Conduct a gap analysis against the remaining requirements. It is also possible here to leverage controls already in place if your organization has been working towards NIST CSF or indeed the UK CAF to satisfy the EU NIS directive. This obviously depends on scope however.
Develop an implementation plan to address gaps, and ensure that roles and responsibilities are in place for effective management of compliance into the future.
The final stage; is to attest compliance. The types of attestation depend on the volume of transactions processed per annum and how you process those transactions. Attestation can be either self-assessed or may have to be undertaken by a Qualified Security Assessor [QSA] based on how many card transactions you process.
7. Annual revalidation
PCI DSS attestation is an annual validation exercise, however compliance is a 24/7/365 process, including time bound requirements which must be actioned daily, weekly, monthly, quarterly and annually.
How can BSI help?
BSIs QSAs can assist utility companies by:
advising on scoping and solution design;
conducting gap analysis;
providing implementation support;
performing ongoing PCI health-checks; and
formally validating PCI DSS compliance
We ensure that solutions are in place to meet compliance into the future. All too often BSI QSAs observe that year 1 compliance is achievable when backed by a dedicated project, but in year two, without effective governance in place, organizations often fail to meet the recurring controls required to be meet year 1 + n controls.