PCI compliance requirements in the UK
(Last updated on February 17, 2020)
In 2018, criminals successfully stole £1.2 billion through fraud and scams. Now more than ever, businesses that process cardholder data look to the Payment Card Industry Data Security Standard (PCI DSS) for security recommendations. PCI DSS is a set of security standards introduced to the UK in 2006. PCI compliance is required for any business that accepts, stores, transmits, or processes cardholder data.
Payment fraud is a major threat with costly consequences. According to the Fraud the Facts 2019 report from UK Finance, unauthorised financial fraud losses across payment cards, remote banking, and cheques totalled £844.8 million in 2018. Additionally, UK Finance members reported 84,624 incidents of authorised push payment scams with gross losses of £354.3 million. The same report claims that social engineering and data breaches were a major contributor to the losses.
The PCI Security Standards Council has published this infographic to help organisations defend against phishing and social engineering attacks. Compromised credentials allow hackers to gain remote access to a network. PCI requires strong passwords for all users with access to payment card numbers. The recommendation is to educate users on choosing strong passwords, and force frequent password changes. Version 3.2.1 of the PCI Requirements and Security Assessment Procedures (requirement 8.4) reads:
Document and communicate authentication policies and procedures to all users including:
• Guidance on selecting strong authentication credentials
• Guidance for how users should protect their authentication credentials
• Instructions not to reuse previously used passwords
• Instructions to change passwords if there is any suspicion the password could be compromised.
This advice differs from that of the National Cyber Security Centre (NCSC), which wants to reduce the burden on end-users. The NCSC says your authentication system should help you identify and stop the use of compromised passwords.
PCI fines and penalties
The PCI requirements alone might not be enough to secure authentication. An analysis of 5000 PCI-compliant passwords revealed 3 out of 4 contained dictionary words. This means that even with PCI compliance, organisations may still be vulnerable to password attacks.
In the event of a data breach, PCI will require your organisation to cover the cost of a forensic investigation. A PCI Level 1 investigation can cost upwards of £100,000. You will also have to consider fines from banks, and even GDPR fines if the data of EU residents is compromised.
Is it time to re-evaluate your PCI passwords? User-generated passwords have their limitations but you can minimise your exposure by blacklisting compromised passwords. A password blacklist should contain all of the passwords that a hacker will use to gain access to a system. A third-party password blacklisting service can simplify the process of managing the list of leaked passwords. Specops Password Blacklist is influenced by major breach incidents, and updated in response to new threats.
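As an added example (not from the original post and not Specops code), the following Python check applies the PCI DSS v3.2.1 baseline from requirement 8.2.3 (at least seven characters, letters and digits), flags dictionary words of the kind the 5000-password analysis found, and then looks the candidate up in a compromised-password blacklist and in the user's own password history as requirement 8.4 asks. The blacklist entries and the dictionary are constructed samples standing in for a real breach-fed list.

```python
import hashlib
import re

# Constructed sample data standing in for a breach-derived blacklist and a
# dictionary; a real blacklist (e.g. a third-party service) holds millions.
_SAMPLE_BREACHED = ["Password1", "Welcome123", "Summer2019!", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _SAMPLE_BREACHED}
DICTIONARY_WORDS = {"password", "welcome", "summer", "london", "monkey"}

def sha1_hex(password: str) -> str:
    """Hash the candidate so only a digest is compared against the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def meets_pci_baseline(password: str) -> bool:
    """PCI DSS v3.2.1 req. 8.2.3: at least 7 characters, letters and digits."""
    return (len(password) >= 7
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)

def contains_dictionary_word(password: str) -> bool:
    """Catch the pattern the 5000-password analysis found: a dictionary
    word padded with digits or symbols (leetspeak is not handled)."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return any(word in letters for word in DICTIONARY_WORDS)

def is_breached(password: str) -> bool:
    """Blacklist lookup by digest, as a leaked-password service does it."""
    return sha1_hex(password) in BREACHED_SHA1

def is_reused(password: str, previous_hashes) -> bool:
    """Req. 8.4: reject a password the user has already had (history kept
    as digests here for illustration; stored credentials need salted hashing)."""
    return sha1_hex(password) in previous_hashes

def evaluate_password(password: str, previous_hashes=frozenset()) -> list:
    """Return the failed checks in order; an empty list means accepted."""
    failures = []
    if not meets_pci_baseline(password):
        failures.append("pci_baseline")
    if contains_dictionary_word(password):
        failures.append("dictionary_word")
    if is_breached(password):
        failures.append("breached")
    if is_reused(password, previous_hashes):
        failures.append("reused")
    return failures

if __name__ == "__main__":
    # "Password1" passes the PCI baseline yet fails both stronger checks.
    print(evaluate_password("Password1"))  # -> ['dictionary_word', 'breached']
```

The point of the run is that a password which satisfies the PCI minimum can still be rejected by the blacklist, which is the gap the analysis above describes.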