When the Information Commissioner’s Office recently fined British Airways £20 million, the penalty highlighted how businesses need to take their online security seriously – particularly regarding remote, online payments.
Failure to do this will not only be a failure to comply with GDPR, but also with the Payment Card Industry Security Standards Council (PCI DSS) requirements.
GDPR/PCI DSS non-compliance
Regarding GDPR, BA failed to comply with GDPR articles 5 and 32:
- Article 5 concerns the ‘integrity and confidentiality’ of personal data.
- Article 32 concerns the processing of personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’
BA also should have paid more attention to PCI DSS (3.2.1) requirements:
3 – Protect stored cardholder data
10 – track and monitor all access to network resources and cardholder data
11 – regularly test security systems and processes.
BA’s failure to protect the data of its customers is key to non compliance of the security principle. The problems included:
- Lack of multi-factor authentication regarding passwords and usernames?
- Why was the hacker able to access the entire network via a third party supply chain attack and access files containing thousands of payment card details stored in plain text?
- How was the hacker able to remain on BA’s systems undetected for three months?
For BA, the catastrophic lack of security protocols resulted in the compromising of 250,000 card holders, which included the name, address, card number and CVV number (card security code) of BA customers.
So, along with the newly branded UK GDPR, what do organisations also need to know about PCI DSS 4.0 and how can they prepare for this update?
Importantly, next year PCI DSS will upgrade from 3.2.1 to 4.0. This means the standard is taking a more risk-based approach and along with UK GDPR companies will be obliged to follow the regulation and comply when it comes to handling and protecting personal data
If a security conscious business is PCI DSS 4.0 compliant then it will already have a framework in place that can be used for implementing measures to comply with GDPR.
Overall, PCI DSS 4.0 will set out to:
- Ensure PCI DSS continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
As consumers and organisations continue to interact and conduct more business online, the need to enforce the PCI DSS regulations will continue to become necessary if businesses are to fall foul of GDPR and PCI DSS.
Once 4.0 is in place, the ability to continually monitor and test systems could be a costly process to set up and administer. At MAPS Wireless, we recommend, for wireless deployments, the use of the Dome technology from AirEye, which once configured will continually control and protect the airspace around points-of-sale and back-office and give central IT a bird’s eye view of the corporate airspace.