Understanding Non-cash Payment Processing – Part 2


An auditor’s best line of defense in information security is understanding related standards and regulations and keeping ahead of emerging trends.

George Thomas
Senior Vice President, Internal Audit
First Data

Data breaches cost companies an average of US $204 per compromised record, according to the 2009 Ponemon Institute LLC’s annual study, U.S. Cost of a Data Breach. One way to reduce the risk of data loss is to meet or exceed the Payment Card Industry Security Standards Council’s (PCI-SSC’s) Data Security Standard (PCI-DSS). Any business that handles credit card numbers or primary account numbers is subject to this standard.

The PCI-SSC is a global forum that develops and manages the PCI Security Standards, which include PCI-DSS, the Payment Application Security Standard (PA-DSS), and the PIN Transaction Security (PTS) Standard. PCI-SSC includes American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. Understanding the PCI-SSC framework and key banking regulations provides a robust foundation for developing an appropriate internal audit program.


PCI-DSS Requirements

1 – Install and maintain a firewall configuration to protect cardholder data.

2 – Do not use vendor-supplied defaults for system passwords and other security parameters.

3 – Protect stored cardholder data.

4 – Encrypt transmission of cardholder data across open, public networks.

5 – Use and regularly update anti-virus software.

6 – Develop and maintain secure systems and applications.

7 – Restrict access to cardholder data by business need-to-know.

8 – Assign a unique ID to each person with computer access.

9 – Restrict physical access to cardholder data.

10 – Track and monitor all access to network resources and cardholder data.

11 – Regularly test security systems and processes.

12 – Maintain a policy that addresses information security.

PCI-DSS is a comprehensive set of requirements covering data security management, policies, procedures, network architecture, software design, and other critical protective measures related to primary account numbers. The standard consists of 12 requirements that fall into six logically related groups. The shared objective of these requirements is to protect cardholder data, both stored and in transmission. Each objective is supported by specific rules.

Before assessing current audit programs, note that these requirements are augmented by 64 subcomponents that specify in more detail how the requirements are to be met. Reviewing one requirement and its subcomponents gives a better understanding of how to approach the development or assessment of an audit program for these requirements.

For example, Requirement 3 on protecting stored cardholder data includes six subcomponents.

  • 3.1 – Keep cardholder data storage to a minimum. Develop a data retention and disposal policy.
  • 3.2 – Do not store sensitive authentication data subsequent to authorization (even if encrypted).
  • 3.3 – Mask the primary account number (PAN) when displayed.
  • 3.4 – Render PAN, at a minimum, unreadable anywhere it is stored.
  • 3.5 – Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.
  • 3.6 – Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data.

While the subcomponents provide, in many instances, sufficient detail to build an internal audit program (and some are supported by additional guidelines and best practices), building an appropriate audit program requires in-depth knowledge of the standards, guidelines, and best practices. For example, key management practices are well established and the auditor needs to have an understanding of these practices before finalizing audit steps to address subcomponent 3.6.
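As an added illustration that is not part of the original article, the following Python shows what subcomponents 3.3 and 3.4 look like in practice and the kind of check internal audit can run over a log or database extract to detect exceptions early. The key, the log lines and the test card numbers are constructed for the example; the HMAC approach is one way to render a stored PAN unreadable, not the only one the standard permits.

```python
import hashlib
import hmac
import re

# Hypothetical key for the example: in production it lives in an HSM or key
# manager under the key-management controls of subcomponents 3.5 and 3.6.
HMAC_KEY = b"example-only-key-not-for-production"

# Constructed log lines; the PANs are well-known test numbers, not real accounts.
SAMPLE_LOG = """2010-05-01 12:00:01 auth ok pan=411111******1111 amount=19.99
2010-05-01 12:00:02 debug pan=4111 1111 1111 1111 amount=5.00
2010-05-01 12:00:03 order id=1234567890123 shipped"""

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters order ids and timestamps out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.3: when displayed, show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def protect_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """3.4: store a keyed one-way hash instead of the PAN. The key matters: the
    PAN space is small enough that an unkeyed hash can be brute-forced."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(text: str) -> list[str]:
    """Audit check for 3.3/3.4: clear-text, Luhn-valid PANs in logs or dumps."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits
```

Run over the constructed log, the check flags only the debug line; the masked PAN on the first line and the 13-digit order id (which fails the Luhn test) are not reported.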

While internal audit may provide an independent assessment, depending on the volume of transactions, the organization may still require an assessment performed by a qualified security assessor (QSA). However, internal audit can add value in the early detection of exceptions, assessing the systems and processes that should be in scope for the QSA assessment, and in tracking exceptions to resolution.


The Gramm-Leach-Bliley Act applies to financial institutions and covers a broad area related to the protection of customer data. It requires that institutions establish administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The Federal Deposit Insurance Corporation’s (FDIC’s) examination manual details approximately 45 key questions or considerations under the broad topics of board involvement, risk assessment process, adequacy of the program to manage and control risk, oversight of service providers, and program flexibility.

Credit card issuing company rules require merchants to protect card data from other customers and employees. The rules also require card numbers on receipts be truncated, and provide limits for card payment acceptance, surcharges, and requests for identification. Merchants are becoming increasingly knowledgeable and many are now moving towards PCI compliance.

Rules for debit cards, PIN management, and ATMs are issued by the PCI-SSC and the debit card networks, and include specific guidelines on encryption, symmetric and asymmetric keys, key management (creation, storage, transportation, transmission, and destruction), and required assessments and reporting.


The PCI assessment framework is tiered into four levels, ranging from Level 1 for businesses that process over six million transactions annually to Level 4 for those processing fewer than 20,000 transactions annually. Validation requirements for Level 1 businesses include quarterly network scans by an Approved Scanning Vendor (ASV), an annual assessment by a QSA resulting in a report on compliance, and an attestation of compliance. In contrast, Level 4 businesses are required to complete an annual self-assessment questionnaire, a quarterly network scan by an ASV, and reporting as required by the merchant’s acquiring bank. For larger or high-volume organizations, an annual PCI-DSS assessment performed by a QSA is required. The certification is valid for one year or until material changes are enacted. Smaller organizations may meet requirements through self-assessments.

Meeting PCI standards does not guarantee information security. A prudent risk management strategy is to shift some of the potential risk by purchasing insurance that covers some or all of the risk from data loss. This type of insurance is generally expensive, and one approach is to tailor coverage with a high deductible.


There is a strong push by a variety of players, ranging from banks and networks to telecommunication and Internet companies, to extend the card payment infrastructure to the mobile platform. The growing movement to mobile payments and the entrance of nontraditional players into the payments value chain need to be considered in conjunction with other established mobile technologies to anticipate emerging trends.

For example, many already use smartphones. A user could authorize an app to access spending patterns from their mobile wallet and location to receive targeted responses and merchant offers. If a user is looking for a restaurant, the mobile device could locate restaurants within a defined range based on the user’s spending patterns or preferences and present this information with special offers, if any, from these restaurants to the mobile user. This would require the consumer to authorize access to otherwise protected data.

Should internal audit be proactive in the risk assessment process and consider coverage of these emerging areas even though initial business volumes might not appear to warrant it? If so, how does one do that? A strong understanding of privacy laws — at a minimum financial and health — together with information security, compliance, and vendor oversight would serve as a robust foundation for developing this type of audit program. The risk lies in managing the confluence of multiple, potentially unique, private data elements to create value while remaining in compliance with all relevant laws, rules, and standards.


Understanding these regulations and standards positions auditors to develop audit programs that assess risks and controls related to existing non-cash payment channels. It also points the auditor to skills that need to be strengthened or maintained to assess potential strategic risks and opportunities to business models stemming from emerging trends.

To comment on this article, email the FSA Times editor at shannon.steffee@theiia.org