APRA Level Security Compliance
How seriously does your organisation take payment security?
In early October 2013, Adobe, the world’s leading developer of graphic design software, suffered a major payment security breach with hackers stealing 3 million credit card records, plus login data for an undetermined number of users.
After further review and investigation, Adobe revised their estimate, reporting that 38 million IDs and encrypted passwords were compromised.
But this wasn’t the end of it.
In reality, more than 150 million username and hashed password pairs were taken from Adobe, exposing customer names, IDs, passwords, and debit and credit card information in what was one of the most significant data breaches of the 21st century.
In August 2015, Adobe paid a heavy price reaching an agreement to pay $1.1 million in legal fees and reportedly $1 million to users to settle claims of violating the Customer Records Act and unfair business practices.
Now, in 2020, just five years after this breach and many others, Governments around the world and regulatory bodies are taking the protection of customer payment data more seriously. But the question remains, how serious are organisations about payment security?
How has payment security evolved?
Since the introduction of the first plastic credit cards in 1959, technology and security measures have grown in their sophistication. This growth has been matched by the ability of cybercriminals to steal credit card information.
The Payment Card Industry Data Security Standard (PCI DSS) was first introduced in December 2004 in response to the increase in credit card fraud and the lack of a common set of security standards. It was the first globally recognised set of security standards and was developed by American Express, Discover Financial Services, JCB International, MasterCard and Visa.
From the introduction of PCI DSS version 1.0 in 2004, all merchants and payment processing companies that accepted credit cards as payment were required to adhere to the new standard, i.e. any company or service provider that stores, processes or transmits card data needs to be compliant. PCI DSS aimed to address the increasing prevalence of high-profile data breaches and losses from fraud that were impacting consumer confidence in credit cards.
Since the first iterations of the PCI DSS standard and its subsequent updates, governments and regulatory bodies around the world have placed a legal obligation on large corporations to protect sensitive customer data and to report breaches of it.
Some key dates that have had an impact on payment security in recent years are:
22nd Feb 2018 – Australia’s Notifiable Data Breach legislation became law, requiring businesses, Australian Government agencies and not-for-profits with a turnover of more than $3 million per year to report any data breaches to the Office of the Information Commissioner, notify affected customers, and publish related information on their website.
25th May 2018 – Europe’s General Data Protection Regulation (GDPR) came into effect, unifying all existing laws relating to data protection across the European Union. While these laws are Europe-based, they do impact Australian businesses that have offices in Europe, offer goods for sale in Europe, or collect personal data of individuals who live in Europe.
1st July 2019 – The Australian Prudential Regulation Authority (APRA) introduced its new prudential standard CPS 234 to address information and cyber security for APRA-regulated entities in Australia. This new standard places obligations on APRA-regulated entities to implement an information security capability that is commensurate with the size of, and threats to, its information assets and that enables the sound operation of the entity. It also identifies that the board is ultimately responsible for information security on behalf of the entity.
1st July 2020 – As part of APRA CPS 234, from 1st July 2020 all third-party suppliers to APRA-regulated entities are also required to align with the standard. This means that any third party responsible for information assets on behalf of an entity must comply with CPS 234. From a payment security perspective, this includes payment information storage suppliers and payment processors that manage transactions on behalf of the entity. IPSI has been working with several insurers to ensure their broker channels, pay by phone (IVR), web and call centre processes are secure and aligned with the APRA security requirements.
Do organisations take payment security seriously enough?
With the growth in government regulation and the increased focus on boards to take responsibility for cyber security, the question needs to be asked: how seriously do companies take payment security?
The 2019 Global Cyber Risk Perception Survey published by Microsoft and Marsh highlights that while 79% of the 1600 senior executives from around the world who responded see cyber risk as a top-tier priority, 1 in 5 executives lacked confidence in their organisation’s ability to manage or respond to a cyber attack.
Also of concern is the lack of focus boards and executives place on cyber security. According to the research, executive leadership and boards spent only 5% of their professional time on cyber risk and security during 2019. The roles spending the most time on it are in IT and information security, yet only 20% of the IT and information security staff surveyed said they spend “most of their time” on cyber risk management.
How to tell if your organisation is serious about payment security
The first sign is that there must be a senior executive responsible for managing cyber risk and, more specifically, payment security. This is a strong signal that an organisation is committed, from a leadership perspective, to addressing security threats. It also recognises that senior leaders and boards are responsible for cyber security, as identified in APRA’s CPS 234.
Secondly, your organisation must have a commitment to compliance, in particular PCI DSS compliance, which is a mandatory security standard relating to payment security. Any organisation or service provider that accepts credit card payments from customers, whether via a call centre, online or in a retail environment, must be PCI DSS compliant.
The third signal: has your organisation asked all of its service providers that store, process or transmit customer credit card data whether they are PCI DSS certified? And whether their services are Level 1 PCI DSS compliant? (This is the gold standard, as it is based on an independent third-party security assessment.)
Where to from here?
It’s clear from the research that some organisations have a way to go before they can be considered to be taking payment security seriously. In many cases, the banks have done a poor job of educating businesses about their security responsibilities and about how they can leverage available market options to reduce the costs, risks and lead times associated with security and compliance while improving their customers’ digital experience.
At IPSI, payment security is in our DNA. We’ve helped many organisations across a broad range of industries become PCI DSS compliant and meet the APRA CPS 234 standard with our Level 1 PCI compliant payment services. AgentSecure, our PCI compliant solution for call centres, ensures agents accept payments in a PCI compliant manner and that credit card data is not stored within the call centre. At the same time, our IVRSecure service secures client-side IVR infrastructure. EnterpriseSecure is also Level 1 PCI compliant and allows secure payments whether they are accepted online, via mobile devices or by other methods, while delivering the flexibility to tailor services to business-specific use cases.
If you’d like to discuss how we can help, please send us an email to firstname.lastname@example.org or call us on 1300 975 630.