Q&A: PCI DSS and the changing cyber landscape

Tom Harwood is CPO and Founder of Aeriandi, a company which specialises in hosted, secure voice services that enable organisations to meet FCA and PCI DSS compliance obligations. Here, Tom discusses PCI DSS, the changing cyber landscape, and the future for the IT industry.

Tell us about Aeriandi. What does the company do?

As a business, we help to secure over half a billion pounds in payments every year. We have spent over a decade investing in cloud-based design and architecture, working with some of the biggest names in banking, telecommunications, utilities and travel.

How did you come up with the name?

When Matt (Bryars) and I decided to set up a hosted software company, I had been heavily involved in computer game software programming. The name actually derives from a computer game that I had played quite extensively with my brother as a teenager. The game was set in a star system far away. When it came to naming the company, one of the names of these stars stuck in my mind – Epsilon Aeriandi, as I remembered it. Turns out, the star was actually called Epsilon Eridani and we had misspelled it… However, the name stuck, it works, and it did mean the domain name was free!

Aeriandi is 14 years old this year – how much has the industry changed?

As technology has become more advanced, hackers have become increasingly skilled too. Not only are businesses working hard to keep pace with the ever-changing cyber landscape, they are also under growing pressure to adhere to a broad array of standards, such as PCI DSS (Payment Card Industry Data Security Standard) and FCA (Financial Conduct Authority) compliance. Businesses are becoming more aware of the data they are storing and these areas of compliance are expanding. This is a far cry from where we were 14 years ago.

How – and why – have standards such as PCI DSS advanced in recent years?

The PCI DSS was introduced as a proprietary security standard to assist organisations that handle branded credit card information. It was created to increase controls around cardholder data to reduce credit card fraud. Almost a decade on from its original launch in 2006, PCI DSS continues to generate heated debate regarding its precise application and interpretation. Many of the issues stem from the wealth of misinformation out there about the standard, perpetuated by individuals and groups who do not properly understand the principles behind it or why it was originally created.

What are some of the myths surrounding PCI DSS?

One of the most common myths is that if your business is non-PCI compliant, the card brands will fine you. This is incorrect. Whilst the global card brands such as MasterCard, VISA, and American Express are the driving force behind PCI DSS, their relationship is with the acquiring banks (Barclays, HSBC etc), not the merchants themselves. As such, the card brands cannot directly fine the merchants for any breach where the merchant is found to be non-PCI DSS compliant.

However, that’s not to say merchants can’t be fined. Acquiring banks can levy fines in cases where merchants are the subject of a security breach and upon investigation are found to be non-compliant. Fines for a small merchant typically total around £15,000, which is payable on top of any forensic investigation and remediation costs (that can significantly increase the financial penalty).

How are standards evolving – and what role does the Government play?

When it comes to the evolution of standards such as PCI DSS, FCA, and legislation such as GDPR, it is becoming an arms race. As businesses store increasing amounts of sensitive data, security practices are becoming stronger and more widely implemented. In turn, the threat landscape is becoming more sophisticated, with threats rising at a rapid pace. In order to keep up with this, standards and legislation need to evolve and adapt equally rapidly. It’s a never-ending cycle.

Government legislation such as the GDPR needs to be as well thought out and effective as it is broad. There is no issue with the reach of this legislation. The GDPR, for example, is making the headlines almost daily, especially now with the UK’s planned exit from the EU. However, what legislation such as the GDPR must have at its heart is data protection. There is no use implementing these standards if they do not reduce the overall risk for the organisation. There must be an understanding of the changing threat landscape at the core of this legislation. This will ensure that rolling them out will have a beneficial impact on the security and safety of businesses – and the data they handle.

Where do you see the IT industry compared to where we are now?

In the next five years, it is safe to presume more small businesses will get on board with security measures and begin to introduce more products and solutions to their organisations. The industry will continue to see an increase in the number and complexity of security standards and compliance regulations and will hopefully adopt these into their organisations.

Organisations will be in a position to help shape and drive these growing security standards. Impressive technology advances such as big data and open source technology will continue to grow and develop and be adopted by organisations worldwide.

At the other end of the scale, it is impressive to see how much large enterprises have helped to shape the IT community. That extends right across the board, and it would be difficult for organisations to operate without these movements in the community.

Tom Harwood, CPO and Founder of Aeriandi