Do severe consequences of non-compliance with payment card security standards
point to the advantages of engaging QSAs with audit backgrounds?

Grant Thornton LLP notes that qualified security assessors with business audit and systems management backgrounds offer valuable experience in gauging compliance with mandatory data security standards.

TORONTO, May 4 /CNW/ - Last year, following the announcement of the world's largest breach of payment card information, more attention was paid to existing regulations requiring merchants accepting payment cards, and service providers who performed card transaction processing for these merchants, to prove their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The looming deadline for filing compliance reports with PCI DSS is October, 2010. The consequences of not meeting the standards for the protection of confidential information are significant and can include the imposition of heavy fines, probationary penalties, loss of payment card service and ultimately, immeasurable damage to a company's brand and revenue stream. Added to these are losses that could result from the possible class action lawsuits from cardholders for not protecting their privacy. Grant Thornton LLP recommends that businesses whose payment card transactions represent a significant part of their revenue stream have their PCI DSS compliance accurately assessed by accredited professionals with a comprehensive background in IT controls auditing and information systems security.

"Security standards for automated processing of payment card transactions have been in place for well over a decade. What's new is the requirement for reporting compliance at the umbrella level under the Payment Card Industry standard which is supported by the five major card brands. While recent high-profile security breaches have focused attention on the importance of data security, many merchants don't recognize the extent of consequences they'll face if they don't take proper security measures," explained Chris Anderson, CA(NZ), CISA, CMC, CISSP, PCI QSA, Business Risk Adviser, Grant Thornton LLP. Heartland Payment Systems Inc., one of North America's largest payment card processors, announced a $60 million settlement with Visa alone following their security breach that is believed to have compromised the data of up to 130 million payment cards.

Canadian businesses have a particular interest in these developments since Canadians are among the world's most frequent users of payment cards. Equally important, Canada has lagged behind Europe in adopting Chip & PIN technology on credit cards, making us an alluring target for international data thieves. According to the Canadian Bankers Association, reported payment card fraud as a whole exceeded half a billion dollars in 2008.

The PCI DSS is overseen by a council founded by the five largest PCI players: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The PCI DSS is designed to protect consumers' payment card data by enforcing security standards ranging from firewall installation to security policies. The council offers a formal qualification, the Qualified Security Assessor (QSA) designation, to individuals who assess compliance with the PCI DSS standard.

"We're very supportive of the PCI Security Standards Council's drive to improve the quality of the work being done by the QSA community," Anderson continued. "Properly prepared PCI DSS compliance reports should be considered as equally important as annual financial statements when you take into account the potential for reputation damage, the risk of increased transaction fees, potentially crippling fines, and loss of revenue. Our view is that QSAs from chartered accounting firms with formal internal controls audit and information security backgrounds bring the right skills to the table in assessing a retailer's payment card transaction processing security. A QSA with this background has the experience necessary to confirm compliance, the skills to integrate PCI DSS with other governance, risk management and compliance initiatives and also deliver a higher level of assurance of a more formal approach rooted in often decades of experience of providing independent assurance services."

"It's important to remember that the PCI DSS process doesn't make a network absolutely invincible from data theft. Nothing will. But when a bank is robbed, it doesn't mean that vaults, guards and cameras have been rendered useless-it means the bank's security system needs to be adapted and strengthened. The PCI DSS is a mandatory benchmark to help lower the risk and the standard will evolve to keep pace with the threats," adds Bashir Fancy, Former EVP, Risk Management and Security, VISA, and Special Adviser, Business Risk Services, Grant Thornton LLP.

Anderson concluded by emphasizing that the risk of payment card fraud is always present. The most effective PCI DSS compliance needs to be an ongoing process rather than an annual "tick the boxes" exercise.

A Grant Thornton white paper on PCI DSS auditing, Out of the breach, is available for download at: www.GrantThornton.ca/insights.

Notes to editors:

About Grant Thornton in Canada

Grant Thornton LLP is a leading Canadian accounting and advisory firm providing audit, tax and advisory services to private and public organizations. Together with the Quebec firm Raymond Chabot Grant Thornton LLP, Grant Thornton in Canada has more than 3,100 people in offices across Canada. Grant Thornton LLP is a Canadian member of Grant Thornton International Ltd, whose member and correspondent firms operate in over 100 countries worldwide.

For further information: or to arrange an interview please contact: Peter Mumford, Compass Communications Inc., T. (902) 455-3307 No. 55, C. (902) 488-5155, [email protected] or Andrea Mascarenhas, Grant Thornton LLP, T (416) 360-5065, F (416) 360-4944