Keeping Electronic Payments Secure With Jaydeep Palkar
One of the biggest points that organizations should consider is how to give customers the confidence that they can transact with them in whichever way they want without compromising the security of their data or account information. To do that, they need to have the infrastructure or the functionality in their IT environment. Joining Abhijit Verekar and co-host Mike Caffrey on today’s podcast is Jaydeep Palkar, who oversees the PCI Compliance and General Governance for Gap. Jaydeep shares how they’re keeping electronic payments and transactions secure for their clients and vendors. As more and more businesses are transitioning from a paper-based process or cash payments to electronic, this is an episode you wouldn’t want to miss.
AV: This is going to be a slightly different episode. We’re talking to a gentleman that oversees PCI Compliance and the General Governance for Gap. My guest is Jaydeep Palkar. He’s with Gap Inc., makers of clothes and other accessories. I also have with me Mike Caffrey, who is my partner and Vice President at Avero. Welcome. It’s good to have you, Jay, all the way from California. We’re excited to talk to you about stuff that we might be coming up against here. Give us a little bit of a background, how did you come to be overseeing compliance in such a large company. What’s your story?
Jaydeep: I went to school in Ohio and started my career with a public accounting firm. I stayed there for about twelve years, primarily focusing on external audits, stock support, financial audit work in addition to working on consulting or advisory engagements as well. After that, I got an opportunity through my network at Gap. I tried that interview and probably sold my skills better. The good part was in the same realm that I had been for about twelve years which is risk and compliance. No matter what name or what form you put it in, it’s important to have that risk mindset. That’s how I got the opportunity to work on such a wide range of risk management frameworks.
AV: You’re CISA certified. Tell us what that means. That will help our readers put our chat in context a little bit.
Jaydeep: I have a CISA certification which is the Certified Information Systems Auditor. It’s a certification that is offered by ISACA, which is the organization that has multiple information systems, audits or risk management certifications like CRISC, CIS or Certified Information System, and the Information Security Manager is another one that comes to my mind. That was one of the requirements as you progress in the organization that I was part of at the beginning of my career. I wanted to make sure that I got done with it before I get to a point where it’s required for my promotion. It also helps me in my day-to-day work because it allows me to take a perspective of not only an auditor but also how an internal function would look at information security from an auditing standpoint. It gives you a good perspective.
AV: What we do is we help our clients modernize their IT infrastructure. A lot of our work is helping our clients set up financial systems to the point where most things are electronic and there’s less paper. A lot of our clients are not as advanced as Gap is or a lot of your clients at your previous employer were. We’re trying to get our clients to the point where they are compliant with PCI and all of these things. Even us, as a consulting organization, we want to know what it is that we need to do to prep our clients to take the next step towards EFT payments, to make sure that the credit card transactions are being secure. To our clients, that may be in the near future, but you’ve been in this environment for many years.
Jaydeep: Overall, I’ve been in IT security in one way, shape, or form, whether it be financial controls-related security or purely securing your environment. Talking about PCI or SOC, whichever framework, taking a step back, I would think about more of how you are going to give your customer the confidence that when they provide you some of their payment information or their account banking information, it’s going to stay secure. More than going specific to the framework, that would be the first step. Many times what happens is organizations may want to stick to a framework, which is fine. The basis of that needs to be, how am I going to give my customer confidence that they can transact with us in whichever way they want to and their data is secure?
That is one of the biggest points that organizations should consider. In order for you to do that, you also need to have the infrastructure or the functionality in your IT environment. Some of these threats are changing almost every second day. Where something was acceptable now is not acceptable the next day. That would be the first thing. From speaking in general about PCI, it’s a standard that is created by the Payment Card Industry, which had about maybe 4 or 5 brands like Visa, MasterCard, JCB, and Discover. There is a security committee called PCI SSC that continues to evolve the standard, which is called a PCI DSS as a whole. DSS stands for Data Security Standards. That is expected to be followed by merchants or by service providers who either accept credit cards, whether it’s virtually or in-person from the customer, and show that those are secure.
The reason why I say that is there have been a lot of situations that we as customers have come across a scenario where you call your card brand or bank saying, “I did not ever make this transaction. This is not my purchase. You have to return this to me.” You call the retailers, “It appears that this card is swiped at your store or your website, but I never used it.” That increases the liability for those merchants, as well as the cards. That is one way of trying level best as an organization to secure that data. That’s what drives the creation of this whole standard. The standard has evolved over a period of time from when we had some of these older merchandise equipment where you gave your American Express or your MasterCard. They would scan it on a carbon paper and then process the payment, to then swiping your card, then using the chip and tapping it using your mobile devices. You might have your iWatch or iPad.
AV: Mike, what kind of questions are you seeing these days because you’re working on the front end trying to modernize. We work with county clerk’s offices, court systems, and all of these very important functions are either trying to get on board with electronic payments in some form or the other or they’re trying to be more secure. What are you seeing, Mike?
Mike: Most of what we see out there are people using a service provider for credit card processing. We should be seeing the burden of compliance fall on the people that do the credit card processing, not the government agency that pays them.
Jaydeep: It should be both sides because it’s like buying insurance. Irrespective of whether you have the coverage or not, there is some responsibility on you. You can buy insurance for your house, but you cannot do things that the insurance policy doesn’t allow you to do. Otherwise, that would be a moneymaking business. I don’t like my house I’m going to break it down and then say the insurance will pay for my house. This is where my role with managing the third parties also comes into the picture. Not only do I need to look internally of how we are staying compliant with some of the requirements as a merchant accepting cards, but also holding my third-party partners to that same standard for areas that they’re responsible for. Essentially, what we’re seeing is we are going to transfer the risk from internal parties to an external vendor who are specialized in that function.
I keep referring to this concept of merchant which in some cases are the retailers and the government agencies that you’re talking because you have the merchandising equipment or the POS devices in your environment. Once that card is inserted, scanned or tapped, it goes through the ether and transfers the data to the payment processor. They also need to secure that data. The third-party who manages the transfer after it moves out of your environment also needs to have controls and adhere to requirements of the security frameworks.
Mike: I’m not disagreeing with anything you’ve said. What I’m suggesting is that some of these agencies are small. They don’t have that experience. Seeing the risk transfer to somebody much bigger that understands not just how to do these things, but knowing also that it’s their responsibility as well to be PCI or SOC. All the compliances you can imagine are there. What I see though is these agencies many times don’t understand what their role is in that compliance equation. It’s not right and I understand that but what I hear is, “We don’t store that data. I don’t store any of that financial data. That’s on my bank,” or “That’s on that third-party application,” or whoever is doing the actual transaction and storing that data, it’s all on them.
I agree that that’s not right. We need to understand who’s doing that processing for us, and we need to understand it well enough that we can own that responsibility as well. I don’t think anybody walks up to an agency, pays for a service and thinks to themselves, “The agency that I had swiped my card with isn’t responsible for what happens at this point. The people they do business with are responsible.” I don’t think any of those customers are thinking, “It’s the people behind that agency that I’m going to have to go after if I have an issue.” Especially, in smaller shops or agencies, I don’t think there’s a lot of knowledge out there as to what governs compliance, what happens if you’re not compliant, and then if there should be a breach, that they have any responsibility at all.
Jaydeep: You are right in some cases that a lot of the responsibility might fall to these specialized partners, third parties or vendors. However, what becomes the agency or in this case, the merchant’s responsibility is to have processes in place to hold their vendors responsible. Case in point, if we are saying all of the security aspects of the data once the card is swiped falls on someone else as a vendor because they are specialized in parties, what is the agency or the merchant going to do to validate that they are staying in compliance with the specific framework?
In this case, are we asking for something called an attestation of compliance from a qualified security assessor, which is an external party, depending upon the transactions that are being processed by that merchant? It might be a scenario where you have an internal resource in a department where the PCI framework allows you to perform your own internal assessment and then provide a standard report or an attestation of compliance to say, “We are doing our side of the data appropriately as well.”
There are multiple ways of looking at it. There are about twelve or so high-level requirements for the PCI framework in general. Each of those in most cases are required for you. It’s a yes or no answer. There is no gray area in most cases from a PCI framework existing standpoint. How you provide that information is dependent upon the number of transactions the agency would be performing. Those are also classified based on the card brand. You might have an American Express that has a specific number of card transactions that would qualify you to become level 1, level 2, level 3, and level 4 vendors.
Level 1 is the highest number of transactions that you are processing. You are essentially expected to have an external party do the assessment of your environment. In level 2 and level 3, where you could choose to have an internal security assessor, perform the assessment, and then complete the attestation of compliance to provide your partners. It breaks down into further more detail. If you’re a service provider that has specific requirements that you have to adhere to in addition to the general twelve, depending upon how the responsibility is.
Mike: When you look at the private sector, I would imagine a lot of smaller companies might be faced with the same challenges that these local governments would, and that they don’t have a lot of people. The people they do have might not understand compliance well enough to do that attestation of compliance internally or have the funds to pay somebody to do that attestation. But PCI, for example, if I subscribe to a service where that vendor has to be level-1 compliant, is there an annual report that they can produce every year? Everybody that does business with them can tie into that attestation report, pull it down and keep it as part of their records. Does every business that subscribes to that service, do they have to do their own attestation of compliance report?
Jaydeep: Attestation of compliance report is a summary that your qualified security assessor or an internal security assessor provides. A Qualified Security Assessor and an Internal Security Assessor are certifications that are granted by PCI SSC for completing certain educational course credits. You need to take an exam like any other certification. As far as everybody and anybody has access to it is a choice that an organization would need to make. For example, most of the banks might have that on their website or have a department that would provide you information. There might be something like Verifone or Verizon who do provide you payment terminals, they should ideally have that for a similar report.
For example, there is a specific report that would show you that the solution is a P2PE solution, which is Point to Point Encryption Solution, which then further allows you to reduce the number of procedures that as a merchant you need to do because you need to be compliant. If you think about like a mom-and-pop store, they may not be required to adhere to PCI because that is optional. They are the lowest level, which is maybe a level-4 vendor or below, but a company like for example, the government agencies, I would assume has at least 300,000 to maybe 500,000 transactions on an annual basis on any given twelve-month period. They would be having enough transactions to be at least level 3 or level 2. Many times, people don’t even realize that when you sign contracts with your vendors to put some of those, and a question through it says, “Do you have an AOC that we could get and review?” You need to do that every twelve months. It can expire every twelve months. If I sign it on June 12, 2020, by June 12, 2021, we would need to get another one because it expires after twelve months.
Mike: From what I understand from how you explain it is it has the part where the small organizations need to understand the value of being compliant, acting on that. Nobody is relieved of the responsibility of requiring that of the vendors they do business with, that you have educated yourself well enough to understand that. That mom-and-pop or that small agency should understand that.
Jaydeep: That’s the exact point I made right at the beginning where irrespective of the framework or the compliance requirements that you’re following, would you like to go to a store where the last time you went, you had a fraudulent charge on your card? The answer is no. Irrespective of whether you’re processing five transactions or five million transactions, that customer confidence is important when the customer walks in. Otherwise, they’re not going to come onto your website or your store and swipe their card. If there is someone who is used to paying using card and doesn’t carry a lot of cash, that is costing your business. That’s the thought process that I generally put myself into.
AV: How do we put this in context of our clients, Mike? Our clients don’t have a choice. It’s not like they’re going to Gap and then they can go to Abercrombie & Fitch. You have to go to the Blount County Courthouse for the next plate for your car. If you’re in jail, that’s who you pay to get out.
Jaydeep: You also need to consider the fines that some of these card brands or the council will put on you if you are not compliant with their standard. Eventually, they will not allow you to take cards at all. Think about the processing time that you’re adding to someone who has got a ticket, which is $100 and is a busy individual trying to run from pillar to post to make ends meet, to go and stand there and pay card or cash. It’s a roundabout way instead of going on the website and be done with it. That also holds the agency’s revenue because it takes more time to get the revenue.
Mike: You kind of have a captive audience on the government side. At a point in time, we want to do more virtually. We want to do more online and less in person. If I lose confidence in my city or county government’s ability to have a safe and secure transaction with my credit information, then I’m going to want to do more face-to-face. I’m going to want to do less with credit and more maybe with cash or cashier’s checks, which has taken us in the wrong direction overall. This is a timely topic in light of the fact that everybody is in a rush to be virtual for everything. We forget some of the finer points that go with being virtual, which is more of our personal information is going to end up on the dark web for sale.
AV: Is there a function missing on our client’s side? Taking the example of getting car tags or getting permits when they take your credit card information. To Jay’s point, how are they keeping compliant? How do they know if they’re compliant or not, and keeping their end of the bargain?
Mike: How do I know, Jay, when I go into a store other than by reputation? How do I know when I go into the store that my credit information is being handled safely and securely? I can see the brand of the card swipe machine, but when I go into any store, how do I know?
Jaydeep: Since I have been in this position or my role, I have been questioning that all the time. How do I know whether where I’m putting my credit card information is secure or not? From an individual customer perspective, you’re going to say, “What happens if someone gets hold of my card information?” I’m going to call the bank and say, “This is a fraudulent charge. I need a return and I need a new card.” From an individual, the lowest level, which is the customer level, it’s not going to be as relevant. Where it becomes bigger on is the liability that individual merchants or agencies accrue because the card brands are going to start kicking back, and you have an environment that is not compliant, that is not secure and it’s causing us the money.
As a customer, I don’t want to be too worried about it independently because I have recourse for myself. We have seen a lot of breaches where personal information has been breached and companies have had to refund a lot of money and provide free credit monitoring in certain instances. That adds a lot of liability and expense to the organizations itself. That’s where I would look at it more than the individual customer level. When I look at it as a customer, I’m going to be very hesitant in going and swiping my card with an organization that has had a history of breaches.
AV: Is that the worst thing that can happen to a merchant? When I say merchant, it’s my client, the finance department, the clerk’s office selling plates. For example, if Visa says, “You aren’t keeping up your end of the bargain.” The worst thing that can happen to the merchant is that they get delisted. They’re not allowed to run Visa transactions anymore.
Jaydeep: Before it goes to that point, it’s also going to be fines that we will have to pay to those card brands.
Mike: Let’s say, I’ve got ABC Company that under the covers is doing all the credit cards, all the financial transactions for my “as a service” vendor that issues permits. It’s a cool piece of software and it’s got a splash page and it’s a portal upon which one of the functions is collecting my personal information so that I can purchase something online. Under the covers then that vendor has passed that responsibility on to a reputable credit card processor who is obviously compliant. What we’re talking about is that the responsibility falls on the agency or company that has paid to put that portal up and has this backend agreement with the credit card processor and the credit card processing company themselves.
What we’re talking about is that I know for a fact that many of the smaller agencies can spell PCI, but this isn’t their thing. I’m asking for a page to issue permits, but they’re not financial people. They are people that have a lot to do with inspections and permits. I might even think that’s not my thing. That’s what I pay these other guys for. Along the way, maybe what we should be doing in is helping our clients understand that, “You are small and perhaps there are pieces of this you don’t understand, but either by reputation or by attestation, you should be looking for a history of providing this kind of compliance.” That’s how some of these companies will grow because they’re good at it. They’re doing all the right things. Some of these companies should die whether they fall off the vine because they aren’t doing those things.
Jaydeep: It’s true to a large extent. As an agency, you are going to look for someone who is a reputable vendor and who is in the business, and that’s their core competency essentially. However, the reputation is not going to be enough. It has to be an attestation, which is a requirement. As for the customer and vendor relationship, what you essentially think through or create is something called a responsibility matrix, where you go through the requirements of a framework like PCI and then put in to say, “Who is responsible for meeting some of the requirements of the framework?” There might be scenarios where it’s partial, meaning half you and half vendor, or completely on the vendor side or completely on your side. For example, one of the requirements is to have policies and standards in place and they’ve been reviewed. As much as you want to say, “I’m not doing this. It’s going to be the vendor doing it,” you also need to have a policy and a standard to say, “What would I hold my vendor responsible for and what’s the level that I require them to be at from a security standpoint?”
The other thing that some of the smaller companies or agencies may want to consider is not only look at one framework, but look at probably the host of frameworks that they need to be required and adhere to, and create an environment that will ideally allow them to be compliant with multiple frameworks by putting one control or one process in place. It’s the mindset that is important rather than saying, “This is a requirement for the framework and that’s why I’m going to do it.” This is not going to go away from my perspective. The more we are getting virtual and the more we are working remote, this is going to increase day in, day out.
AV: If you look at it, there is no overarching compliance framework or regulation. You just need to be secure so your data is protected. That’s what it sounds like.
Jaydeep: What kind of data is protected? If there’s something that I don’t care as an agency, that might be more like an area that you need to continue to watch and say, “Who’s trying to get it?” That’s one way to look at it. The other one would be, “These are my important data points that nobody other than my designated people should have access to or be able to access.” That’s another reason. Classification would be another aspect.
Mike: One of those few areas where private sector experience is going to be very different from public sector experience. It doesn’t mean that either is absolved of any responsibility, especially when you look at smaller and more rural governments and agencies, follow-ups of these annual audits that are conducted by the state. I’m not sure that all 50 states are up to date and what they would require of those digitally modernized agencies, the ones that are trying to do more virtually than in-person.
You’ve seen it, AV, probably more than I have and these audits that either begin in IT or in accounting finance and ask a certain level of question. You’re looking at some of the questions, scratching your head thinking, “I don’t think people do that anymore.” It extends that to what Jay is talking about. This isn’t cutting edge stuff. It’s been around for a few years, but these are expectations we would have if we were going down the street to buy a pair of shoes. If I’m going online and I’m buying some off in Amazon, I’m expecting all of this stuff to be in place. Why should it be different if we’re looking at an agency?
AV: Like with anything else in government, unless you stumble or you have a data breach, you’re not thinking about it. It’s like the roads you drive on. You don’t think about them every day until there’s a crack in it. As our clients are transitioning from a paper-based process or cash-only payments on certain windows to electronic, the question isn’t, “How do you make secure?” The question is, “How do we take electronic payments?” Some of our clients are saying, “We don’t want to be responsible for storing payment information on our systems. Let the vendor handle that.” What I’m hearing is that’s one way of doing it, but it’s simply passing the bucket to someone else and not taking responsibility.
Mike: You still need to take responsibility for it, even if you aren’t ultimately storing that data.
Jaydeep: If you put this in a RACI model, there is a Responsibility, Accountability, Consulting, and Informed. As much as you say, “I’m going to put the responsibility on my vendor,” you as an organization would still be held accountable for it. That’s the basis of the vendor-customer relationship as well, or even as you delegate some of the tasks in your organization. If you delegate it to your manager and the manager gives it to another person below him, when you ask him the question, he is responsible for completing the task. You have to answer your client because you are accountable to them. You cannot say, “I told my manager and he didn’t do it.”
Mike: On the other half, even if you are compliant and you do everything you can, we have breaches from time to time and on the private sector side there are reporting requirements when a certain number of records are exposed. How does that work with smaller companies that are doing business with large credit processors? When there’s a breach with one of their vendors, what is their responsibility if you’re small? The agency or the small business’s responsibility. The people that hold the financial information, is it only their responsibility to notify those thousands or hundreds of thousands of people that there was a breach or is there a certain amount of responsibility for reporting on the agency itself?
Jaydeep: The way I understand it is, it depends upon the nature and the level of breach. There might be some incidents that you might have to disclose to your reporting or governing body. That might be one. The second might be your regulators. The third would be the customers that are impacted because of this. The fourth would then be the public. Depending upon the nature of the incident, you may be required to report at different levels to different parties. If there is a breach that might have happened at your vendor, then you, as an agency, will need to connect with the vendor’s security department or representative and understand what is the nature of the breach? What level of data has been lost? What is their process of communicating to the impacted parties? Do you need to take over that? That is something that, according to me, goes back to the contracting or the vendor management process before you get into the relationship.
Mike: It’s interesting to me, especially for those smaller entities out there that are doing business with much larger processors. It’s very possible that I as the consumer would know about the breach maybe before the agency or small company knew about it.
Jaydeep: That would be a scenario that you don’t want to be in where your customer knows about an incident before you do. That’s where the majority comes into the picture. Incidents and breaches are going to be something that you cannot 100% avoid, but it also comes back to saying, “How are you responding? How quick are you in identifying those? How will you deal with them once they’re identified?” If a name-brand vendor, for example, if you do not know that there is an incident in your environment, but your customer knows first, then there is a different thought process that needs to go and to fix it as well.
I heard a couple of times some of the smaller agencies which are what you are referring to. Smaller might be a very relative term for someone like a huge Fortune 500 or Fortune 50 company. Even a merchant that has one million transactions a year might be small because they have more of that. For someone who processes one million transactions, somebody who processes only 50,000 might be small. When you think about the small merchants and how would you think through that? Is it an organization and an agency that has probably 1,000 transactions a year or would it be 100,000 transactions a year? Where does that level stop?
Mike: I get those emails, unfortunately, a couple of times a year that let me know that my information has been exposed and somebody is offering me another year of LifeLock. I don’t know which retailer was breached. I don’t always attribute the breach to the transactions that happened at a particular retailer. If it’s Experian, then I know who to blame, but if it came through MasterCard, I don’t know if I typically would know. If the information was available, I would. I remember Target a couple of years back had a massive breach. It was so big. I remember thinking to myself whenever I walked into a Target, “Am I going to do this?” If I’m driving by, I’m going to keep driving and go to Walmart for whatever I need. That’s how I viewed that transaction.
Jaydeep: Target had an incident in the business. They can become a great case study, to begin with, for business students. That goes back to my original thought to say that some of these incidents are inevitable, given how the industry is evolving. As much as we’re trying to get secure, the bad guys are also starting to get smarter. How the organization responds to that incident is another aspect that we need to consider.
As a customer, if you get information or emails from MasterCard or LifeLock that says, “We’re going to give you a free year because of ABCD,” anticipate that they should be able to provide you, what exactly happened to my information that you are allowing me to extend my membership without any charge? That’s a cost for them at the end of the day. As an individual customer, what are you not telling me?
Mike: I’ve become a little bit jaded towards the whole thing. If somebody’s offering me another year of any service like LifeLock, for example, it’s not doing anything for me. The service and my information are still out on the dark web. I know my information is up there. I’m not saying that I’m opting out of the electronic world and willing to go on my own, but there are so many breaches many times with retailers that I do business with on cards that I use on a frequent basis. It doesn’t have the same effect on me anymore. Do you feel the same, Jay, or do you feel even stronger that these controls are doing what they should do?
Jaydeep: As a customer, I’m not worried because I have a recourse. As a professional, I’m always worried about my organization because I’m going to get questions saying, “We should have identified this or we didn’t identify this. Why did we not determine this?” The biggest nightmare for any CSO or CIO is something like this saying, “Why did you not identify it?” As a customer, I don’t worry too much about it, but as a professional, I do. You mentioned about adopting this electronic world or digital world. I was very skeptical at the beginning, but I have made peace with myself that this is the only way to go about it.
Mike: I agree with that. I think you use the right word, “Make peace with it.” Nothing’s going to be absolute in anything we do.
AV: We can wrap it up by saying that there is no magic silver bullet and it all comes down to effective policies, processes, and making sure you’re following through with what you’ve decided and how to keep your data and your system secure. It isn’t very different from a blanket statement saying this is part of IT security. Even if we’re talking about data and transactions specifically, the mechanisms for keeping ourselves secure are the same.
Jaydeep: I’ll put an analogy because I tend to do this all the time. You have a car and you want to go fast, but you also need to make sure that you have all the assisting technology in place where you have your power steering right so you can maneuver the car at high speed. You have your brakes working so if you need to slow down, you can take care of things, and if you do need to see farther when it starts getting darker, your headlights are working. It’s a combination and everything comes together. You cannot sacrifice all of these, which essentially are safety features, in order for you to go fast because that’s going to be an unpleasant end result in case something goes wrong.
AV: Jay, thank you for joining us and for the words of wisdom. I feel slightly better.
Mike: I enjoyed the conversation, Jay. I’ve always wondered about these things. You shared a lot of light on these controls, their purpose, where responsibility lies. We’re all able to at least better advise our customers based on that information. I appreciate your time. Thank you.
Jaydeep: I appreciate you guys for giving me a chance.
We’ll do it again. Thanks, guys.
About Jaydeep Palkar
Jay is an experienced executive with a demonstrated history of working in the public accounting and Advisory services industry. Skilled in Analytics, CISA, Data Analysis, and Assurance. Strong Internal Controls and SOX Audit professional with an MBA focused in Finance from Bowling Green State University. Jay spent many years with Ernst & Young’s data compliance practice before joining Gap, Inc. as the Director of Governance.