Improving PCI Compliance in Banking with AI – Two Use Cases
Payment Card Industry (PCI) compliance is a rite of passage for emerging businesses, or at least a compelling marketing narrative for those who take the initiative to achieve certification before partners, future deals and business circumstances demand it.
As many SaaS leaders find after going to market or a few years after initial investment, PCI compliance is an indelible mark of credibility for a young business in an evolving marketplace. As financial institutions are looking to secure greater market share amid global uncertainty and an AI-fueled startup market, improving customer experiences in their every interaction appears to be the foremost battleground of their survival.
Few points of sale ensure convenience, peace of mind and the commonplace security of credit card information. That makes cardholder data (CHD) essential for traditional financial institutions to maintain the upper hand in facilitating everyday use.
As with credit card fraud, AI technologies have wide applicability in PCI compliance areas to drive down institutional costs for FIs, streamline associated workflows, and provide enhanced customer experiences.
This article will cover AI capabilities in streamlining and facilitating PCI compliance for financial institutions and relevant use cases in the following sections:
- A summary of PCI compliance requirements and AI applications: Investment in AI solutions for PCI compliance is driven by the dual cost to enterprises for non-compliance and applicability of PCI Data Security Standards (PCI DSS) to three distinct AI capabilities.
- Use-case #1: Automating surveillance for illicit behaviors in payment card activity: Training models to automatically detect whether payment card data is not compliant with PCI security requirements.
- Use-case #2: Mining and classifying CHD: Using robotic process automation (RPA) to provide optimal enterprise search capabilities for older, “sprawled” data stacks to streamline classification workflows based on PCI security requirement presets.
We will begin by summarizing the applicability of these technologies in helping companies abide by PCI security standards.
PCI Compliance Requirements and AI Capabilities
The PCI Security Standards Council decides on standards and holds stakeholders accountable for ensuring data for payment cards is uniform and of the highest quality.
The latest version (4.0) of the PCI DSS was released in March. There are twelve PCI Data Security Standards (PCI DSS) requirements that essentially embody six distinct objectives, two of which speak to direct AI application:
- Routine monitoring and testing of security networks for vulnerabilities
- Maintenance of information security policy
AI capabilities in machine learning and data analytics, along with AI-adjacent technologies in RPA, are all remarkably well suited for monitoring, testing, and maintenance workflows. AI investment also usually follows where data is already being collected – a specialty of particularly older FIs dealing in CHD with legacy data stacks and systems to match.
A significant driver of this investment is that AI technologies are proven to reduce the internal costs associated with PCI compliance. However, internal costs are hardly the only expenditure related to PCI compliance.
First, PCI security is an enormous concern across the financial services sector, as data breaches represent the foremost challenge in the industry. They end in devastating media blowback that is not restricted to credit companies but extends to retailers and other interacting financial institutions.
The public nature of payment cards and credit, and their proximity to individual purchasing power across digital and brick-and-mortar markets, account for a level of risk that calls for industry security standards as ubiquitous and trusted as those in PCI.
There is also a substantial price paid for non-compliance in the form of government penalties and fees passed down from acquiring banks, which directly impact the bottom lines for card companies and merchants.
The dual and particularly costly nature of PCI non-compliance and the broad applicability of AI capabilities in achieving PCI DSS certification drive AI investment in PCI compliance in the financial services space. Two use cases, in particular, best exemplify how FIs can achieve PCI compliance with the help of mature AI projects and vendors.
Use Case #1: Automating Surveillance for Illicit Behaviors in Payment Card Activity
AI capabilities in 2022 have broad applicability across digital systems involved in ensuring payment card security, particularly regarding sensor-based detection of vulnerabilities in digital networks.
In perhaps its most observed practice, AI has been at the forefront of ensuring that credit card customer behavior is traced for fraud detection for much of the last decade.
AI applications are well-suited for regulatory and compliance tasks, particularly for their ability to minimize repetitive workflows and maximize human judgment and attention on the most complex decisions.
These workflows are also present in sectors like financial services that harbor regulatory pressures, high penalties, and equally high reputational risk for large and medium-sized firms forced to play defensive roles by default.
Machine learning is especially effective in training models that detect deviant behavior from datasets, especially around rules-based activities like compliance with specific regulatory codes.
Vendor Example: Nightfall.AI
Nightfall.AI is a cloud-native data security provider that leverages AI capabilities to ensure clients’ information is kept safe from data breaches. According to its profile on Crunchbase, Nightfall has accrued over $60 million in funding since its founding in 2018.
According to company promotional information, the protections they provide are detector functions of their platform that are trained with machine learning to achieve compliance with various regulations like PCI DSS and HIPAA.
Nightfall claims to train detectors with machine learning “to recognize many potential permutations of sensitive data tokens, and also to recognize and assess the surrounding context.”
Below is a brief video featuring how the detector works in the broader scope of the Nightfall dashboard at roughly the 1:50 mark and runs for about a minute:
On Nightfall’s website, the company presents a step-by-step process of creating detection rules, using credit card information as principal examples. Each of these steps in the example suggests the Nightfall platform can intake the following data points to inform its machine-trained detector feature:
- Clients’ CHD
- A confidence classification given by the payment card employee, featuring the following levels of risk they can assess:
  - Possible (40-60% confidence)
  - Likely (60-80% confidence)
  - Very Likely (>80% confidence)
- A minimum number of findings “per message” required to trigger a violation, so as to decrease false positives.
Here, Nightfall’s website describes how client employees should score confidence classifications to minimize false positives. It features the following table to help client employees ascribe accuracy, sensitivity, and specificity to the data points they provide:
Ostensibly, a company can customize a PCI compliance detector for themselves with these available functions on the platform. Nightfall’s website also features a basic summary of their platform’s built-in PCI compliance detection features.
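The rule inputs listed above (a minimum confidence level and a minimum number of findings per message) can be illustrated with a small rule-based scanner. This is an added example, not Nightfall's code or model: the regular expression, context keywords, score weights and function names are all assumptions chosen only so that scores land in the three confidence bands.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed context vocabulary; a real rule set would be tuned per data source.
CONTEXT_RE = re.compile(r"\b(?:card|visa|mastercard|amex|pan|cvv|exp)\b", re.I)
ORDER = ["POSSIBLE", "LIKELY", "VERY_LIKELY"]

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def score(message, m):
    """Assumed heuristic weights, chosen only to land in the page's bands."""
    digits = re.sub(r"\D", "", m.group())
    if not luhn_ok(digits):
        return 0
    conf = 50                                   # checksum passes
    if digits[0] in "3456":                     # first digit used by major brands
        conf += 15
    window = message[max(0, m.start() - 40):m.end() + 40]
    if CONTEXT_RE.search(window):               # card-related words nearby
        conf += 20
    return conf

def level_for(conf):
    """Map a score to the bands: 40-60, 60-80, >80."""
    if conf > 80:
        return "VERY_LIKELY"
    if conf >= 60:
        return "LIKELY"
    return "POSSIBLE" if conf >= 40 else None

def scan(message, min_level="LIKELY", min_findings=1):
    """Flag a violation when enough findings reach the minimum level."""
    findings = []
    for m in PAN_RE.finditer(message):
        level = level_for(score(message, m))
        if level and ORDER.index(level) >= ORDER.index(min_level):
            digits = re.sub(r"\D", "", m.group())
            findings.append((level, "*" * (len(digits) - 4) + digits[-4:]))
    return {"violation": len(findings) >= min_findings, "findings": findings}

# Constructed sample message using a well-known test number, not a real card.
print(scan("Customer paid with Visa card 4111 1111 1111 1111, exp 12/29"))
```

Raising `min_level` or `min_findings` trades missed detections for fewer false positives: a checksum-valid tracking number with no card context only reaches the lowest band and is ignored at the default setting.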
The only case study on Nightfall’s website featuring PCI compliance comes from their partnership with Flatfile, a customizable data onboarding platform.
According to the case study report, Flatfile integrated the Nightfall platform into their SaaS environments to protect their customers’ personal identity information (PII) and maintain compliance with level one PCI and other regulatory standards.
Head of Infrastructure at Flatfile, Robert Trencheny, is quoted in the case study report attesting to Nightfall integrations assisting with their workflows. “Before Nightfall, I would get almost 200 [data loss prevention] alerts from Google a week, and most were false positives,” says Robbie. “Now with Nightfall, I only get alerts for things we’re actually looking for to protect PII. We no longer have to individually configure the rule sets across different platforms.”
The Flatfile case study does not explicitly list concrete business results for their platform’s PCI compliance detection capacities. However, those listed in the case study report for their partnership providing HIPAA compliance detection for Galileo Health give some clues as to how compliance workflow changes can bring about measurable benefits:
- Galileo initially attached Nightfall data loss prevention (DLP) and compliance detectors on their company-wide Slack and GitHub systems.
- The case study describes similar pre-automation workflows typical of compliance activities, including those for PCI standards (i.e., employees spending “countless hours monitoring Galileo’s GitHub repositories” and risking “leaks of sensitive information in between pull requests.”)
Head of Security and Compliance at Galileo, Michael Supon, describes a nearly autonomous process provided by Nightfall’s HIPAA violation detection. However, the only hard numerical figure for savings reported by Supon is the potential cost of a severe alert on data that hasn’t yet occurred at Galileo: “$430 per patient record if there ever was one,” notes Supon.
Given the recorded 55,000 downloads of the Galileo app, the partnership secures Galileo against a potential risk of over $23.6 million, not to mention the reputational damage of just one data loss incident.
Use Case #2: Mining and Classifying Card Data
For many enterprises – particularly those large, legacy institutions with siloed departments, processes and decentralized data sources – all-in-one monitoring solutions, as described in the use case above, are impractical.
These institutions are not early startups like Galileo Health, which was founded in 2018 and owns an equally young, structured tech stack. In other words, these older institutions:
- Have older, legacy data systems and tech stacks
- Are accustomed to meeting PCI DSS standards already
- Need help maintaining their certifications and keeping up as requirements change with technological advances
A second category of AI solutions for improving PCI compliance is tailored to these institutions and their challenges. Instead of monitoring services that detect non-compliance incidents as they happen, these vendors provide robotic process automation (RPA)-based data mining tools that verify and maintain whether legacy FI systems are already PCI DSS compliant.
Often these tools are referred to as “data discovery” – a relatively new term that, in concept, was synonymous with data mining before the age of AI and remained so up until a widely circulated report from Gartner coined the term “smart data discovery” in 2015. That report defines smart data discovery as “a next-generation data discovery capability that provides business users or citizen data scientists with insights from advanced analytics.”
Vendor Example: Securiti AI
Among vendors assisting companies in the PCI DSS certification process is Securiti AI, which secured over $150 million in funding to get 1,000 employees to align client data collection processes with regulatory regimes like the PCI DSS.
Securiti AI’s value proposition hinges on offering larger, legacy enterprises consummate data discovery capabilities that, the company argues in blog posts, can account for CHD spread across structured and unstructured data sources.
As the post explains, assurance of PCI DSS compliance “is only possible when the merchant or the service provider knows where CHD resides in its systems, and this is especially a problem due to data sprawl” – a particular problem for older, larger FIs.
According to the company’s promotional materials, Securiti AI provides clients with an “AI-powered robotic data discovery tool” called Asset and Data Discovery to scan data within their systems and classify:
- Whether it falls within the definition of CHD or not
- Which data is more sensitive than the rest
A three-minute video from Securiti AI on “sensitive data intelligence” (Securiti’s positioning language, based on data discovery, that the company began using in marketing materials starting last year) explains the value proposition of their Asset and Data Discovery tool:
Elsewhere, Securiti AI claims their Asset and Data Discovery platform can provide organizations with the following capabilities for PCI compliance:
- Locate, classify, and centralize CHD.
- Streamline CHD search using native data connectors.
- Remove false positives based on detecting contextual inferences.
- Identify authentication and non-authentication data.
- Link data to relevant cardholders for breach notification, consent management, and other privacy obligations.
- Assess the security posture of CHD to recommend security measures.
- Govern access control to cardholders’ data from a single dashboard.
CHD, as defined by the PCI Security Standards Council, always includes the following:
- The customer’s primary account number (PAN)
And can optionally include the following data points:
- Cardholder name
- Card expiration date
- Service code
Through a payment card company’s configuration with over 1,000 compatible management databases (CMDBs) and cloud providers, Securiti AI claims its Asset and Data Discovery solution centralizes CHD mining efforts in a single dashboard.
Despite Securiti being the most well-funded solution in this use case category, no case study documentation on its website describes any success stories specific to PCI compliance that name specific companies, let alone concrete business results.
Earlier this year, Gartner named Securiti among a list of five ‘Cool Vendors in Data Security.’