August 14, 2009
Vol.31 Issue 21
Page(s) 32 in print issue
A PCI DSS Primer
Understand & Meet Compliance Requirements
Because of their widespread use, credit card numbers are a primary target for data thieves, so securing credit card data is a critical task. The PCI DSS (Payment Card Industry Data Security Standard) is designed to provide for better security management, policies, and procedures within the payment card industry. Businesses that process payment card transactions have obligations under this industry standard.
• PCI DSS is a security compliance framework for the payment card industry that ensures cardholder data is handled consistently across merchants and processors.
• PCI DSS affects retailers, along with any other kind of institution that stores, processes, or transmits customers' payment card data.
• Merchants must be compliant with their level on the PCI DSS requirements scale, which is based on the number of annual transactions.
What Is The PCI DSS?
The PCI DSS, according to the Security Standards Council Web site, is a “set of comprehensive requirements for enhancing payment account data security.” Credit card companies such as American Express, Discover Financial Services, MasterCard Worldwide, Visa, and JCB had a hand in developing this standard, with the goal of helping “facilitate the broad adoption of consistent data security measures on a global basis.”
Sheldon Malm, senior director for security strategy at Rapid7 (www.rapid7.com), a developer of vulnerability management and compliance solutions, says PCI DSS outlines 12 prescriptive security requirements spanning six control areas mandated by the payment card brands. These requirements run the gamut from installing and maintaining firewalls to monitoring and testing network resources, security systems, and processes.
Jon Callas, CTO/CSO at PGP (www.pgp.com), says PCI DSS requirements are important because they let businesses act in reasonably uniform ways. In other words, PCI DSS requirements add the consistency across all enterprises to ensure payment card security is handled in the same manner.
Rapid7’s Malm says PCI DSS mitigates risks associated with security compromises and helps maintain consumer confidence in the use of credit cards. After all, the last thing the credit card industry wants to see is a drastic decrease in card use because of a loss of confidence in security.
James Hurley, senior research manager at Symantec (www.symantec.com), says recent research from the IT Policy Compliance Group reveals that almost all the firms with the lowest rates of customer data loss or theft, fewest hours of business downtime because of IT disruptions and failures, and the fewest deficiencies to correct from audits have adopted PCI DSS.
Who Must Comply
Fabian J. Oliva, global PCI competency leader at IBM’s Internet Security Systems division, says PCI DSS compliance is required by all entities that store, transmit, and/or process cardholder data. So, adds Oliva, these requirements apply to anyone who touches cardholder data, including retailers, online merchants, healthcare institutions, universities, and banks.
At first glance, it might seem that PCI DSS compliance requirements are the exclusive province of traditional retailers. But, says Ben Goodman, marketing solutions manager at Novell’s Compliance Management division (www.novell.com), PCI DSS compliance has a much wider scope. Educational groups, hospitals, governments, and the like all presently accept credit cards, so these organizations must also comply with the requirements of PCI DSS, he adds.
“The reality is, PCI is extremely far reaching and it is becoming increasingly relevant in virtually all vertical markets,” Goodman says.
Complying With PCI DSS
Essentially, says IBM’s Oliva, achieving compliance with PCI DSS involves complying with 12 high-level requirements that in turn contain specific subrequirements related to each area. Organizations that have mature and robust information security programs will need to implement and modify security controls, policies, and standards to specifically address the requirements.
But for most organizations, he adds, attaining PCI compliance may entail a deeper level of investment and fundamental changes to many areas within their business, from the processes utilized for software development to human resources, systems management, security monitoring, and others.
In general, compliance with PCI DSS is a four-step process, say Brian Monkman, firewall program manager, and Al Potter, senior consulting analyst, at ICSA Labs (www.icsa.net). First, companies must complete the report of compliance in accordance with the instructions in PCI DSS 1.2. Then organizations must provide evidence of passing a vulnerability scan performed by a PCI Security Standards Council-approved scanning vendor. Once that is done, organizations should complete the attestation of compliance found in the PCI DSS 1.2 appendix, and then submit all of these along with any other requested documentation to the acquirer (whoever set the entity up to process payment cards) or to the payment brand, say Monkman and Potter.
Rapid7’s Malm says merchants must be compliant with their level on the PCI DSS requirements scale, which is based on the number of annual transactions. No matter what the level, adds Malm, merchants must use a PCI ASV (Approved Scanning Vendor) to conduct quarterly vulnerability scans for all network systems involved in the transmission, processing, or storage of cardholder data. Merchants, he adds, must achieve and report compliance status from quarterly vulnerability scans conducted by a PCI ASV. If any quarterly scans result in noncompliance, the merchant must remediate the noncompliant components until compliance is achieved and reported, adds Malm. Merchants also must complete a security self-assessment questionnaire outlining security and compliance posture across the 12 PCI DSS requirements.
Problems With PCI DSS?
Philip Lieberman, president and CEO of Lieberman Software (www.liebsoft.com), says PCI DSS is a good idea that has improved the overall security of credit card payment handlers, but it has some serious flaws.
For example, says Lieberman, PCI DSS has a “point in time” audit philosophy. Those on the front lines of payment processing, he adds, implement a continuous auditing process where the principles of PCI DSS are verified on a daily or continuous basis.
Also, says Lieberman, the PCI DSS specs only address the lowest level of threats affecting most merchants connected to the Internet. But, he warns, large institutions with large daily transaction numbers represent a juicy target for criminals that incentivize them to develop more sophisticated threats, such as social engineering attacks, that are not addressed by PCI DSS.
Lieberman also takes issue with the manner in which the credit card industry handles data breaches and the financial penalties that can be levied against merchants victimized by breaches.
“In essence,” he says, “we believe it is unfair to penalize merchants for data breaches when the merchant has taken reasonable steps to protect themselves and the interests of credit grantors and processors.”
Even though PCI DSS is a good step, says Lieberman, the solution to the problem is a general upgrade of the credit card processing network to put it on a technological footing similar to what is implemented in the European Union. Namely, he adds, banks and processors need to immediately issue smart cards, PIN generators, and other technological solutions that positively verify the physical possession of credit cards.
“The current AVS (Address Verification System) and CVV (Card Verification Value) system has been broken for a long time and only a technological upgrade will solve the problem,” he says. Even though PCI DSS should be implemented in any case, the specifications do not address the fact that static AVS and CVV information is the fatal Achilles heel of the current credit card processing system.
Regardless of the technological status of current credit card processing systems, the fact remains that enterprises that handle credit card information must comply with the PCI DSS. This is not only a requirement of doing business but is also a sensible step. After all, says Symantec’s Hurley, “No one wants a data breach incident where your CIO is on CNN explaining why millions of customers had their data breached.” If customers don’t trust a company with their credit card information, warns Hurley, a substantial part of that company’s business will dry up.
by Sixto Ortiz Jr.
PCI DSS Requirements In A Nutshell
Build & Maintain A Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain A Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor & Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain An Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
SOURCE: “ABOUT THE PCI DATA SECURITY STANDARD (PCI DSS),” HTTPS://WWW.PCISECURITYSTANDARDS.ORG/SECURITY_STANDARDS/PCI_DSS.SHTML
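Requirement 3 is the one most often failed in practice because card numbers end up in places nobody intended (application logs, debug dumps, support tickets). The following is an added example, not code from the article or from any vendor quoted in it, showing the two building blocks of a simple stored-PAN discovery and masking tool: the Luhn mod-10 check that every payment card number passes, and the display-masking rule of PCI DSS Requirement 3.3 (show at most the first six and last four digits). The regular expression, the function names, and the sample log lines are my own assumptions; the card numbers in the sample are the public test PANs the card brands publish for sandbox use, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other digits (assumed pattern, not from the standard).
PAN_RE = re.compile(r'(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major payment card numbers.

    Walking from the rightmost digit, every second digit is doubled and
    reduced by 9 if the result exceeds 9; the number is valid when the
    sum of all digits is divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits at most
    (PCI DSS 1.2 Requirement 3.3); everything in between becomes '*'."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the digit-only PANs in text that pass the Luhn check.

    Order numbers and other long digit strings usually fail Luhn, which is
    what keeps this from flagging every 16-digit identifier as a card."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Separators inside the original number are dropped in the masked output;
    digit strings that fail Luhn are left untouched."""
    def _sub(m):
        digits = re.sub(r'[ -]', '', m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


def scan_log(text: str) -> list:
    """Return (line_number, masked_pan) for every PAN found, line by line,
    so a finding can be reported without re-logging the full number."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample application log (not from the article). The PANs are the
# published Visa, MasterCard, and American Express test numbers; the 16-digit
# order numbers are chosen so that they fail the Luhn check.
SAMPLE_LOG = """\
2009-08-14 10:01:02 checkout order=1234567890123456 pan=4111111111111111 amount=19.99
2009-08-14 10:01:05 checkout order=1234567890123457 pan=5555 5555 5555 4444 amount=42.00
2009-08-14 10:02:11 refund pan=378282246310005 amount=-5.00
2009-08-14 10:03:00 health check ok
"""

if __name__ == '__main__':
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f'line {line_no}: unprotected PAN {masked}')
    print(redact(SAMPLE_LOG))
```

Running the block reports three findings (lines 1, 2, and 3) and prints the log with the card numbers masked while the order numbers are left intact. In a real deployment the same two functions would be run over log archives, database exports, and backups as part of the cardholder-data discovery that precedes scoping; the Luhn filter cuts false positives sharply but is not proof a string is a card number, so findings still need a human look.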