Wednesday, August 27, 2008

PCI, PCI DSS 101

Here's a comprehensive article explaining the Payment Card Industry Security Standards Council requirements for protecting cardholder data. The article, written by Jeff Kress for NewsFactor.com, does a good job of putting PCI, a subject many consider confusing, into better perspective.

"Any firm that stores, processes or transmits credit card data should comply with security standards or risk great losses. Whether we buy goods online or in a store, credit card purchases are a way of life. Some may worry about transactions over the Internet, but they generally assume credit card data and related personal information with merchants are secure. But are they?

According to analysts, financial fraud surpassed all forms of computer losses in 2007. The most noted credit card loss was with TJX (parent company of HomeSense and Winners) in 2006. The security breach resulted in the loss of 45 million credit- and debit-card numbers. The TJX losses reportedly will exceed US$1 billion. The breach was due to inadequate security controls. In addition, TJX may have also lost customers' personal information such as drivers' license numbers. The problem is that TJX is not alone: many merchants have inadequate controls to protect credit card information.

To address financial fraud, major credit card companies created an organization, the Payment Card Industry Standards Council (PCI). Its goal was to set standards to enhance the security of credit card payment data. The result is the Payment Card Industry Data Security Standard (PCI DSS).

Merchants that store, process or transmit cardholder data must comply with the PCI standard. Reports indicate that larger-merchant compliance is improving. On January 22, 2008, Visa reported that as of the end of 2007, 77 percent of large merchants and 62 percent of medium-sized merchants were PCI compliant. These are big improvements compared with the previous year, when less than 20 percent of large and medium-sized merchants were deemed compliant. These two categories represent approximately two-thirds of Visa's transaction volume. However, smaller merchants and government agencies are slower in adhering to PCI requirements.

PCI requires merchants to verify compliance with the data security standard. A merchant's credit card transaction volume determines what compliance validation steps are followed. Larger merchants are required to have annual on-site audits and network scans performed quarterly by certified assessors. Smaller merchants may only be required to do self-assessments. The merchant levels differ between the credit card companies so one should refer to the merchant agreement for specific requirements. Although compliance validation requirements differ, all merchants that store, process or transmit cardholder data, regardless of size, are required to comply with all aspects of the PCI standard. Failure to do so may result in a merchant being fined and/or terminated from the processing services.

Not complying with PCI requirements can be costly. If a merchant's systems are breached, the merchant is responsible for all costs associated with inappropriately used credit cards. The merchant is also required to pay all costs associated with informing consumers, canceling outstanding credit cards, issuing new credit cards and forensic audit costs. Analysts have set the costs of credit card breaches at between $100 and $300 per credit card record. A breach can result in a loss of merchant reputation, lost customers or customer lawsuits. Credit card companies can also issue fines for noncompliance even if no breach is detected. To prevent such costs, merchants need to comply with the PCI standard.

PCI Standard's Objectives

Build and maintain a secure network: Most merchants think their credit card systems are secure. But in the context of PCI, what is a credit card system? The PCI standard considers any network, server or application connected to the systems that store, process or transmit to be the credit card systems. PCI compliance on such a large scale can be difficult to achieve. The solution is to set up the credit card systems so they are isolated from other merchant systems.

The PCI standard identifies two primary requirements for building and maintaining a secure network. The first is to install and maintain a firewall configuration to protect cardholder data. Firewalls must protect all credit card systems from external access. In addition, the PCI standard identifies the need to change vendor-supplied defaults for system passwords. Systems that have not changed default settings and vendor-installed passwords are common compliance violations.

Protect cardholder data: Keep cardholder data stored to a minimum. Stored credit card information needs to be protected using strong encryption standards. A common violation occurs when merchants store the magnetic stripe data from a credit card. The data contains all the information a criminal needs. Such information should never be stored. PCI information suggests that most merchants are unaware that their systems were storing the complete magnetic stripe data.

Maintain a vulnerability management program: It is important to protect systems against such threats as a computer virus. Also, follow appropriate processes for making changes to systems. Merchants that collect credit card information from e-commerce Web sites need strong security processes to develop and monitor the Web sites. Weaknesses include missing and outdated security patches. Also, Web applications often have weaknesses that are accessible by anyone on the Internet.

Implement strong access control measures: Limit access to cardholder information on a need-to-know basis. Bad practices such as group sharing of user accounts, not changing passwords regularly or not having minimum password standards are not acceptable. Other weaknesses include inadequate access controls due to improperly installed merchant point-of-sale equipment. While credit cards are typically stored on systems, the PCI standard requires strong physical controls in merchant facilities.

Regularly monitor and test networks: Merchants need to track and monitor all access to network resources and cardholder data. This requires logging and monitoring systems on a timely basis. All credit card systems need to be regularly tested. The requirements in the PCI standard are explicit and detailed. For example, perform vulnerability assessments at least quarterly or after any significant change to the network. Test credit card systems annually. This includes annual penetration testing on both the network and application layer. The standard also requires effective intrusion detection systems to alert staff to possible security breaches. A lack of effective monitoring is a weakness. Merchants often find it difficult to meet the PCI standard requirements for monitoring and testing their network. Segmenting the network to isolate the credit card systems will reduce the time and costs associated with meeting these requirements.

Maintain an information security policy: Merchants need a strong security policy that sets the tone for the whole company. Staff awareness processes need to ensure employees are aware of their responsibilities. Many security breaches are caused by staff who are unaware of their role in keeping the company's data secure.

So what happens if a merchant can't meet a specific PCI requirement? The standard allows merchants to implement compensating controls. Merchants need to show that the compensating control effectively mitigates the risk addressed by the PCI standard.

The PCI Data Security Standard sets security and monitoring requirements that far exceed some merchants' existing capabilities. Smaller merchants would like to have the standard reduced to reflect their size. However, for now, merchants that store, process or transmit cardholder data must comply with the standard.

There are many articles on PCI and the Data Security Standard. However, the best source for guidance and materials is the Payment Card Industry Security Standards Council Web site at: https://www.pcisecuritystandards.org/index.htm. Merchants should also refer to their respective merchant agreements for guidance.

A common misconception is that smaller vendors are not required to be PCI compliant. Some think not being compliant is OK as long as they continue to make progress. That's what credit card firms reportedly told TJX before it was breached. That did not prevent TJX from facing losses that could reach billions of dollars. So make sure you and your clients take steps to protect credit card data before harm occurs to your firm or clients' reputation, before customers are lost and before fines and litigation start."
