PCI Standard's Objectives
Build and maintain a secure network: Most merchants think their credit card systems are secure. But in the context of PCI, what is a credit card system? The PCI standard treats any network, server or application connected to the systems that store, process or transmit cardholder data as part of the credit card systems. Achieving PCI compliance across that large a scope can be difficult. The solution is to set up the credit card systems so that they are isolated from the merchant's other systems, which shrinks the scope to the segmented environment.
The PCI standard identifies two primary requirements for building and maintaining a secure network. The first is to install and maintain a firewall configuration that protects cardholder data: firewalls must restrict traffic between the credit card systems and any untrusted network, including the Internet and the merchant's own non-card networks. The second is to change vendor-supplied defaults for system passwords and other security parameters before a system goes into service. Systems still running with default settings and vendor-installed passwords are among the most common compliance violations.
Protect cardholder data: Keep the amount of cardholder data stored to a minimum, and protect whatever is stored using strong cryptography. A common violation occurs when merchants store the full magnetic stripe data from a card. That data contains everything a criminal needs to produce a counterfeit card, and the standard prohibits storing it (along with the card verification code and the PIN) after authorization, even in encrypted form. PCI guidance notes that most merchants are unaware that their systems are storing the complete magnetic stripe data, typically in point-of-sale debug logs, crash dumps or database tables.
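Because stripe data usually ends up in places nobody meant to keep it, the practical check is to scan logs, dumps and exports for the track layouts themselves. The following is an added example, not code from the article or from any PCI tool: it looks for Track 1 and Track 2 data in the ISO/IEC 7813 layout, filters false positives with the Luhn check that card numbers satisfy, and reports only a masked PAN so the scanner does not itself create a new copy of cardholder data. The sample log is constructed for this example and uses the public test numbers 4111111111111111 and 5500000000000004; the third line carries a digit run that is not a valid PAN, to show the Luhn filter at work.

```python
"""Scan text (log files, database dumps, crash files) for stored magnetic
stripe track data.  Added example; not part of PCI DSS or any vendor tool.

Layouts (ISO/IEC 7813):
  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
  Track 2: ;<PAN>=<YYMM><service code><discretionary>?
"""
import re

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^\n]{2,26})\^"
    r"(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?\n]*\??"
)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?\n]*\??"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that real card numbers satisfy; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report itself
    does not become a new store of full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> list:
    """Return one finding per track record whose PAN passes Luhn.

    Each finding carries the 1-based line number, the track type, the masked
    PAN, the expiry and the service code; never the full PAN or the name."""
    findings = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(text):
            pan = m.group("pan")
            if not luhn_valid(pan):
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({
                "track": track,
                "line": line_no,
                "pan": mask_pan(pan),
                "expiry": f"{m.group('mm')}/{m.group('yy')}",
                "service_code": m.group("svc"),
            })
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed sample of a POS debug log (not a real capture).  The PANs are
# the public test numbers 4111111111111111 and 5500000000000004; the last
# line is a digit run that fails the Luhn check and must not be reported.
SAMPLE_LOG = """\
2023-04-02 10:15:01 POS01 swipe ok
2023-04-02 10:15:01 POS01 raw=;4111111111111111=25121010000000000000?
2023-04-02 10:15:02 POS01 auth approved
2023-04-02 10:17:45 POS01 raw=%B5500000000000004^DOE/JOHN^2512101000000000000?
2023-04-02 10:18:00 POS01 raw=;1234567890123456=2512101000000000?
"""

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_LOG):
        print(f"line {f['line']}: track {f['track']} PAN {f['pan']} "
              f"exp {f['expiry']} service code {f['service_code']}")
```

Run against the sample it reports lines 2 and 4 and stays silent on line 5. In practice the same function is pointed at POS log directories, database exports and application crash dumps; a hit anywhere means the data must be purged and the code path that wrote it fixed, not merely encrypted, since storing full track data is prohibited outright.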
Maintain a vulnerability management program: Systems must be protected against malware, and changes to systems must follow a controlled change process. Merchants that collect credit card information through e-commerce Web sites need strong security processes for developing and monitoring those sites. Typical weaknesses include missing or outdated security patches and Web application flaws that anyone on the Internet can reach.
Implement strong access control measures: Limit access to cardholder information on a need-to-know basis. Practices such as sharing a single user account among a group, never rotating passwords, or having no minimum password standard are not acceptable. Other weaknesses include inadequate access controls caused by improperly installed merchant point-of-sale equipment. Although cardholder data typically lives on computer systems, the PCI standard also requires strong physical controls in merchant facilities, covering access to the systems themselves and to any media that holds cardholder data.
Regularly monitor and test networks: Merchants need to track and monitor all access to network resources and cardholder data, which requires logging and timely review of those logs. All credit card systems also need to be tested regularly, and the PCI requirements here are explicit and detailed: run vulnerability scans at least quarterly and after any significant change to the network, and perform penetration testing of both the network and application layers at least annually. The standard also requires effective intrusion detection to alert staff to possible security breaches. A lack of effective monitoring is a common weakness, and merchants often find these monitoring and testing requirements the hardest to meet. Segmenting the network to isolate the credit card systems reduces the number of systems in scope and so the time and cost of meeting them.
Maintain an information security policy: Merchants need a strong security policy that sets the tone for the whole company. Staff awareness processes need to ensure employees are aware of their responsibilities. Many security breaches are caused by staff who are unaware of their role in keeping the company's data secure.
So what happens if a merchant can't meet a specific PCI requirement? The standard allows merchants to implement compensating controls. Merchants need to document the control and show that it meets the intent of the original requirement and mitigates the same risk to a similar degree.
The PCI Data Security Standard sets security and monitoring requirements that far exceed some merchants' existing capabilities. Smaller merchants would like the standard scaled down to reflect their size. For now, however, every merchant that stores, processes or transmits cardholder data must comply with it.
There are many articles on PCI and the Data Security Standard. However, the best source for guidance and materials is the Payment Card Industry Security Standards Council Web site at: https://www.pcisecuritystandards.org/index.htm. Merchants should also refer to their respective merchant agreements for guidance.
A common misconception is that smaller merchants are not required to be PCI compliant. Others think that not being compliant is OK as long as they continue to make progress. That's what credit card firms reportedly told TJX before it was breached. That did not prevent TJX from facing losses that could reach billions of dollars. So make sure you and your clients take steps to protect credit card data before harm occurs to your firm's or your clients' reputation, before customers are lost and before fines and litigation start.