By now, most IT managers are adequately familiar with the PCI Data Security Standard (PCI DSS) to know it is a requirement if they want to process credit cards. What frightens many of these managers is they are wading into this unfamiliar territory and are nervous about PCI likely consuming a significant amount of their staff’s time and department’s budget.
But even the most expensive PCI project still pales in comparison to the costs of even a single significant data breach. A single breach can cost millions of dollars to clean up and tens of millions of dollars in long-term costs.
TJX Companies, for example, is now the poster child for how to do things wrong when it comes to a breach. The company announced earlier this year that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems during an 18-month period. That theft is one of the largest reported customer data breaches to date.
The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. TJX also reported that it would continue incurring these types of costs related to the intrusion.
With a comprehensive and formal security program in place, which would support specific PCI requirements relevant to their business, chances are they would not be in the situation they are in now: facing myriad lawsuits. TJX violated numerous basic security guidelines and various PCI requirements, all of which had a direct financial impact on its earnings.
Understanding PCI Compliance
Businesses that process credit cards will fall into one of four PCI categories based on their annual processing volumes. The different levels maintain the same PCI DSS technical requirements but vary on proof of validation requirements:
Level 1: More than 6 million transactions annually across all channels, including e-commerce.
Requirement: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans.
Level 2: 1 million to just shy of 6 million transactions annually.
Requirement: Annual Self-Assessment and Quarterly Network Scans.
Level 3: 20,000 to 1 million e-commerce transactions annually.
Requirement: Annual Self-Assessment and Quarterly Network Scans.
Level 4: Fewer than 20,000 e-commerce transactions annually, and all merchants across channel up to 1 million Visa transactions annually.
Requirement: Annual Self-Assessment and Annual Network Scans.
The following are the 12 PCI DSS requirements:
- Install and maintain a firewall configuration to protect data. Note that there are no PCI-compliant firewalls. PCI Requirement 1.1 is intended to ensure that companies put a firewall configuration policy in place and also develop a configuration test methodology. A merchant must configure the firewall accordingly to protect cardholder data. Most firewalls can be configured for that need.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt transmission of cardholder data and sensitive information across public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
A quick review of these 12 requirements shows nothing close to being revolutionary. In fact, the PCI DSS is simply basic computer security.
The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799 or Information Technology Infrastructure Library) encompasses the assumptions, concepts, risk values and security practices underlying an organization’s information security infrastructure. Frameworks are invaluable because today’s enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations — the category PCI falls into — enable organizations to demonstrate compliance.
Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations such as Sarbanes-Oxley. Of course, an effective framework makes PCI compliance significantly easy to gain.
PCI Best Practices
This article doesn’t detail all the myriad best practices for PCI compliance. But executing the following steps will ensure your PCI project runs much smoother.
- Gap analysis
- Gap analysis is a natural starting point for any PCI endeavor.
- Determine whether each requirement is adequately addressed for every in-scope system.
- The PCI Self-Assessment Questionnaire from the PCI Security Standards Council should be completed. The SAQ is divided into six sections, each focusing on a specific area of security, based on the DSS requirements. After completing the SAQ, you should have a fairly good idea of which controls and tools are in place and which are not.
- Establish policies and procedures to limit the storage and retention time of PCI data.
- Data discovery
- Know exactly where all your relevant PCI data is.
- Identify all payment acceptance channels, data flows and locations where PCI data is stored.
- Create process for data encryption
- Far too many merchants send unencrypted credit card data via e-mail. Create a program for encrypting data.
- Don’t store track data
- Merchants are prohibited from storing track data. Track data is the information encoded within the magnetic strip on the back of a credit card, which is read by a point-of-sales (POS) system.
- Some POS systems have been collecting this information without the merchant knowing. Hackers find out what POS systems are storing this information and then target the retailers who use that particular system.
- Additionally, merchants have misunderstood what information they actually needed in order to process transactions.
- Most POS vendors with systems that capture and store that information have been scrambling to make sure they and their customers are making the appropriate adjustments to become PCI compliant.
- Unsecured wireless
- Merchants should not use unsecured wireless networks to transmit data.
- PCI training is a must. Not every staff member needs to be a PCI qualified security assessor (QSA). But they do need a formal training program on what they have to do to ensure they are handling credit card data in a manner that supports the PCI requirements.
- POS modification
- POS systems can be the Achilles heel of a PCI effort.
- Ensure that POS devices are not storing full card data, especially Card Validation Value/Code.
- The full 16-digit credit card number should never appear on any hard copy output.
- Physical security
- Ensure appropriate physical security of systems and associated peripherals. Verify no unauthorized physical access.
- Regularly review system security and audit logs.
PCI, like the fundamentals of information security, is simply focusing on attention to detail and risk management. By attending to those core elements, combined with best practices, you will significantly increase your ability to obtain PCI compliance.