The pressure to comply with the Payment Card Industry Data Security Standard (PCI DSS) has been a rude wake-up call for thousands of companies that believed their networks were secure and safe from security breaches.
This standard is a set of network security requirements agreed upon by five of the major credit card companies in an attempt to stem the growth of credit card fraud around the world and to give a common interpretation of what security is all about. Its implementation has exposed serious security shortcomings, companies' failure to follow security best practice and a general lack of awareness of the security threats facing organisations today.
The statistics reveal a worrying increase in the level of identity theft and credit card fraud. According to the 2007 Computer Security Institute's (CSI) computer crime and security survey, the average annual losses suffered by a company to fraud shot up to $350,424 from $168,000 in 2005. So serious is the situation that for the first time in seven years, virus losses were overtaken by financial fraud.
The urgency to meet these requirements was spurred by TJX Companies Inc.'s loss of 45.7 million records containing customer personal account information over an 18-month period earlier this year. Although considered to be the biggest in US history, it is not the only one. According to the Privacy Rights Clearinghouse, between 1 January 2005 and 18 September 2007, more than 166 million records containing sensitive personal information were involved in security breaches.
Public attention may be focused on high-profile data losses, but hackers are increasingly targeting small, commercial websites as well. Although small businesses offer fewer total victims, they often present a softer target, either due to flaws in the ecommerce infrastructure being used, or due to over-reliance on outsourced website security or simply due to the false belief that their existing security set-up is adequate.
What is the PCI standard?
The PCI standard is not a knee-jerk reaction to an increase in security breaches but a studied approach to data security taken by each of the card companies. Before 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International each had a proprietary set of information security requirements that were often burdensome and repetitive for participants in multiple brand networks.
Seeing the need for greater cohesion and standardisation, these associations created a uniform set of information security requirements that became known as the PCI Data Security Standard (PCI DSS), governing all the payment channels: retail, mail orders, telephone orders and ecommerce.
The PCI standard is not rocket science and neither does it introduce any new, alien concepts that systems administrators should adopt; on the contrary it is an enforcement of practices that should already be in force on all corporate networks. Although PCI DSS was developed with the protection of cardholder data in mind, more than 98 per cent of the requirements apply to any company that needs to secure its network and its data.
Some of the PCI requirements may be open to interpretation, but it is a fact that the PCI DSS standard is one of the most robust and clear when compared to other compliance regulations such as Sarbanes-Oxley. PCI is the least ambiguous of the lot and the only standard that has gained universal approval.
PCI DSS comprises 12 requirements that are designed to:
- build and maintain a secure network;
- protect (cardholder) data in transit or at rest;
- maintain a vulnerability management programme;
- implement strong access control measures;
- regularly monitor and test your IT infrastructure;
- maintain an information security policy.
There are three stages that each and every merchant or provider must go through to become compliant. First, they are required to secure the collection of all log data and ensure that it is in tamper-proof storage and easily available for analysis. Second, companies must be in a position to prove they are compliant on the spot if they are audited and asked to present evidence that controls are in place for protecting data. Third, they must have systems in place, such as auto-alerting, which help administrators to constantly monitor access and usage of data.
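The first and third stages above, tamper-proof log storage and auto-alerting on data usage, as an added Python example that is not code from the article or from GFI Software: each log record carries an HMAC over its body and the previous record's tag, so any later edit, deletion or reordering is detected on verification, and a simple rule flags users who read unusually many cardholder records. The key, event format and alert threshold are constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed key for this example; a real deployment keeps it in an HSM/KMS, not on the log host.
LOG_KEY = b"constructed-example-key"
GENESIS = "0" * 64

class TamperEvidentLog:
    """Append-only log: each record's HMAC covers its body plus the previous record's tag,
    so editing, deleting or reordering any record invalidates every tag after it."""
    def __init__(self, key):
        self.key = key
        self.records = []

    def _tag(self, prev_tag, event):
        body = prev_tag + json.dumps(event, sort_keys=True)
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev_tag = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"event": event, "prev": prev_tag, "tag": self._tag(prev_tag, event)})

    def verify(self):
        """Return the index of the first record that fails the chain check, or -1 if intact."""
        prev_tag = GENESIS
        for i, rec in enumerate(self.records):
            ok = rec["prev"] == prev_tag and hmac.compare_digest(rec["tag"], self._tag(prev_tag, rec["event"]))
            if not ok:
                return i
            prev_tag = rec["tag"]
        return -1

def bulk_access_alerts(log, threshold):
    """Auto-alert: users whose cardholder-record reads exceed `threshold` in the log."""
    counts = {}
    for rec in log.records:
        ev = rec["event"]
        if ev.get("action") == "read_card":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > threshold)

def demo():
    log = TamperEvidentLog(LOG_KEY)
    for i in range(5):  # constructed sample events
        log.append({"user": "batch_svc", "action": "read_card", "pan_id": i})
    log.append({"user": "alice", "action": "read_card", "pan_id": 99})
    intact, alerts = log.verify(), bulk_access_alerts(log, 3)
    del log.records[2]  # a record silently removed after the fact
    return intact, alerts, log.verify()
```

In a real deployment the verification and alerting would run on a separate, write-once collector rather than on the host that generates the events, so that a compromised host cannot also rewrite its own audit trail.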
Success or failure?
For over two years, credit card companies have been encouraging retailers to comply with the strict set of 12 requirements that are aimed at securing cardholder data that is processed or stored by them. With two deadlines looming for large merchants - 30 September and 31 December 2007 for Level 1 and Level 2 US merchants respectively - many companies will not be ready in time.
Most companies, especially in the SMB market, want to become compliant but they are still struggling to introduce basic security practices let alone implement all the systems needed to become compliant. The most recent compliance statistics from Visa indicate an improvement but they are far off the targets that Visa and the other card companies had hoped for.
The low compliance rate - still under 50 per cent - is possibly due to four reasons. First, some companies have taken a very laid-back approach to the issue, realising only recently that the credit card companies mean business. Now, they are rushing to comply by the deadline, suddenly aware that they have a massive task ahead of them.
Second, many small and medium-sized companies do not have the resources or the finances to invest in more personnel or a technology solution to meet the PCI requirements. Third, some retailers have complained that the standard does not distinguish between retailers on the basis of their size. Fourth, there is a greater need for awareness and education among merchants - and this applies across the board.
Merchants that fail to become compliant face hefty fines, possible law suits and loss of business and credibility. The consequences can be serious because, apart from card companies imposing fines on member banking institutions, acquiring banks may in turn contractually oblige merchants to indemnify and reimburse them for such fines. Fines could go up to $500,000 per incident if data is compromised and merchants are found to be non-compliant. In a worst-case scenario, merchants could also risk losing the ability to process customers' credit card transactions.
Furthermore, businesses from which cardholder data has been compromised are obliged to notify legal authorities and are expected to offer free credit-protection services to those potentially affected. That said, Visa and the other credit card companies have eased the pressure on merchants; they still insist on compliance but they will not impose sanctions if they see a company on the right track to becoming compliant. The card companies have also acknowledged that there are other issues that merchants must address, such as economies of scale and lack of resources.
Lesson to be learnt
Achieving compliance with the PCI Data Security Standard should be high on the agenda of organisations that carry out business transactions involving the use of credit cards. Implementing software tools for log management, vulnerability management, security scanning and endpoint security will go a long way towards helping you achieve compliance. However, a PCI stamp of approval is not the end of the story.
PCI compliance is but the beginning of a continuous process that requires regular monitoring of the security health of the merchant's network. PCI DSS is not a one-off certification that stops with the Qualified Security Assessor (QSA) confirming you are compliant, as some merchants may think. Becoming PCI-compliant means that you have reached an acceptable level of security on your network, but it does not mean that from then onwards your network is secure and cannot be breached. Maintaining PCI DSS compliance status is just as important, if not more so.
PCI DSS compliance is a long-term journey, not a destination. And this is something that all merchants need to understand irrespective of size or business. Granted it is a cost of doing business. Yet the cost of compliance is a lot lower than having to pay $500,000 in fines and losing your goodwill and credibility if your network is breached.
Andre Muscat is director of engineering at GFI Software.