Credit card security: PCI facts and fiction
Content provided by IBM-ForwardView eMagazine.
Regardless of size or industry, all companies that accept credit cards must adhere to the safeguards mandated by the Payment Card Industry Data Security Standard—referred to as the PCI DSS. While most companies are aware of PCI, many are unsure what it means for their businesses. In addition, companies that use a third party for clearing and remittance often incorrectly assume that PCI compliance does not apply to them.
"Some businesses haven't heard of PCI until they get the dreaded letter from their acquirer saying they have to be compliant with all of the requirements," says David Mundhenk, Senior Security Consultant for IBM's Internet Security Systems division.
So, what are the risks of noncompliance? Beyond exposing your customers to fraud or identity theft, your business can be held responsible for the credit card company's losses. In the event of a security breach or lack of PCI compliance, credit card institutions can assess your company higher credit card processing fees and levy fines of up to $500,000—or even bar your company from processing any credit card transactions at all. Keep in mind that this applies to all companies that accept payment by plastic—even if they don't store any related data.
PCI compliance and certification don't have to be a mystery. Armed with a little information about the 12 data security standard requirements, your company can start moving down the road to PCI compliance certification and avoid liability.
The digital dozen: Compliance requirements
"A lot of the small- and medium-size businesses are under the impression that they can essentially fill out a self-assessment questionnaire and that gets them off the hook," says Mundhenk. "But essentially they may be required—like any other business—to be compliant with what's known as the PCI Report on Compliance security audit procedures, which is 70 to 80 pages."
Sometimes confusion about compliance stems from not understanding the roles and responsibilities of key players in the financial industry, including issuers, remittance processors, acquirers and payment processors. What's important to note is that even if a third party performs many credit card security and processing functions, proof of PCI compliance—which is also called "validation" in the industry—is your responsibility.
Acquirer audits, which can be carried out at any time, cover the 12 areas of mandatory compliance frequently called the "digital dozen." The failure rate for PCI certification audits is high; according to recent research by VeriSign in "Lessons Learned: Top Reasons for PCI Audit Failures and How to Avoid Them," fewer than 30 percent of companies pass these examinations on the first try.
Answer these six questions: Understand all 12 PCI requirements
How well would your company do in a PCI compliance audit? The six questions below cover all 12 PCI certification requirements and may help you form a compliance plan of action.
1. Have you built and maintained a secure network?
PCI certification calls for specific measures to secure networks. PCI Requirement 1 mandates the installation and maintenance of standardized firewall configurations to protect data. According to VeriSign, 66% of companies do not meet this condition. Some security appliances can help by supplying regular antivirus and intrusion-signature updates, along with features for reviewing audit logs and backup media.
Having these capabilities in place, however, is just the first step to a secure network. Consider PCI Requirement 2: Not using vendor-supplied defaults for system passwords and other security parameters. According to VeriSign, 62% of companies are unable to say this is the case. Meeting this requirement calls for frequent password changes, configuration reviews and a close look at user accounts on a regular basis.
2. Do you protect cardholder data?
Losing customer trust will most likely result in lost business, making PCI Requirement 3 important for more than compliance purposes. PCI Requirement 3 calls for the protection of stored data, but as the VeriSign paper notes, the first-time audit failure rate is 79%.
According to Mundhenk, companies find PCI Requirement 3 difficult to attain because security experience is not always available in-house. "The standard does a really good job of saying you have to do certain things, but it really doesn't tell you . . . how to do those things," he says. Still, most companies are able to comply with PCI Requirement 4: Encrypt the transmission of cardholder and sensitive information across public networks.
3. Do you maintain a vulnerability management program?
Most companies meet the stipulations of PCI Requirement 5: Use and regularly update antivirus software or programs. Again, comprehensive security appliances are a good start, but they must be used in conjunction with significant security administration oversight.
However, PCI Requirement 6—developing and maintaining secure systems and applications—is usually harder to meet. VeriSign says that 56% of companies fail in this area. Blame the way transaction data moves through different application formats and systems. In these mixed environments, Mundhenk notes, anything even remotely likely to touch credit card transactions must be made PCI-compliant—or separated completely from systems that accept, process and store credit card information.
4. Do you implement strong access control measures?
Not everyone in your business needs access to transaction information. Most companies do fairly well in meeting the stipulations of PCI Requirement 7, which calls for restricting access to data on a need-to-know basis. The real challenge is to do it across all aspects of a highly distributed and diversified IT environment, especially when it contains both PCI and non-PCI systems with little or no separation between the two.
The same can't be said for PCI Requirement 8, which mandates that companies assign a unique ID to each person with computer access. In this area, VeriSign says the failure rate is 71%. Fixing this problem will help you understand the flow of confidential data and give you the ability to document the ways that credit card information moves through your organization. It is also an absolute requirement to support incident forensics to determine the who, as well as the what, how, where and when of a perceived compromise.
Credit card information can also be captured physically, such as at the point of sale in a retail environment. PCI Requirement 9 covers potential problems here by stipulating that companies restrict physical access to cardholder data. Failure rate for this requirement? VeriSign says it's 59%.
5. Do you regularly monitor and test networks?
Mundhenk says that SMBs must be able to identify the source of any potential security breach. "They're going to have to enhance their ability to be able to put together the who, what, where, how and when in the advent of an unfortunate incident," he says.
That's easier said than done. According to VeriSign, 71% of companies fail PCI Requirement 10, which calls for the ability to track and monitor all access to network resources and cardholder data.
Most companies also do poorly with PCI Requirement 11: Regularly test security systems and processes. Failure rate here is 74%, says VeriSign. That makes regular vulnerability scans and penetration testing essential, Mundhenk says.
6. Do you maintain an information security policy?
The myriad details of a security policy can be a real sticking point for many SMBs attempting to become PCI-compliant. That's why most companies—VeriSign says 60%—fail PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors.
"It doesn't matter if you're a big company, a medium-size company, a small company; some of the requirements are fairly intensive and involve quite a bit of administrative overhead," Mundhenk says about the importance of having an information security policy in place.
PCI Compliance comes with a big silver lining
Sound daunting? There's actually a lot of good news for SMBs that become PCI-compliant. For example, the degree of PCI compliance complexity depends on the number and kinds of transactions a business processes annually. But few businesses are aware of where they stand, says Mundhenk. "Hire a subject matter expert to come in, review your environment and associated technical resources, and also interview your personnel," he says.
True, PCI compliance requires both time and resources further down the road, which is why many smaller businesses lean on outside expertise. "They don't typically have all the staffing required to actually meet some of the more intensive security administration functions," Mundhenk observes of many smaller businesses. Vendors to consider, he says, should be able to take care of all aspects of PCI compliance—which includes assessments, system design, deployment and comprehensive security policy development.
But when compliance is achieved, Mundhenk says the hard part is over. "Once a business actually is compliant, then it's a lot easier to maintain compliance than it is to try to make that big giant step to begin with," Mundhenk says. "It's a fairly straightforward process once you get compliant."
And with PCI compliance in place, SMBs can concentrate on the transactions they do best: Transacting business.
Content copyrighted by IBM Corporation.