The requirements consist of six major security controls categories. They are:
1. Build and maintain a secure network by using a firewall and eliminating vendor supplied passwords.
2. Protect cardholder data by protecting stored credit card data thru encryption and data retention policies.
3. Maintain a vulnerability management program by use of anti-virus software and security development of systems and applications including the use of change control.
4. Implement strong access control measures by restricting logical and physical access to cardholder data.
5. Regularly monitor and test networks by use of logging tools, intrusion detection, file-integrity monitoring tools and regular penetration testing.
6. Maintain an information security policy by having a formal corporate policy that addresses information security.
These requirements address enterprise security for payment card processing and are currently managed by the PCI-DSS Security Council, a consortium made up of representatives from the major payment cards. The standard can be found at the council’s website, www.pcisecuritystandards.org.
A quick glance at the security standard will reveal that it covers everything from physical security to wireless security and all potential methods of compromise of card data. A quick review of news stories on the same topics indicates that each of these areas have been methods of successful compromises in the past.
Even though at first glance this may appear to be an overbearing list of requirements, many firms find that their current practices are close to being inline with the regulations. Though if it is otherwise, there are plenty of firms out there that can provide direction in order to come into compliance.
The goal of PCI-DSS was targeted to provide a safer environment for online payment card processing, though of course the underlying goal was to encourage more online credit card usage by instilling confidence to the consumer over the security/safety of online payments.
One of the obvious drivers was the growing fraud in online processing.
Following the old adage “Why rob the bank? Because that’s where the money is,” it was soon recognized that the growth of online payments was a treasure trove of financial information, that initially wasn’t always treated with the security it deserved, and soon became an easy target for online hacking. One site even emerged just to count the number of instances and records of known compromises of both online and physical data leakage PrivacyRights.org.
What was seen in the hacking cases initially were attacks against the large processors in hopes of obtaining large amounts of data in one location or processor; but as the larger processors adopted the PCI standard and therefore became more secure, the hacker community began moving down the food chain to the smaller and possibly less protected processors. This is why no one can “play the ostrich“ and believe they are too small to be a target, as anyone who has card data can become a potential target.
For large merchants, certification requires an initial self assessment of their enterprise, or a 3rd party assessment to the established standard. Once this is complete they must submit to a qualified security assessor (QSA) who will certify the compliance of the entity. This then gets submitted to the PCI organization and recorded. Upon confirmation of compliance, the processor can post their compliance with the PCI DSS standard. A list of compliant processors is available by region. For the U.S. the standard is known as PCI. The foreign version is called AIS for account information security. You can find the lists of PCI/AIS compliant companies at the Visa USA website, from Visa Europe and from Visa Asia Pacific.
So why is it important to only deal with processors who are PCI compliant?
By meeting this compliance standard, merchants dealing with the processor should have some degree of confidence that the customer data submitted to the processor will be treated with a commensurate level of security (the fewer times you lose your customer data, the better). The last thing a merchant wants is to be associated with an online hack of customer data, and given the new privacy laws in many states, data compromises of personal information must now be publically announced to the consumer when they occur (California was one of the first to enact such a law, known as SB 1836).
Additionally it should be noted that while you may have already achieved or are working with a PCI compliant processor, it is not a onetime exercise. The following recurring aspects need to be exercised in order to main compliance:
- There are annual reviews – PCI compliance ROC.
- Semi-annual – review server configuration standards.
- Quarterly – vulnerability scanning.
- Quarterly – access control review.
- Daily – logging audit trails.
As an online merchant, PCI should no longer be just another acronym, but something that should be kept in mind for all your online payment processing. Maximizing your profits (and keeping them), as well as maintaining a high recurring customer base (hacked customers usually don’t return in droves), go hand-in-hand with PCI security.
As a 20 year veteran of Internet security, this author has long realized it’s a case of “us against them,” and for job security, can easily say, this threat is not going away anytime soon.