PCI Compliance Not Just for Retailers
The deadline of June 30th has come and gone, and thousands of companies have demonstrated that they are incapable of complying with a set of security guidelines to prevent data breaches and protect credit card data against identity theft. These security guidelines are from the Payment Card Industry (PCI).
All organizations that store, process or transmit credit card payments were required to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) by 30th June 2007. But studies have indicated that less than half of all affected businesses were able to meet that deadline.
Why are merchants struggling to comply with what many in the security industry say are basic, common-sense security measures? Even the penalties for noncompliance, fines of up to $500,000 and loss of the ability to accept credit cards, apparently haven't been enough to get affected businesses to take security seriously. If you think it's only a merchant/retailer problem, think again, said David Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance (PCI SVA), an organization formed to assist and educate the payment card industry on the requirements and business value of PCI DSS. He explained, "If you accept the notion that protecting credit and debit card data is only a merchant's problem, then it's only a merchant's problem."
But merchants aren't the only ones to touch sensitive cardholder information, he noted. "Credit unions and banks are too at risk. Credit card companies also should be held to the same standards," he added. At one major credit card company Taylor heard from, "They told me they felt like they didn't have to comply with PCI because they weren't a merchant," he said.
So what happens if your organization is completely compliant with PCI DSS? "The fact is that just following the PCI DSS compliance standard to the letter doesn't mean you won't be hacked. Banks' and credit unions' information security departments are cognizant of that fact; I wish more retailers and merchants would realize that," he lamented.
Taylor cautioned retailers and financial institutions, "Achievement of compliance doesn't mean you're done. You have to do it over and over again, because you will continue to have the vulnerabilities. You can't just do it once and say you're done. You're doing it for multiple regulations, and every single time you change anything in your network, you have to look at what impact it will have on your security threat level."
With any new technology, you add a new level of vulnerability, he noted. "You could spend from now until Doomsday, trying to protect everything and not spend your way out of mitigating vulnerabilities."
And he added, "Encrypting everything is not the answer, because then you slow down business. The more you encrypt, the more it impedes your business. But you have to do enough to protect the data that needs to be protected."
"You can't just focus on perimeter security. You also have to know what's being done to the data when it's inside your organization. Fundamentally it is all about balance," he said. "You'll always see people drawing concentric circles around the data and saying that they have layered security. Defense-in-depth or layered security is porous. You can envision it as a giant 'maze game,' and for a mouse (hacker), they will find the way to get the cheese/data that they're seeking," he continued.
Taylor noted that Gartner studies show an estimated 70 percent of the significant, major damage-causing breaches come from inside an organization. "This is either caused by an internal malicious insider, or by an inadvertent error or careless protection of data, such as sending out an email to a colleague. Data is supposed to reside in a protected database, but a user who is creating a report to show what they've done will take the data, put it in a spreadsheet, and then how do they get the spreadsheet to a person? They'll put it in a PowerPoint slide, as a pasted object, then that same slide can be taken and the information pulled back out and placed on a spreadsheet," Taylor said.
He noted that financial institutions are much better at information security than their peers in retail. "But that said, I see a sense of complacency in financial institutions. They're saying 'we've spent a lot of money on security, and we've spent a lot of time in performing information security to protect our data'."
Taylor sees differences between smaller and larger institutions in terms of their focus on internal data security. "We can assume, except in very rare cases, that all financial institutions do have good perimeter security, including good intrusion detection systems, firewalls, and good antivirus, and do a good job on maintaining their virtual private network and security. It's consistent across most sizes of financial institutions."
However, where Taylor sees the difference is when it comes to deployment of data encryption, and the management of that technology. "I focus on data assets, and always ask where is the data? If I ask 100 people where the data is in their institution, eventually I find that the data thought to be in only certain places in an institution are actually spreading out further than most information security folks would want it to go."
PCI DSS was developed by the major payment card issuers: American Express, Discover, JCB, MasterCard and Visa. The goal is to have one global standard to secure and protect payment card data throughout the entire transaction process. Prior to the development of PCI DSS, the card issuing companies each had their own set of security standards; PCI DSS was intended to simplify the process of securing systems.
PCI DSS's 12 basic security requirements include encryption of cardholder data, user access controls, running updated anti-virus software, deploying a firewall, and checking systems regularly for security issues. Companies are validated as compliant after an audit performed by a Qualified Security Assessor.