PCI: here to stay

PCI DSS has been created by the big credit card companies to standardise security practices with card data globally

Some people argue that the business landscape is cluttered with regulations, leaving security professionals to untangle the red tape so that their companies can keep being labelled as trustworthy.

This summer there’s a new regulation in town – the Payment Card Industry Data Security Standard (PCI DSS, see end of story for further clarification), which has been created by the big credit card companies to standardise security practices with card data globally.

“PCI is the new kid on the block,” says Ritchie Jeune, managing director of Jersey-based digital security firm Evolution Systems. “In the past, the banks and card companies have had to soak up the cost of a breach. This gives the security manager a justification to now say why security is important. Essentially you have to ensure any credit card information is transmitted and kept secure.”

Fines of up to £250 000 (€370 000, $500 000) can be issued to companies whose security is breached, according to those behind PCI – American Express, MasterCard, Visa, Discover and JCB. And in the wake of retailer TK Maxx’s loss of the card data of 46 million people, these companies seem keen to make themselves heard.

Big standards for little companies

So what does it all mean for information security professionals? With yet another list of rules stating how security should be carried out, how will it fit in with all the other regulations?

“It’s an enforcement mechanism rather than a standard,” says John Colley, European managing director of (ISC)2 and formerly of Barclays and the Royal Bank of Scotland. “I think all the big companies will be meeting all these standards anyway. It’s nowhere near as strict as some of the others.”

All companies involved in PCI have to demonstrate compliance. In many cases that means hiring assessors. But how will small companies cope with that?

According to Tower Group, a financial services research and advisory firm, large merchants classified as Level 1 or Level 2 require independent certification, while Level 3 and 4 (smaller companies) use self-assessments that follow a simple checklist of “yes/no” questions.

“It’s just card issuers flexing their muscles,” adds Colley. “They are really worried about the three-digit number on the back of cards as it should be obliterated once processed. But the more cynical view is that it’s a regulation for them to protect some of the fraud losses.”

There are 12 security requirements laid out in PCI, which include: using firewalls; changing default settings of equipment; encrypting data; using antivirus; and many of the usual controls set out in standard security policies (see below).

“You find that compliance regulations are built off an already-existing standard,” says Richard Starnes of the ISSA UK, the security professional association. “With ISO27001 [the official name for the new international standard of the Information Security Management System], you can get 80% of the way for PCI, then you have to dig into the analysis. PCI is a bit more prescriptive than others but I haven’t found anything to be over the top.”

Compliance costs

However, the costs associated with proving PCI compliance can be high. Apart from spending on any new infrastructure, some companies must hire PCI-qualified, independent security consultants to carry out regular penetration tests.

The Royal College of Physicians (RCP) of London has just undergone this process. With 21 000 members, it provides training and exams to people around the world. It wanted to trade on its website, so members could pay for exams around the clock. As this would handle a large amount of credit card data, the RCP was advised to comply with PCI.

“It has been expensive but there has been a return on investment,” says Christopher Venning, IT network and support manager for the organisation. “The extra infrastructure and getting the audits done – that’s not cheap. It took time to find who to do the audit and that has to be someone who is approved by the credit card companies.”

The RCP migrated its website to a more secure hosting facility with tougher firewalls, under the supervision of Matrix Communications. It then hired security company Integralis as the independent penetration tester.

“It’s made us concentrate on the infrastructure more,” adds Venning. “We would have just gone for a firewall and looked at user stuff, but now we are moving other sites across [to this environment].”

“With Integralis we briefed them and gave them the access codes. They were doing pen test stuff for about a week and then came back to us. But the commissioning and finishing goes on.”

Jumping on the bandwagon

Wal-Mart, Microsoft, PayPal, Tesco, British Airways, Apacs, Bank of America and electronic payments firm Verifone have all been elected to the PCI Security Standards Council – perhaps to send a clear message to businesses around the world that PCI is here to stay.

But there is some divide in the security industry as to whether PCI will actually bolster consumer security, or simply help card firms to distance themselves from the fraud and leave merchants with more burden to bear.

In a survey conducted by US security risk firm nCircle, in which 101 security professionals were polled, 37% said PCI is sufficient to protect consumer data, while 41% argued it is not enough to do the job properly.

Further research from the infosecurity-focused Jericho Forum found just 39% of European organisations are acting on PCI compliance, compared with 63% in the US that are prepared. The group suggests this could be because there is no directive on breach disclosure in Europe yet, unlike in the US.

“Compliance is all to do with reputation protection,” says Mark McMurtrie, a director at UK secure transaction firm the Logic Group. “[The regulations] can’t just be used as a tick in the box or to avoid fines. It’s easy to write off a fine but a lot harder to rebuild reputation.”

“Security professionals have a very heavy work load because of compliance. Sarbanes-Oxley has had the biggest impact for the last couple of years. One common need for compliance is to have a security policy. If that exists and is up to date, then it’s a much smaller task to get PCI up.”

Storing PINs? Fine

There may also be financial reasons to comply with PCI. In the US, card processor Visa announced fines on acquiring banks for each large merchant which continued to retain PIN data or card security codes. Visa Europe, which is an association of European member banks, says it also imposes financial penalties, although it does not publish details, and has become more closely involved in educating merchants. And if credit card organisations fine banks, they may pass these on to the non-compliant merchants.

“Along with fines, credit card companies are implementing new systems to provide positive reinforcement to the industry’s traditional, fine-only approach,” says Taher Elgamal, chief technology officer of US firm Tumbleweed, which provides internet communications security. Compliant American firms can also receive lower interchange rates: “The positive incentive will have a noticeable impact on the bottom line of all large merchants.”

After companies align themselves with PCI, it could be some time before the rules are seen in use around the world. But then again, it only takes another high-profile breach. And can PCI reduce the chances of that?

Rules on the cards

The Payment Card Industry Data Security Standard (PCI DSS) is a list of rules to boost security around card data, set out by the major credit card companies. It applies to any company that trades with cards.

The standard is something of a moving target in that it has been updated once in 2006 and the PCI Security Standards Council says that could happen again.

There are 12 core requirements:
1: Use a firewall
2: Change default settings
3: Secure stored data
4: Encrypt transmission of card data
5: Use antivirus
6: Secure systems and applications
7: Restrict access to data
8: Assign a unique ID to each user
9: Restrict physical access to card data
10: Monitor access to all cardholder data
11: Regularly test security systems and processes
12: Keep a security policy