The ominously stamped letters have been arriving in mailrooms around the country since December as banks deliver their guidelines on how to meet the dreaded PCI DSS compliance standard. Merchants can no longer avoid the issue, but their confusion is understandable. The subject is a minefield of acronyms, with significant variation in the rules, depending on the number of transactions you handle. PCI compliance is a very specialised area that requires time, attention and resources.
So what exactly is PCI DSS? The Payment Card Industry Data Security Standard is a set of rules developed in 2004 by Visa International and MasterCard Worldwide and later endorsed by other payment providers, including American Express and Diner's Club. Put simply, it is designed to protect payment providers and merchants from identity theft and credit-card security breaches.
PCI goes to the root of the problem. "First of all, you cannot store sensitive authentication data such as PIN numbers or CVV numbers," explains Ian Reece, security specialist at Integralis. "Second, you must properly encrypt the information you are allowed to keep - for example, the primary account number. And then there is policy. People know you don't leave the window in the server room unlocked. But you need formally defined policies so that they are easily repeatable. Get into a routine to enforce security."
The PCI rules apply to any type of media on which card data is stored - this encompasses hard disk drives, floppy disks, magnetic tape and backup media, as well as receipts displaying the full card number. The latter are often held by merchants as a paper record of the transaction and are used for voucher recovery purposes or as proof of the transaction to respond to a request for information (RFI). The card number must be held in full, which is why it is so important that receipts are stored securely.
Retailers must also take care to physically and electronically secure all other areas where card details may be stored, processed or transmitted. This is crucial because many electronic point-of-sale (EPOS) systems take a copy of the card details and store them unencrypted within their own databases for reconciliation and reporting purposes.
Although confusion about the standard is still widespread, a comprehensive education campaign has been underway for some time. "There are people I've worked with at Visa and MasterCard whose full-time job is to raise the profile of PCI DSS and talk to retailers," says Paul Meadowcroft, head of transaction security at Thales.
The PCI initiative has been criticised by some, including Dave Hogan, chief information officer of the US National Retail Federation, as little more than a money-making racket for credit-card companies, but there can be no doubt that retailers have been found worryingly lacking on security. Recently, security blogger George Ou used the Kismet sniffer tool to prove that many big names high-street stores are still using the outdated WEP encryption standard for data transmission. This comes a year after the TJX debacle, where an insecure wireless network is thought to have allowed criminals to download nearly 100 million credit and debit-card numbers from outside a store.
Infosecurity professionals agree that PCI DSS should be seen as helping retailers rather than being a veiled threat. According to Suheil Shahryar, regional manager at Verisign UK, this even applies to smaller firms who may feel bewildered by the complexity of the rules. "A small company selling pet accessories contacted me after they had an expensive breach," he recalls. "They didn't even know they had been storing customer information on their system. Visa and MasterCard provided some money to help them on the understanding they don't make the same mistake again." In some cases, Shahryar points out, smaller merchants can buy insurance to protect against the expense of an investigation.
PCI DSS comes complete with its own police force. The PCI Security Standards Council trains and certifies qualified security assessors (QSAs) and approved scan vendors (ASVs) to validate compliance at intervals that depend on your level (see box, page 34). Onsite assessments by QSAs are compulsory only for the largest merchants, while levels 2 to 4 complete a self-assessment questionnaire (SAQ). However, everyone must use ASVs, regardless of size.
The introduction of a new set of questionnaires for merchants to use with their PCI assessments could help ease the pain. The revised SAQs, which can be downloaded from www.pcisecuritystandards.org, divide the old questionnaire into four updated versions aimed at the different categories of merchants. The advantage is that many companies will no longer have to answer questions about card-processing and security systems that do not apply to them. The new forms also provide a more detailed search for weak spots in payment-processing software applications.
The new questionnaires are yet another sign of the card industry's increased focus on software security. Late last year, the PCI Council announced it would make Visa's set of recommendations for strong software security, Payment Application Best Practices (PABP), an official part of the DSS standard. This is due to be completed soon, but mandates won't have to be implemented until 2010.
The council is also turning its attention to the security of devices for entering a card's PIN. To gain approval, PIN entry devices must comply with the requirements specified in a set of newly released documents downloadable from the PCI DSS website.
A list of useful websites on the PCI DSS is available at www.scmagazine.com/uk
THE LEGAL POSITION
The bottom line is that PCI DSS must be met by all organisations that accept or store information from credit and debit cards issued by the PCI payment providers. However, it is not actually a law but a contractual obligation that is applied and enforced by the payment providers themselves, using fines and other restrictions.
More specifically, the card brands promote and enforce PCI through contracts with their merchant banks (in the case of Visa and MasterCard) or through their operating agreements with merchants (Discover and Amex).
Higher-level merchants can be fined for non-compliance even if there has been no actual breach. The card associations fine the merchant bank, which in turn passes the fine on to the merchant.
The consequences of non-compliance can be severe. Visa fined TJ Maxx $880,000 (£447,000) for its well-publicised breach last year. Penalties in the UK could range from £100,000 to £300,000. There are no standardised penalties across all the payment brands, and the PCI Council says it has no plans to create any.
However, the fines are not the only threat. "This is a serious matter because of the risk to brand reputation and the organisation's share price," says Mark McMurtrie, marketing director of Postilion. "That's why PCI should be welcomed by organisations as a benchmark, as best practice in keeping information confidential."
Compliance requirements vary according to a merchant's activity level. There are four levels, based on the annual number of card transactions.
Level 1 - Criteria Merchants with more than 6 million transactions a year or those whose data has been compromised in the past
Requirements Annual onsite security audit, quarterly network security scan
Level 2 - Criteria Merchants with 1 million to 6 million transactions a year
Requirements Annual self-assessment questionnaire, quarterly scan by an approved scanning vendor
Level 3 - Criteria Merchants with 20,000 to 1 million transactions a year
Requirements Quarterly scan by an approved scanning vendor, annual self-assessment questionnaire
Level 4 - Criteria Merchants with fewer than 20,000 transactions
Requirements Annual self-assessment questionnaire
Quarterly scan by an approved scanning vendor may be recommended or required, depending on the bank. There is usually no need to report compliance, but it must be maintained nevertheless.
CASE STUDY: BONHAMS AUCTION HOUSE
Bonhams is one of the world's biggest auctioneers of fine art and antiques, overseeing more than 700 sales a year, mainly from its two flagship salerooms in London.
According to network manager Stephen Brett, it was the IT department that first became aware of the PCI DSS requirements. "We assessed where we had shortcomings and planned how to correct those," he recalls. "And we've been slowly working through them."
Much of PCI compliance revolves around the protection of IT data but, as Brett explains, there are some other aspects, for example involving the layout of rooms in the auction building. "Our experience may differ from that of large retailers with a big chain of branches because we don't have that many locations to manage. And an auction house presents an unusual challenge," says Brett.
This is because customers enjoy more freedom of movement in the auction rooms than they would in a shop, he continues. "Sales are on view. People come in, wander around and talk to specialists over a counter. You have to make sure they can't see any information on the screen."
As a level-2 merchant, Bonhams had to ensure all communications were covered electronically. "Most of that was done already. We had been going through a network rebuilding exercise, which prepared us well."
Bonhams had to use an approved scan vendor and hired ProCheckUp to verify that its systems were compliant. "They went a step further and did a complete penetration test to prove the system was secure from hackers," Brett adds.
He says the main difficulty with PCI is that it can be viewed as a time-consuming bureaucratic necessity by senior management. "You have to cover a lot of details, so it's an effort to get it all done on top of all your other work. There is a cost to it and no return on that investment, so it's not terribly high priority in management terms. However, we have got high-level backing us on this, and I think that's important. But it's more like an insurance policy."
For Bonhams, this has involved reorganising office layout and procedures. "PCI forces merchants to think about non-IT related issues that may have escaped managers' attention. That can be as humdrum as converting a room into a lockable cupboard. For us, it's all about balancing customer experience with the highest possible level of security."
1. Build and maintain a secure network Create a firewall to protect cardholder data. Avoid using vendor defaults for passwords and other security parameters.
2. Implement strong access-control measures Limit access to cardholder data on a need-to-know basis and make sure that each user has a unique ID. Also don't forget to restrict physical access to stored cardholder data.
3. Keep less data Storing as little credit-card and other customer data as possible means having less information to lose. It also reduces the scope of assets that fall under PCI regulations and auditing in the first place. Techniques such as tokenisation and truncation allow companies to undertake discovery, fraud analysis, audits, charge-backs and other tasks without storing card numbers.
4. Understand the flow of information Most companies lack documentation laying out how credit-card information flows across their organisation. Unless CIOs have performed a system-wide audit of all data repositories and then perform audits regularly, they have no way of determining where data is stored and transmitted and if they are complying with PCI standards.
5. Encrypt stored data Even if other protection mechanisms fail and an intruder gains access to data, stored information will be unreadable if it is properly encrypted. It should therefore come as no surprise that the latest, uncracked encryption standards are key components of the "layered security" or "defence-in-depth" principle that PCI supports.
6. Tackle application and network vulnerabilities Point-of-sale terminals, web shopping carts and other payment applications automatically generate log files that store track data, CVV2 data, and other credit-card information, even though PCI regulations prohibit this. Merchants must update their software as patches are released.
7. Segment credit-card networks Companies with the least segmented networks suffer most when compromises occur. Out-of-band management, continuity capabilities and backup server capabilities can protect networks from attacks and minimise damage from outages. Always use WPA to encrypt the transmission of cardholder data across open, public networks.
8. Improve security awareness and training People are unpredictable and can subvert controls put into place by process and technology. Many PCI audit failures can be avoided by simply improving security awareness, particularly mistakes related to poor password control, improper data storage and overly permissive usage policies.