
Making Your Online Transactions Safer

25th August 2009
Lee Werrell

PCI DSS COMPLIANCE

The anonymous and previously vague and confused face of e-commerce is changing in a big way. In light of credit card cloning, data loss through employee fraud, wireless interception, data stick loss, stolen laptops, copied databases and other operational risks, as well as blatant hacking, the major players have finally decided to take action. Since 2007 the Payment Card Industry Data Security Standard (PCI DSS) has been the standard for security practices for online merchants, telephone contact centres, webmasters and web hosts. For any company that keeps credit or debit card details, however they are stored or transmitted, it is vital to understand the new requirements to ensure your business and your clients' businesses do not incur penalties from regulators, banking organisations or insurance companies, or transaction rate increases.

PCI DSS was developed by the founding brands of the PCI Security Standards Council, including American Express, JCB, Discover, MasterCard and Visa. The PCI Council has established this standard (recently revised) to protect cardholder information. As a vendor, it is critical that you are not only aware of the new requirements, but also understand the tools and practices available to remain in compliance with the new standard.

The standards covered by the PCI Council can be used to help build or augment the security policies and structure for the enterprise, data centres and your customers. This comprehensive set of requirements for security management, policies, procedures, network architecture, software design and other critical protective measures will be used by the wise as a best practices guide to implement and follow.

Although the PCI Council manages the underlying security standards, compliance is set independently by the individual brands. Each brand has its own set of financial penalties per incident, with additional penalties ranging from restrictions to outright loss of use.

A common misconception is that this is an IT issue best left solely to the technical departments to resolve. In fact, most companies find that this is a multi-discipline exercise best co-ordinated by a risk and compliance function, which can then co-ordinate any IT requirements and engagement; governance for policy writing or amendment; operations for current practices and training; HR for security checks on new hires; and feedback to the audit function for reporting to senior management.

There are twelve major requirements to the PCI standard:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect card holder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain policies and procedures that address information security.

Application Security

The latest release of PCI DSS requires that all Web-facing applications be protected against known attacks. Further consideration is also paid to the vulnerability of the application if someone does get access: how much damage can they do? Historically, hosting companies have become very good at protecting the networks and the operating systems from attack, while the applications themselves have been left vulnerable.

Regulation of PCI DSS

Although the original deadline for compliance with PCI DSS was set as 30th June 2005, the number of certified companies remains low, with even some major organisations not yet PCI DSS certified. This could be due to a previous lack of clarity throughout the industry as to who was responsible for education and enforcement of the standard. This is still a voluntary scheme with no specific regulatory requirement to date, except that any security breach may be seen by the regulator as a failure to ensure adequate systems and controls. This could be seen as a breach of FSA Principles for Business 2 & 3.

The banks that sign merchants up as Visa retailers also have a role to play in ensuring that their sponsored merchants are PCI DSS certified. This requirement is set to expand in the near future as the banks attempt to reduce their bad debts, fraud losses and other operational risks from their systems, processes and services. Additionally, members and merchants in turn should only buy payment related services from PCI DSS certified service providers.

One of the major benefits of PCI DSS for card scheme members is that it provides a common benchmark for assessing their data security and that of their business partners. This should result in lower compliance costs and effort, leading to a wider acceptance of standard security requirements for the industry.

About the Author

Lee Werrell FInstSMM MSI is the Owner and Principal Consultant of CEI Compliance Limited, a Compliance Consultancy. CEI provide a broad range of expertise having worked with governance, risk and compliance functions for a number of years.
