Fraud and identity theft are on the rise. The Federal Trade Commission received more than 685,000 complaints of fraud and identity theft in 2005, totaling more than $680 million in stolen assets. The vast majority of these cases stemmed from data breaches associated with credit cards. In response, a federation of companies led by MasterCard Worldwide and Visa International set out to establish consistent data security measures for merchants, banks, and service providers.
This effort resulted in the Payment Card Industry (PCI) Data Security Standard (DSS), a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This standard, launched in 2005 and revised in September 2006, provides a comprehensive set of requirements for enhancing payment-account data security. Failure to comply can cost corporations up to $100,000 per incident in fines.
Today, companies affected by the PCI standard are required to conduct a variety of validation activities, including quarterly scans, a self-assessment questionnaire, and an onsite review, depending on the number and types of transactions conducted by the companies. Addressing PCI compliance is not just a matter of avoiding noncompliance fines, it is about good business: reducing risk, enabling delivery of services over an increasing range of customer channels, and preserving the trust of customers and business partners.
The 12-point test
The PCI standard accounts for different transaction volumes, payment channels, and levels of exposure across companies. Companies are categorized into four different levels. While other regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act are vague in how they must be applied, the PCI standard lays out 12 specific security requirements with which companies must comply. These requirements are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
To most IT/security professionals, many of these requirements seem like straightforward common sense. Surprisingly, however, many organizations have trouble complying. According to a recent study by Visa USA and the United States Chamber of Commerce, most data breaches occur when a merchant or service provider stores sensitive information from a card's magnetic stripe in violation of the PCI standard. This makes compliance critically important to your enterprise.
Challenges to compliance
While PCI DSS certainly is comprehensive, the list of 12 requirements leaves 12 possible points of failure. Fail one requirement and you fail them all. This "all-or-nothing" approach is both a curse and a blessing. The benefit: enforcing compliance with each of the 12 requirements ensures the most secure possible transmission of data. The pitfall: especially for smaller companies, total compliance with the standard can take excessive time and resources to achieve.
The way the standard works now, a merchant or service provider that satisfies 99 percent of the requirements would still receive a failing grade. With this in mind, many experts predict a significant number of organizations may in fact never comply. For example, Gartner, the market research firm, points to this as a key reason why fewer companies than expected have complied as of late 2006. Nevertheless—for now, at least—the standard remains unchanged.
Getting there
In order to prove compliance, payment card organizations require the use of qualified data security companies (QDSCs) to perform an onsite audit review. MasterCard and Visa have established a certification program for vendors to become QDSCs, as well as a program authorizing companies to provide scanning services. These two credit card giants also offer certification programs that train qualified data security practitioners (QDSPs) who perform testing and other security work.
These organizations often offer additional value-added services such as best-practice security assessments, compliance-readiness reviews, system deployment and training, systems integration, and other security- and network-related services. In many cases, businesses can also help themselves by purchasing sophisticated security equipment, configuring it to minimize risk, and implementing a host of policies and protocols that comply with the latest data security standards.
Check Point Software offers a white paper that maps out our suite of solutions that support merchants, financial institutions, and information processors in achieving compliance with the PCI standard. Check Point solutions are comprehensive and integrated, serving as a solid base for PCI compliance while also supporting requirements common to other security regulations. In addition, the solutions deliver fundamental business value by reducing risk, supporting new payment channels, and protecting privacy.