When Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co. banded together in 2005 to draft the Payment Card Industry (PCI) Data Security Standard (DSS), they wanted to improve credit card security among merchants, retailers and banks that issue, use and process credit cards. For small and medium-sized businesses (SMBs), the burden to comply can be onerous.
With 12 requirements (see sidebar), PCI DSS compliance strikes fear even among larger companies with established information security departments and staffs equipped for handling compliance.
It's no wonder, then, that an estimated 60% of merchants using credit cards aren't PCI compliant. But noncompliance can be costly, if not fatal, to a business. Noncompliance can result in fines or, at worst, being barred from processing credit cards through a PCI council member.
PCI DSS categories and requirements
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security.
Source: PCI Security Standards Council
There are three ways an SMB can achieve PCI DSS compliance:
- Follow industry best practices for network and IT security.
- Use tools and services geared toward PCI compliance.
- Align with a larger partner for credit card processing.
Industry best practices
The PCI standard, for all its critics, covers many common-sense approaches to IT security that most SMBs should already be following. These include requirement eight, which requires a unique ID for everyone with computer access, and requirement nine, which places restrictions on physical access to cardholder data. Most authentication systems used by SMBs require unique user IDs and passwords, and servers holding card data are often in isolated locked rooms or facilities.
Other requirements an SMB may already be following include requirement one, which calls for firewalls around credit card data, and requirement two, which calls for changing vendor-supplied default passwords on systems. These are often routinely done by IT and network managers at SMBs.
The toughest requirements for SMBs are requirement three, calling for the protection of credit card data, and requirement four, seeking encryption of data transmitted across networks. Requirement three states that cardholder data can be kept only as long as needed for the business, or for legal and regulatory purposes. But companies like to store data for customer convenience, bringing it up from a database rather than having to ask customers every time they buy something. Under PCI, not only does the transaction have to be encrypted, but the database holding the data must also be encrypted.
In addition, particularly at retailers, wireless devices are used so sales clerks can move around the store helping customers. Wireless networks open a whole new range of access to networks that require PCI compliance under requirements three and four.
An SMB can comply with requirements three and four easily and cheaply by doing two things: isolating the portions of its network that handle card data, and using what are called in PCI parlance "compensating controls," rather than full-blown encryption. By isolating data on the network, only that network segment needs to be scanned and reviewed for PCI DSS compliance. Otherwise, the company's entire network must be compliant, adding costs for the scanning and auditing required for PCI.
Truncating card and account numbers, or obscuring them with one-way hash functions, qualifies as a compensating control for purposes of the standard. Encryption and key management can be costly and require additional hardware for an SMB. Truncating and hashing are cheaper shortcuts.
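The three techniques just named (masking for display, truncation for storage, and one-way hashing so a returning card can be recognised without keeping its number) in working form. This is an added example written for this article, not code from the PCI council or any vendor; the sample PAN is a well-known test number and the HMAC key is a constructed placeholder. The hash is keyed rather than a plain SHA-256 because the PAN space is small: with the six-digit BIN and the last four digits known, only about 10**5 Luhn-valid candidates remain, so an unkeyed hash can be reversed by trial, and later revisions of the standard require keyed hashes for exactly this reason.

```python
import hashlib
import hmac

# Constructed sample PAN: a well-known Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject mistyped PANs before hashing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:       # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first six and last four digits.

    This is what a receipt or a customer-service screen may show; the middle
    digits are replaced on output, not stored.
    """
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN-shaped value")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only the last four digits and discard the rest.

    Enough for a clerk or customer to recognise a card ("the Visa ending in
    1111") without the full PAN ever being written to disk.
    """
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) over the entire PAN.

    Why keyed: a 16-digit PAN with a known six-digit BIN and known last four
    has only 10**6 possible middles, and the Luhn check leaves about 10**5 of
    them, so an unkeyed SHA-256 falls to trial hashing.  The HMAC key must be
    kept apart from the hashes (in the isolated card-data segment or an HSM).
    """
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def same_card(pan: str, stored_hash: str, key: bytes) -> bool:
    """Recognise a returning card by comparing hashes in constant time."""
    return hmac.compare_digest(hash_pan(pan, key), stored_hash)


if __name__ == "__main__":
    # Constructed key for the demo; a real deployment generates and protects it.
    key = b"demo-only-hmac-key-replace-me"
    print(mask_pan(SAMPLE_PAN))              # 411111******1111
    print(truncate_pan(SAMPLE_PAN))          # 1111
    h = hash_pan(SAMPLE_PAN, key)
    print(h[:16], "...", same_card(SAMPLE_PAN, h, key))
```

The masked and truncated forms are what leave the isolated segment; the keyed hash stays inside it together with its key, which is what keeps a stolen sales database from being turned back into card numbers.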
The second approach covers a broad category of products. There has been some controversy about this, with complaints that vendors are coming out of the woodwork claiming to be PCI saviors. While there isn't a PCI panacea, there are products on the market that can ease the compliance burden.
An interesting technology is tokenization, developed by Shift4 Corp. in Las Vegas. Tokenization replaces the credit card number on the point-of-sale (POS) device at the retailer with a token, or a reference number. The reference number is useless if sniffed in transit, as happened in The TJX Cos.' breach, since it can't be traced back to the cardholder or his or her account. Shift4 sells a driver for POS devices that generates and accepts tokens at a fraction of the cost of the expensive upgrades PCI would require to encrypt data sent and received by POS devices. Since the token isn't the actual card or account number, under PCI it isn't sensitive customer data and doesn't need to be encrypted.
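The data flow tokenization gives, as an added example written for this article and not Shift4's driver or any other product: a hypothetical token vault that is the only system holding the token-to-PAN mapping, a POS checkout that keeps and transmits nothing but the token, the last four digits and the amount, and a settlement step inside the vault's segment that swaps the token back. The PAN and amount are constructed test values; the token format is an assumption of this example.

```python
import secrets
import string


class TokenVault:
    """Hypothetical token vault: the one system that maps tokens to PANs,
    living in the isolated card-data segment.  POS devices and the merchant's
    sales database see only tokens."""

    def __init__(self) -> None:
        # In production this store is encrypted and access-controlled; plain
        # dicts here only show the data flow.
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN, reusing it for a card seen before so the
        merchant can recognise repeat customers without storing the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN-shaped value")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random letters only: no mathematical relation to the PAN and no digit
        # of it, so a token sniffed in transit or copied from the sales
        # database yields nothing usable.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the settlement path inside the vault's segment may call this."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def pos_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS keeps and sends across the store network: a token, the
    last four digits for the receipt, and the amount.  No PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Scope check for an audit: does any field of a stored sales record hold
    the PAN or more than the last four digits of it?"""
    for value in record.values():
        s = str(value)
        if pan in s or pan[:6] in s or pan[-6:] in s:
            return True
    return False


def settle(vault: TokenVault, record: dict) -> tuple[str, int]:
    """Inside the vault segment: swap the token back for the PAN that goes to
    the acquiring bank, together with the amount."""
    return vault.detokenize(record["token"]), record["amount_cents"]


if __name__ == "__main__":
    vault = TokenVault()
    rec = pos_checkout(vault, "4111111111111111", 1999)   # constructed test PAN
    print(rec)                                             # token, last4, amount only
    print("record in PCI scope:", record_exposes_pan(rec, "4111111111111111"))
    print(settle(vault, rec))
```

The practical consequence is the one the article draws: every system that only ever handles the record returned by pos_checkout drops out of PCI scope, and the vault plus the settlement path are what remain to be isolated, scanned and audited.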
Partner with a large organization for PCI DSS compliance
An SMB can use a third party to process its credit card transactions. But this is recommended only for small retailers; medium-sized businesses will not benefit. This doesn't absolve a storefront from minimum security precautions to protect its customer data. But the headache of being fully compliant with PCI will rest with the service handling the card transactions, not the SMB.
More on compliance
While the standard was created for a good reason, it has drawn some criticism. One criticism is that it is changing too rapidly for companies to remain compliant: they may be compliant this year, but there's talk in the air that the standard is expected to undergo a major revision. Another, along the same lines, is that PCI auditors sometimes provide contradictory answers on what constitutes legitimate compliance with the same part of the standard.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.