
PCI DSS compliance requirement looms but lacks punch, critics charge

The PCI DSS 6.6 compliance requirement moves from best practice to requirement June 30. Are you prepared?

In a few days, retailers that accept payment card transactions are required to protect all Web-facing applications against attacks by either installing application-level firewalls in front of Web-facing applications or by doing application code reviews.

The requirement is spelled out in section 6.6 of the Payment Card Industry Data Security Standard (PCI DSS), established by the major credit card companies, including Visa Inc. and MasterCard Inc., to ensure the privacy of customer information. On June 30, the recommendation goes from best practice to compliance requirement.

What does the mandate mean? It means vendors are swooping in with products that promise to automate code review and make you PCI compliant. For example, Solidcore Systems Inc., a change control system provider in Cupertino, Calif., offers an embedded PCI product for point-of-sale (POS) devices that promises to protect against attacks like the Hannaford Bros. Co. breach in March.

Research houses are cranking out warnings on the risks of non-compliance. Typical is a study from Pleasanton, Calif.-based Javelin Strategy and Research showing that 40% of consumers change their relationship with a business affected by a security breach. The study also found that 56% of breach victims wisely prefer a solution that prevents fraudulent use of their information, over a credit-monitoring system that notifies them when their information has been stolen.

Of course, security experts are at the ready for comment. The eminently quotable Gartner Inc. security analyst Avivah Litan has observed (everywhere) that most of the Stamford, Conn.-based firm's clients will indeed not be ready by June 30. And that most clients are opting for the application firewall rather than taking on the more onerous job of auditing their applications for flaws and fixing them.

But the important thing to note about the June 30 mandate, say many experts -- including Litan -- is that what is true about 6.6 is what has been true of PCI standards in general: The mandate is insufficient. Neither fix alone -- the firewall or the code review -- is enough to protect consumer data in Web-facing apps against attacks and, consequently, neither is sufficient to protect your company's reputation.

Critics of the PCI compliance standards point to the Hannaford breach: the retailer was PCI-compliant when malware covertly installed on its servers compromised more than 4 million credit and debit cards.

The PCI rules are written as standards, not laws, but noncompliance may pose legal risks for retailers, nevertheless. David Navetta of InfoSecCompliance LLC, writing in SC Magazine, believes standards such as PCI, set by a private body, could pose more risk than traditional government regulations. He advises merchants to engage their legal teams on PCI compliance.

Still, security expert Joseph Miller, an engagement manager in the technology risk management practice at Jefferson Wells International Inc. in Milwaukee, said the 6.6 requirement is important, even "though it may or may not be enforced by the merchant banks or card brands." (Another hallmark of the PCI standards is that the group hasn't gone after offenders.)

"I think it is good to become PCI compliant, but you need to assure that you have your own best practices in place and test your own processes," Miller said.

He recommends to clients that they definitely take the PCI self-assessment questionnaire but also do their own internal testing. For example, restaurants would want to look at their process for accepting credit cards and use a data diagram that shows the actual path the cardholder data takes into the point-of-sale (POS) system, as well as the optimization of the transaction itself as it goes to the merchant bank or card company for processing, Miller said.

Test the whole process, Miller said, "and make sure that you are showing evidence that you are protecting cardholder data."

At the core of good practice is the protection of cardholder data, as well as the card's authentication data during the transaction, said Miller, who is a certified PCI assessor. He offers three recommendations for companies that accept payment card transactions for protecting cardholder data:

  • Minimize storage time as much as possible. To do that, "you need to determine in the course of doing credit card transactions how long do I really need to keep the cardholder data," he said. In the hotel industry, where Miller has done considerable consulting, the data needs to be kept for the duration of a guest's stay. There are also regulatory considerations. Nevada, for example, requires retailers and casinos to keep credit transactions for as long as two years, in the event of disputes.
  • Always store the primary account number in unreadable format (masked, except for the last four digits).
  • Encrypt the data if it needs to be stored for any length of time. Encrypt the data while it is in transit, using protocols like Secure Sockets Layer and IPsec.
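The three recommendations above in practice, as an added Python illustration that is not code from the article or from any vendor it names: mask a PAN to its last four digits, scan stored data or log lines for unmasked PANs (the kind of evidence check Miller describes), and purge records that have outlived their retention window. The record layout, the ISO date fields and the retention period are assumptions.

```python
"""Added example: PAN masking, unmasked-PAN detection and retention purge."""
import re
from datetime import datetime, timedelta

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable, keeping only the last four digits as the article recommends."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text (a log line, a DB export, a config dump)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def purge_expired(records: list, now_iso: str, retention_days: int) -> list:
    """Keep only records whose assumed 'stored_at' ISO date is within the retention window."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=retention_days)
    return [r for r in records if now - datetime.fromisoformat(r["stored_at"]) <= limit]


if __name__ == "__main__":
    # Constructed sample log line; 4111111111111111 is a well-known Luhn-valid test number.
    print(find_unmasked_pans("auth ok pan=4111-1111-1111-1111 amt=12.00"))
    print(mask_pan("4111 1111 1111 1111"))
```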

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
