A growing number of organizations in both the retail and financial services industries are recognizing the benefits of implementing and adhering to the Payment Card Industry Data Security Standard (PCI DSS). After all, the drawbacks of non-compliance became all too clear late last year when TJX Companies announced that over an 18-month period hackers had compromised the credit and debit cards of nearly 50 million of its customers. However, updated numbers have the breach reportedly compromising 94 million customers.
Merchants and service providers that fail to comply with the payment card security requirements are not only subject to penalties and fines, but also make themselves more vulnerable to cybercriminals and thereby expose their firm's brand and reputation to additional risk. A security breach is bad enough - being breached due to non-compliance is even worse.
Security breaches such as the one TJX suffered are not rare. Many well-known companies have also seen their confidential customer information end up in the wrong hands. Unfortunately, for the merchant and payment card communities, a data breach is no longer a matter of if - but when - one will occur.
According to security experts, the trouble is not that businesses do not have general information security measures in place. What is more likely is that they are not prepared with the aggressive security controls and processes needed to better ensure data integrity in today's online and mobile business world. This is critical to both financial institutions and merchants alike as they look at these retail channels to support top line growth. Furthermore, as additions such as the new PIN Entry Device (PED) security requirements are folded in, and PCI DSS expands, businesses face a growing set of critical elements to address.
To facilitate compliance, organizations must implement a programmatic approach for meeting requirements which will reduce overall risk associated with payment card processing and ensure a more resilient infrastructure. For a growing number of companies, leveraging the expertise of consulting organizations is the most effective and efficient first step in ensuring PCI compliance.
Audit and Report
The updated PCI specifications require organizations to implement significant security controls. The security requirements apply to all system components—which are defined as any network component, server or application included in or connected to the cardholder data environment. This includes firewalls, switches, routers, wireless access points, network appliances and other security devices. Also included are internal and external web applications and a wide range of servers, from web, database, and authentication systems to DNS, mail, proxy and network time protocol servers.
While meeting such requirements is easier said than done, one of the most important activities takes place after some elements of a secure infrastructure have already been implemented—and that is a comprehensive security audit by a certified Qualified Data Security Company (QDSC). Such an audit validates the security posture of systems, processes and procedures used to retain, store or transmit cardholder data.
To that end, specific areas must be examined including enterprise controls and processes, network architecture and configuration, server host hardening and configuration and application security reviews. Audit findings should be compiled in a report that enables the organization to correct open or non-compliant issues. By undergoing an audit, organizations gain clear visibility regarding the risks in their environment and can create a roadmap of prioritized steps to implement compensating controls.
Scan and Remediate
Vulnerability scanning is another critical step toward meeting PCI data security requirements. By leveraging the expertise of QDSC professionals as well as advanced vulnerability scanning tools, organizations can discover online vulnerabilities that could compromise the confidentiality or availability of their cardholder data and expose the organization to substantial risk. A variety of consulting companies offer scanning and assessments that use certified methodologies to meet the requirements of both Visa and MasterCard scanning procedures.
The conclusion of a scanning activity should yield a comprehensive written report which details a description of vulnerabilities and risks, their ratings, a diagnosis of associated issues and guidance on how to address vulnerabilities. The report should also entail a management presentation that covers compliance status, critical findings and strategic recommendations.
Assess and Compare
In an ongoing effort to reduce the risk of fraud or compromised cardholder data caused by a flawed payment application, Visa USA requires certification of any prospective payment application. By working with a Qualified Payment Application Security Professional (QPASP), payment application vendors can receive an objective security assessment of their application best practices compared to those of Visa USA.
Such an assessment often involves a review of the application data flow as well as of the vendor's application development practices and maintenance and a simulation and testing of the organization's payment program. Should the application fall short of meeting standards, the QPASP typically offers a preliminary report back to the organization and provides additional testing and revalidation services once the necessary corrective actions have taken place.
Once the application is shown to incorporate the appropriate security controls to protect cardholder data, the QPASP is able to document the organization's status, and the organization's program can be included on a list of validated payment applications that merchants and service providers use to select secure applications.
Review and Prepare
Self-assessment questionnaires, quarterly network vulnerability scans and on-site audits are just a few of the card-issuer requirements organizations must address to demonstrate compliance with the PCI DSS. However, many organizations face the challenge of where to begin.
This is often the area in which a partnership with QDSC consultants is imperative. These individuals can help the organization prepare for PCI compliance by providing expert advice and gap analysis of existing practices compared to the PCI security standard, including any new additional requirements. Through this process, issues such as potential deficiencies or the lack of appropriate controls are identified and analyzed, and next steps are outlined to enable the organization to make improvements necessary prior to completing their self-assessment questionnaire or conducting an on-site audit.
Typically, a QDSC partner can also help articulate to the company's executive management the objectives, strategies and needs related to meeting PCI requirements. This not only helps direct the organization's readiness activity and strategic planning but it can ultimately significantly reduce the cost of meeting compliance requirements.
Attaining and maintaining compliance with PCI DSS requirements can be a complex endeavor. However, by taking a programmatic approach to compliance and enlisting the support and guidance of certified, experienced experts, organizations that store, process or transmit customer credit card data can reduce overall risk associated with payment card processing and strengthen their own security posture.