If Darren Sitter could offer one piece of advice on passing a compliance audit for the Payment Card Industry Data Security Standard (PCI DSS), it would be simply this: start sooner. His organization, a Level 1 retailer, began preparing more than six months ahead of the Oct. 31 deadline. But when the company had to replace its certified assessor mid-process because it couldn't make that deadline, things got chaotic. Ultimately, his company passed PCI DSS certification after getting a three-month extension, but it was a hand-wringing experience that earned the entire IT staff a three-day reward trip to Mesquite, Nev.
“We were looking at this huge list of 270 questions, in some places asking for the same thing twice,” says Sitter, manager of network services for Maverik Country Stores, a gas station/convenience store chain based in Salt Lake City with 183 locations in the western United States.
By the end of last year, 77 percent of Level 1 merchants (more than six million transactions a year) and 62 percent of Level 2 merchants (one million to six million Visa transactions, or 150,000 to six million MasterCard transactions) had completed their initial security assessments and been validated as PCI compliant, according to Visa. Of those, 23 percent of Level 1 and 30 percent of Level 2 merchants had to work with their card services providers and merchant banks, as Maverik did, for extensions and direction to remediate problems and achieve validation.
“Organizations are dropping a lot of money to get this ‘check the box’ PCI compliant ticket,” says Brian Contos, chief security officer of ArcSight, a security management company in Cupertino, Calif.
IT managers at retailers that have achieved compliance say their organizations have become more secure as part of the process. They've learned how to mask card numbers as they pass through the point-of-sale system, to encrypt the fields where cardholder data must be stored, and to control access to the databases holding it. More important, they've begun to incorporate regular assessments and annual audits into their security programs, which is ultimately driving better overall security management.
“PCI DSS is driving more regular assessments and other basic security practices, which anybody handling cardholder data should be doing,” says Bev Magda, chief information officer of the Humane Society. “Even though we passed compliance validation, it's nerve-wracking to go through this every year.”
Quarterly scans and annual assessments will be a big part of the retail compliance process going forward, says Bob Russo, general manager of the PCI Security Standards Council. In February, the council made things easier on lower-level retailers by delivering self-assessment questionnaires that contain from 11 to 38 questions.
Extra donations pouring in after Hurricane Katrina bumped the Humane Society from a Level 3 to a Level 2 merchant a few weeks after Magda came on board. Level 2 merchants don't have to hire a third party from the pool of 150 PCI Qualified Security Assessors (QSAs) for their annual assessments, as Level 1 retailers must. But the organization still needed help with the report and the quarterly scans.
Magda turned to QualysGuard PCI compliance tools, which enable her to submit the annual self-assessments online. QualysGuard also conducts the quarterly scans and submits six-page scan reports directly to her merchant bank and American Express once she reviews a report and enters her bank's merchant identification.
For Level 1 merchants, the 270-question annual assessments will remain. They also must have their quarterly scans conducted by one of the 124 PCI DSS Approved Scanning Vendors (ASVs). But the process should never again be as painful as the first time for the 77 percent of Level 1 merchants that have already gone through the initial assessment.
Maverik, for example, has done the hard work of identifying where protected data traverses the network and putting manageable controls around those data sets. Systems touching sensitive data are now monitored all the way out to the Windows-based point-of-sale controllers at its store locations, using TriGeo's Security Information Management product, which includes log management and audit reporting.
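The two pieces of work described above, finding where card numbers actually show up (L5's "x-ing out" of POS data and Maverik's mapping of where protected data traverses the network), come down to a small amount of code. The block below is an added example, not Maverik's, TriGeo's or any vendor's code: it scans constructed POS-style log lines for primary account numbers (PANs) using a digit-run regex filtered by the Luhn check to drop order numbers and phone numbers, then masks each hit to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log lines and the card numbers (standard test numbers) are made up for the example; masking for display is not a substitute for encrypting stored PAN.

```python
import re

# Candidate PAN: a run of 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to other digits (so a 20-digit trace ID
# is not chopped into a "card number").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from any real POS system). Line 1 and 2
# carry valid test PANs; line 3 carries a 16-digit order reference that fails
# Luhn and a 10-digit phone number; line 4 carries a 20-digit trace ID.
SAMPLE_LOG = """\
2007-11-02 09:14:03 POS-0183 sale approved pan=4111111111111111 exp=0909 amt=42.17
2007-11-02 09:14:05 POS-0183 sale approved pan=5555 5555 5555 4444 amt=12.00
2007-11-02 09:15:11 POS-0183 order ref=1234567890123456 customer phone 8015550142
2007-11-02 09:15:12 POS-0183 trace id=12345678901234567890 heartbeat ok
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_span(span: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN in place, keeping separators and only the allowed digits."""
    n_digits = sum(c.isdigit() for c in span)
    out, seen = [], 0
    for c in span:
        if c.isdigit():
            visible = seen < keep_first or seen >= n_digits - keep_last
            out.append(c if visible else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> str:
    """Replace every detected PAN with its masked form; works from the end
    so earlier offsets stay valid while the string is rewritten."""
    for start, end, _ in reversed(find_pans(text)):
        text = text[:start] + mask_span(text[start:end]) + text[end:]
    return text


if __name__ == "__main__":
    for _, _, pan in find_pans(SAMPLE_LOG):
        print("found PAN:", mask_span(pan))
    print(redact(SAMPLE_LOG))
```

Run against a real log directory, the `find_pans` output is the inventory of where PANs are leaking in the clear, which is the list a QSA will ask for; `redact` is what a log-forwarding agent should apply before lines leave the POS controller. The Luhn filter is what keeps the order reference and the phone number on line 3 out of the findings.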
Because Level 1 retailers are required to use both a QSA and an ASV, they're starting to turn to vendors that can provide both services. Maverik switched to a larger approved assessor, Trustwave, a PCI DSS compliance services provider based in Chicago, which conducts the annual assessments and also runs the quarterly scans and reports with its TrustKeeper product, which is on the approved scanner list.
Kristofer Laxdal, director of information security and IT service management for Hudson's Bay Company, a Canada-based department store chain, also ran into inadequacies with his first QSA, recounting how his assessor didn't include store visits or examine business processes thoroughly.
“We inherently knew that we needed to take it to the next level and get someone in here who would evaluate the system from the point the credit card leaves the customer's hand until it's no longer in our system,” he says.
More training for QSAs is on Russo's agenda for the PCI Security Standards Council next year. For now, pre-qualified QSAs take a half-day course and pass a written test to earn their certifications. Controlling exactly how the assessments are done, however, isn't possible, says Russo, given that the QSAs come in all sizes and specialty backgrounds.
“Some smaller assessors are hungrier and will work harder for the dollar,” he says. “But you have to weigh that against the experience of the larger assessment companies.”
Laxdal's organization selected Internet Security Systems (now part of IBM) as its QSA and ASV, after reviews and recommendations from NSS Labs, which certifies PCI compliance products. He also decided the organization would be best served if it used ISS as its managed security services provider. As a result, Laxdal can get a security snapshot through his ISS dashboard while also meeting PCI audit requirements.
Looking ahead, Laxdal says he expects more security complications at retail locations. He points to an interactive window projection system called the Everywhere Interactive Display. With it, customers can touch parts of the window to get their pictures taken and captured in the display, and even email them to friends.
RFID and wireless are already common at store locations, says Richard Rushing, CSO for AirDefense, which performs continuous monitoring of wireless networks for traffic and configuration violations. “One need only pick up an RFID reader and it has all your store information on it,” he says.