PCI DSS can benefit even those companies not processing credit card transactions, reports Stephen Lawton.
For many companies that process credit card data, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are all too familiar. But should companies that do not process credit cards implement the same data security restrictions?
Today there is a veritable alphabet soup of data security standards to which companies can adhere, but because of its prescriptive nature, PCI DSS seems to be catching on as a viable option for companies that do not take credit cards, experts agree. For example, rather than simply stating that a firewall for web applications needs to be in place, PCI DSS describes in detail exactly what is required and how to configure it.
PCI DSS is primarily a contractual agreement between the major credit card companies and enterprises that accept and process credit cards. The standard, defined by the Payment Card Industry Security Standards Council, was put in place as a means of ensuring that personally identifiable information (PII) is protected.
However, some experts argue that PCI should be adopted as a best practice by those not required to comply with the standard. “PCI DSS requires you to continue to monitor [your network],” says Deven Bhatt, CISO in the Washington, DC office of Wright Express, a provider of payment processing and information management services. “It's not a project with a start and end date.”
Unlike other standards mandating technology usage – such as ISO 27001, which often uses vague language, such as “appropriate” – PCI DSS is far more specific and not open to “user interpretation,” Bhatt says. Even small or midsize companies that do not process credit cards should consider implementing PCI DSS, he says, because “even small companies have PII.”
Ensuring compliance with the standard can be done in two ways.
A qualified security assessor (QSA), who has been certified by the PCI Council as qualified to assess compliance with PCI DSS, can inspect a company and either certify it or deny certification. For smaller companies, self-certification is an option. For this, a checklist is used to ensure that all of the key components of the standard have been implemented.
However, Frank Kenisky, a San Antonio-based data security consultant and a former CISO, cautions that a self-analysis is sometimes inadequate. Checklist-based analysis of security is not appropriate for an ongoing process, such as protecting corporate data, he says. A checklist might provide basic information, but it does not take into consideration wider-ranging issues about protecting data, including ensuring that the auditing of the security system is done separately from the team that is responsible for the data security itself. “The checklist mentality treats a business like a board game,” he says.
But steps must be taken to ensure data is protected. Jeff Hall, a director at consultancy RSM McGladrey, says companies should consider PCI DSS as a viable data security foundation, regardless of the kind of data they are protecting. Instead of thinking of cardholder data, just substitute PII or other company-confidential information, he says, adding that virtually every company has some type of confidential assets, be it human resources, financial, trade secrets or a myriad of other data sets, such as Social Security or driver's license numbers.
Much of today's data is attainable on the web, he says. “We make everything so searchable, [even] cretins can search for anything.”
Among the information often searched for by ill-intentioned people is personal and company confidential data, he says. “Competitive information and intellectual property (IP) are as important as PII.” In some companies, he says, IP is siphoned off the server by thieves as soon as it gets there.
Companies of all sizes need to make better decisions about who has access to data, Hall says. If companies make information too accessible or keep PII on servers when it should be archived or destroyed, then they are taking a much greater risk than necessary. Just because a company can do something – like keep data accessible on networked servers – it doesn't mean it should, Hall says.
But when it comes to implementing precautions, such as those outlined in PCI DSS, many companies balk because they fear the added costs. “It costs a fortune to get the [appropriate] infrastructure in place,” he says.
Open to breach
In addition to aging hardware, some companies are still using older data security practices that can be breached easily. Even the cloud infrastructure of Amazon S3 – the online shopping giant's storage web service – had a backdoor that was breached, Hall says. It was fixed soon after.
Experts agree that implementing a proper risk management plan can help organizations better understand IT security priorities. But, at the same time, tighter budgets are forcing CISOs to squeeze more efficiencies out of a company's security infrastructure. By basing IT security plans on standards like those from the PCI Council, CISOs can go a long way in building a stable foundation for a strong security posture that also accounts for still-lingering, industry-wide belt-tightening, say experts.
Hall is a big supporter of standards in general and PCI in particular. “The PCI standards were not developed in a vacuum,” he says in a post on his blog PCI Guru. “They are a consolidation of a lot of other security standards and guidance gained through root cause analysis of security incidents gathered over the years with the express purpose of protecting cardholder data.”
Shawn Chaput, chief architect and executive consultant at Privity Systems, a Vancouver, British Columbia-based management consulting company, agrees that PCI DSS can help companies protect non-credit card data. Companies that are involved in or considering mergers and acquisitions, as well as those with intellectual property or confidential sales leads and human resource data, should consider protecting their information with more than just minimal data security techniques, he says.
But for some, implementing the PCI standard will provide only a minimal data security framework. Some companies should consider more stringent security measures if their risk assessment indicates greater security is required, experts say.
For companies not required to implement PCI DSS, its encryption portion might be one area where savings can be realized, Chaput says. Although, he admits, encryption can be expensive, so many companies, especially smaller ones, might pass on it.
However, there are other advantages to compliance. Companies that provide services to enterprises that fall under the PCI DSS requirements might well choose this route for a marketing benefit, says Chaput. He knows of a Canadian company that does processing for a large bank but does not handle any credit card data, and that has nonetheless implemented the PCI standard for its own operations. Although it is not required to do so, the company now markets itself as a PCI-compliant data processor for banks, hoping that its adherence to the standard will build its business by attracting companies that must follow compliance mandates.
Get in step
Anton Chuvakin, principal at San Francisco-based Security Warrior Consulting, and the author of several books on data security, says PCI already is the leading data security standard based on the sheer number of companies that accept and process credit cards. While other standards – such as ISO 2700x, the National Institute of Standards and Technology's Federal Information Security Management Act (FISMA) and other mandates associated with federal regulations, such as the Sarbanes-Oxley Act of 2002 or the Health Insurance Portability and Accountability Act (HIPAA) of 1996 – play an important role in setting minimum levels of data security, none are as prescriptive as PCI DSS, he says.
Small companies without their own full-time data security staffs will benefit from the specifics of the standard, which details not only what needs to be done to comply but also prescribes how to do it, Chuvakin says. There are a lot of security procedures that smaller companies should do, but instead choose not to, often because they either do not know how to do it or do not have the budget. PCI DSS provides them with a roadmap to effective and industry-accepted security procedures that will improve their data security, Chuvakin says.
Selling the value
The challenge for small and midsize businesses is that many do not necessarily understand what needs to be done to be compliant, they do not know how to implement what they do know and they do not have the IT and security budgets to do the job effectively and efficiently. As well, data security is hardly a static process, but rather one that is constantly in flux, depending on the whims and cleverness of those trying to steal what a company possesses.
Security best practices from just a few years ago are today becoming mandated by law or part of standards, says Greg Bell, global information protection and security lead partner at KPMG in Atlanta. Companies that are required by their contractual agreement to employ PCI DSS have tools to do so, but those that are not required to comply have a proactive framework for data security that can enhance their business operations.
Although PCI is designed to protect specific types of credit card data across global networks, the same policies and procedures can safeguard employee, customer or supply chain information, intellectual property or medical records just as efficiently for companies that do not use credit cards, Bell says.
“Most mature organizations have a foundation of blocking and tackling in place [for data security],” he says. The piece that is often missing is a plan of action that explains who does what when a breach or other data loss occurs. That, he says, is the chief benefit of the PCI standard.
As companies try to do more with less – such as fewer staff members doing more work across multiple disciplines – many are starting to migrate to more prescriptive security measures. There is no one-size-fits-all for data security, Bell says. One has to build a foundation appropriate for each company.
From the inside
Bell recommends that companies considering using PCI DSS understand their risks and the various vectors from which the risks might arise. Not all risk is due to criminals and hackers, he says. In some cases, the threat could come from employees, partners or perhaps even something as innocuous as a reconfigured server. “Risks are changing faster than the standards,” he says.
So where does that leave an enterprise wanting to adopt some PCI edicts? Emily Mossburg, a principal in the security and privacy practice of Deloitte & Touche, says smaller companies that don't have full-time data security staffs still can benefit from taking advantage of PCI DSS.
Mossburg recommends that all companies employ at least some minimal aspects of the standards. For example, she says it is important to install and maintain a firewall configuration that protects confidential information while blocking attacks from the web. Not all data needs to be on the company's primary network, she says. A segmented network can be used to protect PII and IP. Access control lists also can secure corporate data. While acknowledging the value of the standard, she says companies should consider the kinds of data they transmit before committing to an expensive data encryption program.
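As an added illustration, not from the article or from any of the consultants quoted, the following Python code shows the segmentation and access control list approach Mossburg describes: a separate PII segment, default-deny evaluation, and a check that flags any rule letting an unapproved or unrestricted source reach it. The zones, addresses and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port

# Constructed zones (assumptions for this example, not from the article)
CORPORATE = "10.10.0.0/16"   # general staff workstations
APP_TIER = "10.20.0.0/24"    # application servers
PII_ZONE = "10.30.0.0/24"    # segmented network holding PII and IP
INTERNET = "0.0.0.0/0"

# Weak setting: the whole corporate network may reach the PII segment on any port.
WEAK_RULES = [Rule("allow", CORPORATE, PII_ZONE, None)]

# Corrected setting: only the app tier, only on the database port; everything
# else is denied, including an explicit deny from anywhere.
HARDENED_RULES = [
    Rule("allow", APP_TIER, PII_ZONE, 5432),
    Rule("deny", INTERNET, PII_ZONE, None),
]

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match ACL evaluation; a flow matching no rule is denied by default."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        in_src = s in ip_network(r.src)
        in_dst = d in ip_network(r.dst)
        port_ok = r.port is None or r.port == port
        if in_src and in_dst and port_ok:
            return r.action
    return "deny"

def segmentation_findings(rules: List[Rule], pii_zone: str,
                          approved_sources: List[str]) -> List[str]:
    """Flag allow rules into the PII segment that come from an unapproved
    source network or that are not restricted to a single port."""
    findings = []
    pii = ip_network(pii_zone)
    for r in rules:
        if r.action != "allow" or not ip_network(r.dst).overlaps(pii):
            continue
        src = ip_network(r.src)
        if not any(src.subnet_of(ip_network(a)) for a in approved_sources):
            findings.append(f"allow from {r.src} into PII zone: source not approved")
        if r.port is None:
            findings.append(f"allow from {r.src} into PII zone: not port-restricted")
    return findings
```

Running `segmentation_findings` over a real ruleset export is the kind of repeatable check that turns the standard's segmentation requirement into something auditable rather than a one-time checklist item.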