For many companies that process credit card data, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are all too familiar. But should companies that do not process credit cards implement the same data security restrictions?
Today there is a veritable alphabet soup of data security standards to which companies can adhere, but because of its prescriptive nature, PCI DSS is catching on as a viable option even for companies that do not take credit cards, experts agree. For example, rather than simply requiring that a firewall be in place, PCI DSS spells out what the firewall configuration must include and how it is to be maintained.

PCI DSS is primarily a contractual agreement between the major credit card brands and enterprises that accept and process credit cards. The standard, defined by the Payment Card Industry Security Standards Council, was put in place as a means of ensuring that cardholder data is protected.
Open to breach
In addition to aging hardware, some companies are still using older data security practices that can be breached easily. Even the cloud infrastructure of Amazon S3 – the online shopping giant's storage web service – had a backdoor that was breached, Hall says. It was fixed soon after.
Experts agree that implementing a proper risk management plan can help organizations better understand IT security priorities. But, at the same time, tighter budgets are forcing CISOs to squeeze more efficiencies out of a company's security infrastructure. By basing IT security plans on standards like those from the PCI Council, CISOs can go a long way in building a stable foundation for a strong security posture that also accounts for still lingering, industry-wide belt-tightening, say experts.
Hall is a big supporter of standards in general and PCI in particular. “The PCI standards were not developed in a vacuum,” he says in a post on his blog PCI Guru. “They are a consolidation of a lot of other security standards and guidance gained through root cause analysis of security incidents gathered over the years with the express purpose of protecting cardholder data.”
Shawn Chaput, chief architect and executive consultant at Privity Systems, a Vancouver, British Columbia-based management consulting company, agrees that PCI DSS can help companies protect noncredit card data. Companies that are involved in or considering mergers and acquisitions, as well as those with intellectual property or confidential sales leads and human resource data, should consider protecting their information with more than just minimal data security techniques, he says.
But for some, implementing the PCI standard will provide only a minimal data security framework. Some companies should consider more stringent security measures if their risk assessment indicates greater security is required, experts say.
For companies that are not required to implement PCI DSS, the standard's encryption requirements are one area where savings can be realized, Chaput says: encryption can be expensive, he admits, so many companies, especially smaller ones, might choose to pass on it.

There are other advantages to compliance, however. Companies that provide services to enterprises that fall under the PCI DSS requirements might well choose this route for its marketing benefit, says Chaput. He knows of a Canadian company that does processing for a large bank, but does not handle any credit card data, and has nonetheless implemented the PCI standard. Although it is not required to do so, the company now markets itself as a PCI-compliant data processor for banks, hoping that its adherence to the standard will build its business by attracting companies that must follow compliance mandates.
Get in step
Anton Chuvakin, principal at San Francisco-based Security Warrior Consulting, and the author of several books on data security, says PCI already is the leading data security standard based on the sheer number of companies that accept and process credit cards. While other standards and mandates – such as the ISO/IEC 27000 series, the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology guidance that implements it, and the requirements tied to federal laws such as the Sarbanes-Oxley Act of 2002 or the Health Insurance Portability and Accountability Act (HIPAA) of 1996 – play an important role in setting minimum levels of data security, none is as prescriptive as PCI DSS, he says.

Small companies without their own full-time data security staffs will benefit from the specifics of the standard, which details not only what needs to be done to comply but also prescribes how to do it, Chuvakin says. There are many security procedures that smaller companies should carry out but choose not to, often because they either do not know how or do not have the budget. PCI DSS provides them with a roadmap to effective, industry-accepted security procedures that will improve their data security, Chuvakin says.
Selling the value
The challenge for small and midsize businesses is that many do not understand what needs to be done to be compliant, do not know how to implement what they do know, and do not have the IT and security budgets to do the job effectively and efficiently. Nor is data security a static process: it is constantly in flux, shifting with the ingenuity of those trying to steal what a company possesses.
Security best practices from just a few years ago are today becoming mandated by law or written into standards, says Greg Bell, global information protection and security lead partner at KPMG in Atlanta. Companies that are required by their contractual agreements to employ PCI DSS have tools to do so, but those that are not required to comply gain a proactive framework for data security that can enhance their business operations.

Although PCI DSS is designed to protect specific types of credit card data across global networks, the same policies and procedures can safeguard employee, customer or supply chain information, intellectual property or medical records just as effectively for companies that do not handle credit cards, Bell says.
“Most mature organizations have a foundation of blocking and tackling in place [for data security],” he says. The piece that is often missing is a plan of action that spells out who does what when a breach or other data loss occurs. That, he says, is the chief benefit of the PCI standard.

As companies try to do more with less – such as fewer staff members doing more work across multiple disciplines – many are starting to migrate to more prescriptive security measures. There is no one-size-fits-all for data security, Bell says. One has to build a foundation appropriate for each company.
From the inside
Bell recommends that companies considering using PCI DSS understand their risks and the various vectors from which the risks might arise. Not all risk is due to criminals and hackers, he says. In some cases, the threat could come from employees, partners or perhaps even something as innocuous as a reconfigured server. “Risks are changing faster than the standards,” he says.
So where does that leave an enterprise wanting to adopt some PCI edicts? Emily Mossburg, a principal in the security and privacy practice of Deloitte & Touche, says smaller companies that don't have full-time data security staffs still can benefit from taking advantage of PCI DSS.
Mossburg recommends that all companies employ at least some minimal aspects of the standards. For example, she says it is important to install and maintain a firewall configuration that protects confidential information while blocking attacks from the web. Not all data needs to be on the company's primary network, she says. A segmented network can be used to protect PII and IP. Access control lists also can secure corporate data. While acknowledging the value of the standard, she says companies should consider the kinds of data they transmit before committing to an expensive data encryption program.
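The segmentation Mossburg describes is only as good as the order and scope of the firewall rules that enforce it, and the usual failure is not a missing rule but a broad "allow" that fires before the segment's "deny". The following is an added example, not code from the article or from any of the firms quoted in it: a small first-match firewall model plus an audit routine that probes whether untrusted sources can reach a segment holding PII or intellectual property. All addresses, zone names and rulesets are constructed for illustration.

```python
"""Added example: checking that a PII/IP network segment is actually isolated.

The addressing, rules and probe hosts below are constructed assumptions for
illustration; they are not taken from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption): a protected segment for HR records,
# customer PII and source code; a general corporate range; one application
# server that is the only host allowed to query the database in the segment.
PII_SEGMENT = "10.99.0.0/24"
CORPORATE = "10.10.0.0/16"
APP_SERVER = "10.10.1.10"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR (a bare address means /32)
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port, None = any port
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; if nothing matches the packet is dropped (default deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


# Probe sources that must never reach the protected segment (constructed):
# an internet host from the TEST-NET-3 documentation range and an ordinary
# corporate desktop. Ports are the ones that matter for a data store.
UNTRUSTED_SOURCES = {"internet": "203.0.113.7", "workstation": "10.10.77.23"}
SENSITIVE_PORTS = (22, 445, 1433, 3306, 5432)


def audit_segmentation(rules: List[Rule], protected: str = PII_SEGMENT) -> List[Tuple[str, int]]:
    """Return every (untrusted source, port) pair that the ruleset lets into the segment."""
    target = str(ip_network(protected)[10])   # any host inside the segment will do
    findings = []
    for name, src in UNTRUSTED_SOURCES.items():
        for port in SENSITIVE_PORTS:
            if evaluate(rules, src, target, port) == "allow":
                findings.append((name, port))
    return findings


# 1. Flat network: one permissive rule, nothing is segmented.
FLAT = [Rule(ANY, ANY, None, "allow")]

# 2. Misordered: the deny for the segment exists, but the broad corporate
#    allow is evaluated first, so internal hosts never reach the deny.
MISORDERED = [
    Rule(CORPORATE, ANY, None, "allow"),
    Rule(APP_SERVER, PII_SEGMENT, 5432, "allow"),
    Rule(ANY, PII_SEGMENT, None, "deny"),
]

# 3. Segmented: the one specific allow comes first, then an explicit deny
#    covering the whole segment, and only then the general corporate rule.
SEGMENTED = [
    Rule(APP_SERVER, PII_SEGMENT, 5432, "allow"),
    Rule(ANY, PII_SEGMENT, None, "deny"),
    Rule(CORPORATE, ANY, None, "allow"),
]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("misordered", MISORDERED), ("segmented", SEGMENTED)):
        print(f"{name:10s} exposures: {audit_segmentation(rules)}")
    print("app server -> db:5432 under SEGMENTED:",
          evaluate(SEGMENTED, APP_SERVER, "10.99.0.10", 5432))
```

Run it and the flat ruleset reports every probe on every port, the misordered one reports the corporate workstation reaching the segment on all five ports even though a deny is present, and the segmented ruleset reports nothing while still letting the application server through on 5432 alone. The same probe-and-evaluate loop can be pointed at an exported ruleset from a real firewall once a parser for that vendor's format is written; the point is that segmentation should be verified from the attacker's side of the rule, not assumed from the presence of a deny line.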