Groupware CommunITy, brought to you by Groupware Technology

O'Reilly Media

Why PCI Compliance Matters

Imagine life before payment card processing, where checks and cash were the normal ways to do business. Yet as a simple swipe of plastic offers convenience for both merchants and customers, it also opens the possibility for misuse and accidents. A few well-publicized security breaches reveal that even large companies who take information security seriously may not be guarding their customer information sufficiently.

No business wants to think that its data is insecure. Everyone wants to believe that they store customer information wisely, and that they face few risks of data breaches. Yet the risk of losing control of customer information to hostile attackers or by accident is steep; in the event of a security problem, your business may be liable for damages for each customer affected, as well as the expense and hassle of time-consuming and painful audits.

These risks are real and so are the penalties.

The Payment Card Industry formed the Security Standards Council to address these issues. The result is the September 2007 Data Security Standard version 1.1, or PCI DSS 1.1. The standard lays out the minimum security protocols to which a merchant must adhere to protect customer data. To learn more about the standard, see About the PCI DSS from the PCI Security Standards Council.

The DSS provides reasonable base policies which make good business sense to implement. Adopting these policies can help you improve your overall data security. Adopting these policies is also a condition of your business relationship with payment card organizations. Compliance is not voluntary; it is a requirement for all businesses which accept payment cards. If you are not yet PCI compliant, your business faces risks both in its data security policies and in its contractual obligations.

When you first look over the standard, it may seem to apply mainly to large companies which possess large computer networks. Though such organizations have different security needs than small businesses, compliance is necessary for both types of businesses. PSC's 10 Myths about PCI Compliance (PDF link) observes that brick-and-mortar institutions relying on POS devices are often at higher risk of non-compliance than are businesses relying on e-commerce systems.

At its heart, each protocol embodies a single principle: store the minimal necessary payment card information and protect it appropriately. Storage and protection are conjoined facets of PCI data security. Together they form interlocking dual levels of protection for your customers--and your business.

Storing Payment Card Information

Every payment card contains several elements of data, each of which fits into two categories: sensitive authentication data and cardholder information.

Sensitive authentication data includes the magnetic stripe data, the CVC2/CVV2/CID code, and the PIN or PIN block. You may not store authentication data after authorizing a transaction.

Cardholder information includes the cardholder's name, the primary account number (or PAN), the service code, and the expiration date of the card. You may store cardholder information after authorizing a transaction. However, if you do store cardholder information, you must encrypt it not only while storing it but when transmitting it across public networks, including the Internet and wireless networks.

If you display the PAN anywhere, including on receipts, you may display at most the first six digits and the final four. Of course, you must also follow relevant privacy laws, which may be stricter about which data you can and cannot store or display. For example, local regulations may allow you to display only the final four digits.
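As an added example (not part of the original article), the following Python masks a PAN for display under the rule just described, with a stricter "last four only" mode for jurisdictions that require it, and includes an audit helper that flags unmasked PANs in a receipt or log line. The regex, function names and the sample line are assumptions; the card number in the sample is a constructed test value.

```python
import re

# A PAN is 13 to 19 digits; this pattern matches an unbroken run of them.
# Assumption: PANs in the text are not split by spaces or dashes.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str, mode: str = "pci") -> str:
    """Return the PAN with only the permitted digits visible.

    mode="pci"   -> first six and last four visible (the PCI DSS maximum)
    mode="last4" -> only the last four visible (stricter local rule)
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    if mode == "pci":
        keep_front = 6
    elif mode == "last4":
        keep_front = 0
    else:
        raise ValueError("unknown masking mode")
    hidden = len(digits) - keep_front - 4
    return digits[:keep_front] + "*" * hidden + digits[-4:]


def redact_line(line: str, mode: str = "pci") -> str:
    """Mask every full PAN in a free-text line (receipt template, report,
    application log line) so the line itself can be stored or displayed."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0), mode), line)


def find_unmasked_pans(line: str) -> list:
    """Audit check: list full PANs that appear unmasked in a line. Useful when
    reviewing the logs and reports the article says must not carry them."""
    return PAN_RE.findall(line)


# Constructed sample receipt line; 4111111111111111 is a test number, not a
# real card. The six-digit authorization code is too short to be a PAN.
SAMPLE = "Card 4111111111111111 approved, auth 012345"

if __name__ == "__main__":
    print(redact_line(SAMPLE))            # Card 411111******1111 approved, ...
    print(redact_line(SAMPLE, "last4"))   # Card ************1111 approved, ...
    print(find_unmasked_pans(SAMPLE))     # ['4111111111111111']
```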

Protecting Access to Data

The other half of the principle is to limit access to the stored information to the necessary people. These access controls are only partially technical; some portions require sensible business policies and human oversight. In particular, only those employees who need to access stored information as a direct part of their duties should even have access at all. Non-employees should obviously not have access, but employees with job responsibilities completely unconnected to dealing with customers or card agencies should not even have physical access to servers containing stored data.

For example, you must be able to distinguish between your organization's employees and visitors in areas where cardholder data may be available. This means that you must monitor physical access to machines which store this data as well as any network to which these machines connect. Physical access also covers hard copies and external media which contain secured information--faxes and reports, removable hard drives, and other machines. As with other sensitive information, proper disposal of data is important. The protocols suggest shredding of paper documents and electronic shredding of digital information.

Limiting access to the right people isn't enough, though. You also need to keep good logs on who accesses which data so that you can audit these access procedures. Users must authenticate themselves with unique usernames as well as secure passwords--not just for workers whose jobs require them to use cardholder information, but for workers whose roles require them to access systems which contain cardholder information. This includes system and database administrators as well as other IT roles. The default access level should be no access.

With physical and data access controls in place and enforced, you can log and monitor all access to secure data, including successful and failed accesses. Regular audits and activity logs can help you reconstruct policy breaches as well as identify standard access patterns and irregularities. The PCI security standard requires daily log reviews, with log data available for one year after its creation.

These policies need to be explicit and clear. Not only must you publish your policies to explain the importance of customer data security, but you need to establish procedures to ensure the security of data and effectiveness of your policies--and then execute these procedures appropriately each day as part of normal job responsibilities. Employees and contractors need clearly defined roles with pre-defined access controls, for example, and user accounts must stay up to date with personnel changes.

Your written policies should also include guidelines to deal with security breaches of all severities. Identify possible problems and potential risks and develop policies to mitigate those risks. Test these plans at least once a year.

Penalties for Non-Compliance

Compliance with the DSS is part of your merchant agreement; it is not optional. Nor is partial compliance possible. You are either compliant or you are not. Failure to adhere to standards which apply to your business and situation can result in fines and losing your merchant account.

You cannot predict when a security breach might happen, and if you're not compliant with the standards, you might not recognize that a breach has already occurred. In this case, when your vendor discovers the breach and your non-compliance, you may face financial damages above and beyond any recompense, including fines of $50 to $90 for each affected card. It only takes 20,000 customers to reach a million dollars in fines, and that doesn't count all of the restitution required by individual banks, nor the cost of annual audits of your security and PCI compliance.

Furthermore, the penalty for a breach and non-compliance may be public disclosure of both. Estimating the cost of lost goodwill and negative publicity is much more difficult--and imagine what losing your ability to take payment cards until you achieve verified compliance will cost you.

Self-Assessment

To continue your relationship with your vendor, avoid fines, and improve service and security for your customers, start by reviewing the PCI DSS. It lays out in great detail the steps you need to take to handle payment cards securely. From there, review your compliance with the PCI DSS Self-Assessment Questionnaire. Be aware that wherever you answer "No" to a question, you are not in compliance and must take steps to meet the standard.
