September 2006 - PCI Security

PCI Security: Reducing Risk, Building Trust
Attaining PCI compliance and securing customer information isn’t a mysterious science. These straightforward tips will help you get there.

By Terry Ramos

There is little doubt that the ongoing announcements of data breaches involving consumer personal financial and credit card information have taken a toll on the growth of both e-commerce and the bottom line of online merchants. Just last year, Forrester Research reported that roughly 30 percent of online consumers refuse to make online purchases, and 50 percent of these potential shoppers cite security concerns and not wanting to divulge credit card information as reasons why.

The direct cost of data breaches for all companies also can be steep. A recent survey by the Computer Security Institute and the FBI revealed that the average data security breach costs a company $380,000. The Payment Card Industry (PCI) Data Security Standard program, led by MasterCard, Visa and all of the major credit card companies, is a commendable effort to help educate merchants about security, and penalize those who hurt the entire industry with lax security efforts that could lead to the theft of cardholder information.

The stakes for anyone selling on the Internet are high and for pure-play electronic retailers, they can be catastrophic. All it takes is a single breach and the damage to a merchant’s brand is irreparable. While those costs caused by lost sales and trust are heavy, so are the potential fines and penalties associated with non-compliance. According to PCI rules, any company found out of compliance faces penalties as high as $500,000 for each incident in which cardholder data is compromised. Also, the card associations may revoke the credit card processing capabilities of non-complying companies.

The requirements for each merchant covered by the standard are tiered, based on annual transaction volume. For example, a retailer that conducts more than 6 million transactions annually, or any merchant that has suffered an account compromise, must undergo an on-site PCI security assessment every year, as well as quarterly network security scans. A merchant that processes fewer than 20,000 transactions annually needs to complete an annual PCI self-assessment questionnaire, along with quarterly scans. In both cases, the vulnerability scans must be conducted by a PCI-approved scanning vendor (ASV). More details on the standard and requirements are available at: (choose the “Small Business and Merchants” option, then select “Operations and Risk Management” under “Merchants Accepting Visa”).

Currently, the standards consist of 12 key requirements, each of which contain multiple subcategories that also must be achieved. Here’s an overview of the requirements:

  1. Use and properly maintain firewalls to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords (such as username admin, password admin) or for other security parameters.
  3. Protect stored cardholder data, and enforce a data retention and disposal policy.
  4. Encrypt all cardholder data and sensitive information when transmitting across public networks.
  5. Use anti-virus software and keep it up to date.
  6. Develop and maintain secure systems and applications (such as applying the latest security patches).
  7. Provide only need-to-know access to protected information.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor access to network resources and cardholder data.
  11. Test all security systems and processes regularly.
  12. Develop and maintain an IT security policy.

Source: Visa

Electronic Merchant IT Security Tips

  • Conduct periodic vulnerability scans, no less than once a month.
  • Scan systems after every change, such as a network configuration change or the deployment of a new application.
  • Change passwords every 60 to 90 days.
  • Never leave default manufacturer passwords in place when configuring network devices.
  • Identify everywhere that critical customer information is stored, and pay careful attention to securing those locations.
  • Make certain all remote connections to your network go through a virtual private network, and that the systems on the other side are secure as well.
  • Encrypt all credit card and other sensitive customer information at rest.
  • Test and verify all of your security systems and procedures through annual third-party penetration tests against your infrastructure.

It doesn’t matter how many employees you have, what your annual revenue is, or the number of transactions you conduct annually. No matter what size retailer you happen to be, it’s critical that you view the 12 requirements not as a checklist, but as a viable roadmap to a risk management program. The strategy is to continuously identify all of your IT assets (networks, applications, databases) and their associated vulnerabilities. The next step is to systematically reduce the risks of attack by eliminating the vulnerabilities.

Here’s how to get the job done:

  • Identify all of your servers, systems, and databases that handle any cardholder information.
  • Be sure that you also spot all of the computers and networks that connect to your organization’s website or servers. These can include network connections from partners, or even the systems of remote employees. It’s a good idea to keep these types of connections to a minimum, as they can be used as launch pads for attack. And be sure to keep these systems secure with higher levels of access controls, encryption and application of software patches.
  • Consider additional areas such as auditing of access to cardholder information. PCI is crafted to protect the entire life cycle of cardholder data, from its collection through its processing and ongoing maintenance. You need to ensure that you have the internal tools in place to log all access to this information, and that you can adequately audit who handled what cardholder information, what they did with it, and when.
  • The vast majority of successful attacks are launched against systems that were not patched with the latest security updates. That’s why a core defense against both network and application security threats is the consistent use of vulnerability scanners from a PCI-approved scanning vendor, which can identify all of the applications and devices on your network, spot the vulnerabilities that expose you to attack, and provide easy-to-implement remediation information. A list of approved vendors is available at

Attaining heightened security and protecting cardholder information is reached by focusing on consistently maintaining the overall security of your business. That’s the essence of the PCI Data Security Standard. And it’s critical that we all do our part to keep security breaches to a minimum. Only then can e-commerce reach its full potential.

Terry Ramos is director of strategic development for Qualys, a leading provider of on-demand vulnerability management and policy compliance solutions. He can be reached at (650) 801-6104, or via e-mail at [email protected].

