Do More Than The PCI Minimum

No matter what type of business you run, from brick and mortar to virtual online, if you accept credit cards, you MUST keep the information that you gather secure.  This is more than just something that you have to do to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS).  This is something that you OWE to your customers, regardless of regulatory and industry requirements.

It is your responsibility, it is good business practice, and it also makes good sense.

Credit card fraud and misuse costs businesses billions of dollars annually.  The cost per incident may vary, but can typically include:

  • Loss of income from fraudulent transactions
  • Costs of incident investigation and litigation
  • Costs associated with correcting the cause of the breach
  • Costs associated with auditing for further compromise and hardening against recurrence
  • Costs of reissuing cards to customers
  • Loss of reputation, customer confidence and future business
  • Fines imposed by credit card companies
  • Loss of ability to accept credit cards for payment

How much would your business need to pay out under each of these categories if there is a single breach?  Wouldn’t the costs of doing compliance right the first time balance out with the avoidance of that single breach?  Attackers continue to target banks and larger businesses, but are expanding their efforts to include smaller businesses while maintaining their focus on credit and debit card fraud.  You will spend the money to get it right after that first breach, and may never be able to fully recover your reputation, or to regain the assurance that your network has been returned to a clean and secure state.  Once roaches infest a building, it is very difficult to remove them all.  Once a network is compromised, it is never again completely your own.  The defenders of the network and data need to find every potential weakness, every point of entry, in order to properly defend it.  The attackers need only find one.

PCI DSS is probably the most common compliance target.  It provides a minimal benchmark for securing customer credit card data, and was developed in 2004 as a collaborative effort between MasterCard, Visa, American Express, Discover, and JCB International.  Their efforts have produced a standard that includes requirements for security management, policies, procedures, network architecture, and software design, providing directives and guidelines to help organizations of all sizes to prevent credit card data misuse.  All merchants and service providers who store, process and transmit credit card information must perform quarterly self-assessments and vulnerability scans by an Approved Scanning Vendor (ASV), are required to submit periodic updates of their PCI compliance, and are subject to an annual on-site assessment by a third-party Qualified Security Assessor (QSA).  This audit is inclusive of ALL systems, including servers, POS systems, and workstations.  It also now includes the applications and technical measures, as well as the policies and procedures, used in the storing, processing and transmission of credit card and card holder information.

The following information is considered sensitive:

  • Primary Account Number (PAN)
  • Card holder name
  • Service code
  • Expiration date
  • PIN Verification Value (PVV)
  • Security code (3 or 4 digit)

According to the standard, the PVV and the security code that uniquely identifies the card used at the time of the transaction should not be stored by merchants or service providers.  Ever.  The PAN, card holder name, service code and expiration date may be stored.

PCI compliance is not a guarantee of enterprise security.  As stated earlier, compliance with the PCI DSS means that the minimum standard for protecting customer and credit card data has been met at a given point in time.  In November of 2008, payments processor RBS WorldPay was breached, and attackers gained access to an estimated 1.5 million consumer accounts.  In 2009, Heartland Payment Systems disclosed that it had also been breached, exposing an estimated 130 million credit and debit card holders to potential fraud in the largest data compromise reported to date.  Heartland maintained it was PCI compliant, but was removed from Visa’s list of PCI compliant vendors until they could be re-assessed. 

Many organizations will naturally focus their efforts for protecting card holder information on databases.  It’s a good place to start, but it should not be the end of the compliance effort, and compliance with PCI DSS should not be the end goal of the security strategy.  Breaches like the one in 2009 at Citigroup and the repeated breaches at Pfizer have shown that controlling access to, and the sharing of, spreadsheets and documents containing card holder information is also a challenge that needs to be addressed.

Sensitive data is often exported out of databases for analysis, used for market or other research, or imported into other applications.  According to Ventana Research, 42% of enterprises hold customer data in spreadsheets.  It is stored in multiple formats and on various media.  It is important to protect not only the database, but also the file shares and sites that house these documents for collaboration, as well as the media that the data is stored on and transported on.  Organizations need a comprehensive system for finding PCI information wherever it resides, and also for authorization, access control and auditing of all unstructured and semi-structured data stores.
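As an added illustration of the two points above (PAN may be stored but must be protected; the PVV and security code never), this is a small discovery scanner for exported documents. It is example code written for this article, not a product or the PCI Council's own tooling, and the file contents and paths are constructed samples: it finds Luhn-valid card numbers in text and reports them masked, so the findings report itself does not become another copy of the PAN.

```python
import re

# Candidate 13-19 digit runs, allowing the spaces and dashes found in exported spreadsheets.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check used by card numbers; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Render the PAN unreadable in the findings report: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked findings (line number, masked PAN) for every Luhn-valid PAN in `text`."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "masked": mask_pan(digits)})
    return findings

def scan_files(files: dict) -> dict:
    """Scan a mapping of path -> text content and report only the files that contain PANs."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report

# Constructed sample content standing in for documents exported to a file share (not real data).
SAMPLE_FILES = {
    "shares/finance/refunds.csv": (
        "customer,card,amount\n"
        "A. Smith,4111 1111 1111 1111,19.99\n"   # the well-known Visa test number, Luhn-valid
        "B. Jones,4111-1111-1111-1112,5.00\n"    # wrong check digit: not a card number
    ),
    "shares/marketing/notes.txt": "Order ref 1234567890123 shipped.\n",  # 13 digits, fails Luhn
}
```

Running `scan_files(SAMPLE_FILES)` reports only the finance file, with the card number shown as `************1111`; a real deployment would walk the file shares and document libraries rather than an in-memory dictionary.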

Determining what systems and data are within scope of PCI is often problematic, and becomes a matter of interpretation.  To address this, the PCI Security Standards Council has introduced the Internal Security Assessment (ISA) certification credential.  ISA training consists of a four-hour online prerequisite course and exam covering PCI fundamentals, followed by an in-depth, two-day, instructor-led course and exam.  So far, the PCI Council has held eight training sessions globally with more than 210 people participating in the ISA program.  Cost savings from the ISA program can provide huge benefits to most organizations.  It is much cheaper to have internal employees drive PCI compliance than to rely on an external QSA for all of it.  Having an ISA on staff helps the organization hit the ground running, as all the information produced by the ISA is in the format a QSA needs, reducing billable hours at the client site.  Another benefit to organizations comes in terms of leveraging internal expertise.  An ISA is really an internal QSA, and drives PCI compliance for the company while understanding the environment much better than an outsider.  One final benefit is raising awareness of the importance of PCI compliance, and of the compliance effort, within the company.

There are five key principles organizations need to address when seeking PCI compliance:

  • Continual identification of relevant data
  • A process to configure and review logical access controls
  • A process to identify and revoke unnecessary access privileges
  • Proper separation of duties
  • Evidence that these processes are being followed

Many audit regulations now focus on proper access control implementations.  Logical access control objectives are based on the principle of least privilege: access should only be granted to those individuals who require it to perform a specific function.  Wherever data can be read or written within an organization, a data owner or custodian should be designated to make decisions about who gets access, what constitutes acceptable use of the data, and so on.  Decisions about that data should not be left up to IT, who have little organizational context about the data on which to base such decisions.  Data owners and custodians need to be involved in the authorization workflows and reviews for their data.

In order to identify an owner or custodian, IT needs to know who is making use of the data.  Analysing usage over time provides actionable intelligence on the likely data owner.  Most often, one of the active users is the data owner.  If none of the active users is the business owner, they will likely work for the data owner, or know who the data owner is likely to be.  Automation should enable users to request access to data, route the requests to the data owner and other appropriate parties, execute the appropriate actions, and track each request.
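The usage analysis described above, as an added example that is not part of the original article: given file-server audit records (constructed here, with an invented "date user action path" layout), it profiles who uses a share and how often, proposes the most consistently active user as the likely data owner for IT to confirm, and lists users whose access looks incidental as candidates for the owner's revocation review.

```python
from collections import defaultdict
from datetime import date

# Constructed audit records, one per line: "<YYYY-MM-DD> <user> <READ|WRITE> <share path>".
SAMPLE_LOG = """\
2009-03-02 jdoe WRITE /shares/finance/cardholder-exports
2009-03-02 asmith READ /shares/finance/cardholder-exports
2009-03-03 jdoe READ /shares/finance/cardholder-exports
2009-03-04 jdoe WRITE /shares/finance/cardholder-exports
2009-03-04 asmith READ /shares/finance/cardholder-exports
2009-03-05 bkhan READ /shares/finance/cardholder-exports
2009-03-05 svc_backup READ /shares/hr/payroll
"""

def parse_log(text: str) -> list:
    """Parse the records into (day, user, action, path) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, path = line.split()
        records.append((date.fromisoformat(day), user, action, path))
    return records

def usage_profile(records: list, path: str) -> dict:
    """Per user on `path`: total accesses, write count, and the set of distinct active days."""
    profile = defaultdict(lambda: {"accesses": 0, "writes": 0, "days": set()})
    for day, user, action, rec_path in records:
        if rec_path != path:
            continue
        p = profile[user]
        p["accesses"] += 1
        p["writes"] += 1 if action == "WRITE" else 0
        p["days"].add(day)
    return profile

def likely_owner(records: list, path: str) -> str:
    """Rank by distinct active days, then writes, then accesses; the top user is the candidate owner."""
    profile = usage_profile(records, path)
    if not profile:
        return ""                 # nobody has touched the share in this window
    return max(profile, key=lambda u: (len(profile[u]["days"]),
                                       profile[u]["writes"], profile[u]["accesses"]))

def stale_users(records: list, path: str, min_days: int = 2) -> list:
    """Users active on fewer than `min_days` days: candidates for the owner to review and revoke."""
    profile = usage_profile(records, path)
    return sorted(u for u, p in profile.items() if len(p["days"]) < min_days)
```

The ranking is a heuristic to seed the owner conversation, not a decision: the candidate owner still has to be confirmed by the business, and the access-request workflow should then route to that person.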

While all of this activity taken together may seem a totally insurmountable task, there are solutions available to find PCI data, aggregate users and groups, and to gather permissions, access, and content information from directories and file servers.  Sophisticated analytics can then be applied to reveal detailed data usage, misuse, and rightful access based on business need.

Using this intelligence, organizations can:

  • Continually scan for PCI data
  • Identify other sensitive or proprietary information that should be protected
  • Protect data by removing overly permissive access controls
  • Ensure on-going compliance with automated entitlement reviews and authorization workflows
  • Restrict unstructured data access to those with a justifiable business need
  • Automatically update access controls to account for changes in roles and server contents
  • Track and monitor file access for each and every user
  • Alert on behavioural deviations that may signal a possible data breach

Security and compliance responsibility cannot be outsourced or delegated.  You can’t just leave it to someone else to take care of for you.  You can outsource or delegate the tasks associated with planning, implementing and running the operations, but the responsibility and accountability for the data remain with the organization.  The loyalty and trust of your customers should be rewarded by protecting their sensitive information.  A breach affects more than just the person whose account has been drained.  It can affect your business reputation if the breach can be traced back to you.  It will affect the employees that may need to be let go to recoup your losses.  It affects your business partners and the vendors who rely on your business activities.  Compliance is important for every link in the chain; don’t be the weakest link.  Use PCI DSS compliance as a starting point for securing your business, but don’t stop at doing the minimum.