by: Martin Pladgeman
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was created as a set of requirements for companies that process, store, or transmit credit card data, so that merchants can adopt a single set of security measures approved by all of the credit card brands.
The PCI Security Standards Council develops and maintains the standard. Enforcement of the compliance programs and penalties is established by each individual payment brand.
When evaluating solutions for PCI compliance, companies should consult auditors and look for products that offer complete PCI coverage, so that they are prepared for changes in the standard.
PCI also contains ongoing validation requirements. The most comprehensive requirements include three levels of validation:
1. On-site security audit
2. Self-assessment questionnaire
3. Network scan
The level of validation required, and the frequency of validation efforts, depends upon risk and transaction or account volume.
The Real Cost of a Data Security Breach
A data security breach can cost a company an average of $182 per compromised record in legal fees and other expenses. That does not include the cost of a damaged reputation, lost competitive advantage, customers lost because of the breach, and the cost of litigation if a lawsuit is filed. Merchants that store cardholder data also have to worry about potential fines for non-compliance and the threat of increased transaction fees.
Here are a few examples of recent major breaches in the retail industry.
TJX
45.6 million credit and debit card numbers were stolen.
DSW Shoe Warehouse
Compromised credit card numbers for about 1.4 million customers and driver’s license information of about 96,000 customers.
Card Systems
Compromised information for 40 million credit card holders.
Marriott International
Compromised credit card information and Social Security numbers of 206,000 customers and employees.
Polo Ralph Lauren
Compromised the credit card information of 180,000 customers.
Sam’s Club/Wal-Mart
Credit card data belonging to an unspecified number of customers was exposed.
PCI Requirements Becoming Laws
In May 2007, Minnesota became the first state to write PCI requirements into state law: any company that experiences a data security breach must reimburse banks for the costs they incur in blocking and issuing new cards.
12 Steps for PCI Compliance
Below is a list of the 12 requirements of the PCI DSS.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
Merchant and Service Provider Levels and Compliance
Merchant Level Compliance
1. Level 1: Merchants with more than 6 million credit card transactions annually across all channels, including e-commerce.
Compliance: Annual onsite PCI data security assessment and quarterly network scans.
2. Level 2: Merchants with between 1 and 6 million credit card transactions annually.
Compliance: Annual self-assessment and quarterly network scans.
3. Level 3: Merchants with between 20,000 and 1,000,000 credit card e-commerce transactions annually.
Compliance: Same as Level 2 merchants.
4. Level 4: Merchants with fewer than 20,000 credit card e-commerce transactions annually.
Compliance: Annual self-assessment and annual network scans.
Service Provider Levels
1. Level 1: All processors and all payment gateways.
Compliance: Annual onsite PCI data security assessment and quarterly network scans.
2. Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1 million credit card accounts/transactions annually.
Compliance: Same as Level 1 service providers.
3. Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 credit card accounts/transactions annually.
Compliance: Annual self-assessment questionnaire and quarterly network scans.
PCI DSS Changes
The PCI Security Standards were updated to address questions about implementation, including:
• Hosting provider requirements
• New requirement that malicious software, such as spyware and adware, be covered by anti-virus capabilities.
• Requirement for application code review or an application firewall.
• Requirement for a policy to manage connected entities.
• Appendix A – PCI DSS Applicability for hosting providers.
• Appendix B – Compensating controls.
Visit the standards site [http://www.pcisecuritystandards.org/pdfs/pci_summary_of_pci_dss_changes_v1-1.pdf] for more information.
Deadlines/Penalties
The deadline for PCI Compliance has passed. Visa estimates that just 36 percent of Level 1 merchants and 15 percent of Level 2 merchants have complied with PCI.
Effective October 1, 2007, acquirers whose transactions qualify for lower interchange rates must ensure that the merchants generating the transactions are PCI compliant in order to receive this benefit.
In 2006, Visa levied $4.6 million in fines on non-compliant companies, up from a 2005 total of $3.4 million. Source: VISA [http://usa.visa.com/about_visa/press_resources/news/press_releases/nr367.html]
A closer look at protecting stored data
Just one compromised backup tape can cost a company its reputation, its competitive advantage, and thousands in fines. There is also the cost to notify customers, the cost of fielding the many calls asking how and why the breach happened, the cost of business lost as a result of the breach, and so on.
BOSaNOVA’s Q3 storage encryption appliance hardware is one option for securing your backup data. For more information on the Q3, contact BOSaNOVA [http://www.theq3.com/] or email info@theq3.com.
About The Author
Martin Pladgeman is President of BOSaNOVA, a leading provider of security solutions, thin clients and network appliances. Their newest solution, the Q3, is a storage encryption appliance that provides complete security for data at rest. For more information, visit http://www.theq3.com or email info@theq3.com. Detailed information on BOSaNOVA Thin Clients and iSeries Connectivity Solutions can be found online at http://www.bosanova.net.