Your Data: Love It or Lose It
As blissful consumers finished their holiday shopping, the
For the better part of 2007,
“We are pleased with the overwhelming response from issuers and appreciate the cooperation
Part of the settlement requires
PCI isn’t impenetrable to hacker attacks and won’t guarantee data protection. It does, however, set a minimum level of protection and assurance for the governance and safeguard of credit card data handled by any organization that accepts credit card payments. While PCI compliance has risen in the wake of the
“If you show this to any security person out there, they’ll tell you that there are no alien concepts in this and it is nothing new,” says Bob Russo, general manager for the PCI Security Standards Council, the payment card industry’s outreach arm. “These are best practices in the industry—not just payment card security, but security in general. Whenever somebody says, ‘This is what you should do,’ there is always pushback.”
While 2007 was a record year for both security breaches and compromised data,
As new deadlines approach and more merchants and retailers fall under PCI’s regulatory scope,
Putting PCI Into Practice
While it is unclear how much it would have cost
PCI isn’t a radical reinvention of security schema; rather, it’s a codification of security best practices, many of which should be used regularly by organizations of any stature. The dozen PCI requirements include such standard security practices as installing and maintaining a firewall, encrypting credit card data when transmitted over public networks, restricting access to sensitive data, routinely testing security measures, and installing and regularly updating antivirus software (see “PCI Toolbox,” p.33).
PCI costs are heavily reliant on the security measures already in place before compliance efforts begin. Gartner estimates that Level 1 merchants—those processing more than six million credit card transactions a year—have spent about $568,000 on average to meet PCI standards (for more on PCI levels, see “PCI’s Big Umbrella,” p.32). Javelin estimates that 30 percent to 40 percent of PCI compliance spending is dedicated to reprocessing and re-engineering a merchant’s security infrastructure and determining where sensitive data is being stored. Documenting compliance efforts and security measures alone consume much of the cost.
“If you have a basic information security program in place, broadly speaking, you’re following what PCI says you ought to be doing, because you’ve got [a set] of good procedures,” says Michael Barrett, chief information security officer at online payment service PayPal, a division of eBay. “Passing PCI is mostly a question of demonstrating compliance. So it’s mostly fishing out documentation and making sure that when your operations people run quarterly scans, they keep those logs so you can later show them to the auditors.”
This was the case for Hughes Network Systems, which acts as a managed-services provider for BP Corp. North America, Blockbuster, Yum! Brands and other major merchant brands. Hughes’ clients demanded the provider adopt PCI standards to ensure their own compliance. Much of Hughes’ security infrastructure was already compliant, but certain tweaks needed to be made with transport encryption over untrusted, public networks, says Matt Kenyon, the company’s senior director of network operations and security.
“From the main front-door security, if you will, it didn’t change much,” Kenyon says. “But PCI has some specific mandates about encryption on the actual transport. So we added some new architectures to put further encryption on top of what we already had, and on our base transport, to get up to spec on compliance.”
Beyond that, the most resource-intensive part of complying was getting ready for the auditors, a process for which Hughes enlisted the help of
“We already had documents and policies and procedures,” Kenyon says, “but in order to get through the PCI compliance, what
Even with security methods already in place, many organizations have still needed to make major infrastructure changes to meet specific PCI standards. For example, Bwin, a European gambling site, had to rebuild its payment infrastructure to more cleanly organize and segment it from the rest of Bwin’s systems. It was an intensive 10-month process.
“We took the whole payment infrastructure out of the Bwin infrastructure and rebuilt it,” says Oliver Eckel, Bwin’s head of corporate security. “The big challenge was to do it in a PCI-compliant way, which basically was a really big task on the documentation side.”
Of course, department stores, restaurants and e-commerce portals are affected by PCI compliance requirements. Also under the PCI umbrella are movie theaters, sports stadiums, museums and hospitals. Even an organization such as the National Aquarium in
“The benefit of PCI is that it usually helps in freeing up dollars for what were perceived as risk points that you couldn’t necessarily get the budget for in the past,” says Hans Keller, the aquarium’s chief technical officer.
Prior to getting a call from the bank about PCI, Keller and his staff had been hoping to pick up a security information management system to fill in some holes within the aquarium’s security program, but they couldn’t convince management to allocate the cash. PCI changed the situation, and now the organization is running the TriGeo Information Manager System, which greatly aided its compliance effort.
“When you look at the PCI standards, for the most part 90 percent of those things are things that companies should be doing anyway,” Keller says. “Most of the areas we were already fairly well compliant with, but there were six or seven areas where we weren’t compliant, and TriGeo perfectly plugged all those holes.”
Making the Compliance Case
TJX’s disinclination to undertake the costs to execute meaningful security improvements vividly illustrates the push-pull relationship credit card processors such as Visa, MasterCard and American Express have had with merchants since the uniform data security standards were first established in 2004.
According to Gartner research analyst Avivah Litan, compliance pushback is common at most organizations, which view security as a cost center—or a drain on revenue and profit because it offers no appreciable return on investment. “Unless you’ve been contacted by your bank and you’ve got a deadline and someone’s breathing down your neck, you’re not going to spend extra on security,” Litan says.
Ever since the payment card industry first released its set of security standards, credit card companies have been walking a fine line between maintaining client satisfaction and cardholder security.
“They are as dependent on the retailers as the retailers are dependent on them,” says PayPal’s Barrett, who serves on the PCI Security Standards Council’s advisory board. “The only thing they can do is essentially what they’ve been doing, which is [considering] how you cajole the industry into complying. How do you shame them? How do you persuade them financially, by either giving them credits where appropriate, or giving them debits where appropriate?”
Since 2005, some of that leverage has been attained through fines levied by the card companies onto bank processors, which then pass the cost down to those merchants in PCI violation. Visa is the only company that has publicized the extent of its enforcement efforts: The company reportedly dinged its merchant members for a total of $3.4 million in 2005 and $4.6 million in 2006.
Until recently, though, these fees were mostly a blunt weapon against the most egregious offenders. According to a Gartner analysis, the majority of past years’ fines were levied in the most extreme cases—either as a result of a breach or because the company was still storing sensitive data from cards’ magnetic strips that could give criminals the means to manufacture counterfeit cards. Instead, the payment card companies have tried to target much of their effort toward education and awareness campaigns.
In September 2006, the card companies rolled out the PCI Security Standards Council in conjunction with its first major refresh of the standard, PCI
In October 2007, Visa reported that compliance rates among Level 1 merchants had jumped from 36 percent in December 2006 to 65 percent. Among Level 2 merchants, compliance had risen from 15 percent to 43 percent during the same time period. All told, these vendors make up two-thirds of Visa’s transaction volume.
While a high level of noncompliance remains, it is clear that the card companies are making headway.
“There is unanimous agreement among all affected players in the PCI space that there have been considerable improvements in PCI education, outreach, communication and standardization of requirements,” said Javelin strategy and research analysts in a November 2007 paper on PCI compliance. “Two years ago, merchants were focused on why they needed to comply. Now, the majority of merchants are more concerned about how they can become PCI-compliant and successfully expedite the process.”
“The court filings and proceedings surrounding the
Nevertheless, ambiguity, high costs, and fear of inhibiting productivity, as was the case with
Technically, Compliance Is Tough
PCI mandates security measures that any merchant should already have in place. Nevertheless, compliance is fleeting among larger retailers and other organizations because of the complexity of security technology and the difficulties of increasing security without impeding productivity and operations.
“From the folks I’ve talked to, I would say there are just pieces that aren’t in compliance for most large merchants,” says Diana Kelley, head of the security division of technology analyst firm Burton Group. “There will be a couple of things that were flagged on the audit, and those things may be very difficult for them to fix.”
In many cases, Kelley says, PCI compliance is an issue of dealing with legacy systems that are difficult to harden without breaking. According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete.
“These systems are usually business critical; retailers can’t withstand that kind of performance hit,” says Phil Neray, vice president of marketing at Guardium, a database security company.
The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with medium-level encryption until it can employ full database encryption.
“The benefit is that it doesn’t require any changes to your database or your applications,” Neray says.
Even if affected organizations do everything they can to comply with PCI, they still can’t control their vendors. This has become one of the major PCI compliance issues: vendors failing to provide PCI-compliant products and services, making it more difficult for organizations to receive certification.
The National Aquarium’s PCI compliance was delayed until January because of its ticketing vendor, Paciolan. Although Paciolan released updates last year that brought its venue ticket purchasing systems into compliance, the early version of those updates broke a number of the aquarium’s systems. As a result, the organization had to wait for fixes from its vendor to become compliant.
A service provider could pose similar problems. Considering that Hughes, as a managed services provider, is only one of nine
In addition to the standards themselves, some believe the auditing ecosystem developed by the PCI Security Standards Council needs improvement.
According to the council’s requirements, the annual on-site audit review “is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed or transmitted.”
The typical audit includes not only a review of security logs, IT procedures and the like, but also a penetration test of systems that handle cardholder data. The entire audit process can take anywhere from a couple of days to many months, depending on how many problems the auditor flags and how long it takes for the business to correct deficiencies.
The difficulty is that there aren’t many auditors certified by the council to conduct these assessments, and the guidelines are nebulous enough to be open to interpretation.
“The real challenge is to find a more standardized way of [determining] how the qualified security assessors work—how this whole ecosystem works,” says Rani Osnat, vice president of marketing at database security firm Sentrigo. “Because the problem right now is that you may have three different PCI-accredited auditors do a PCI audit for you, and you could get three different results.”
Standard Not Set in Stone
The PCI Security Standards Council has got its work cut out. Not only will it need to help laggards over the last hump, but it must maintain the standards so they’ll keep up with the most recent threats.
“It’s a changing landscape, and the hackers are getting smarter,” Russo says. “Will the standard ever be complete? I doubt it. It’s more of a journey than a destination.”
Although the council has yet to release specifics, most insiders expect a new PCI standard update involving the encryption of personal identification number (PIN) entry devices, the establishment of payment application best practices, and tweaks to the self-assessment questionnaires for Level 3 and Level 4 merchants. But merchants shouldn’t be wary, Russo says, since all changes will be made with ample contributions from advisory board members from all parts of the payment card lifecycle.
“Contrary to popular belief, it is not our intent to bring out a new standard to put everybody out of compliance,” Russo says. “And we don’t sit in an ivory tower and pick this out of the air; it’s all based on real-world experience from participating organizations.”
The real goal, Russo says, is to keep cardholders safe. And while most security gurus would agree that PCI isn’t a silver bullet, it will go a long way toward shielding retailers’ records from the bad guys.
Unfortunately, this lesson wasn’t learned soon enough to prevent the
True, WEP wireless security was the first point of penetration in the
Perhaps one of the biggest problems
“PCI is helping to set a minimum standard,” says Hughes’ Kenyon. “I think what it really has done is [act as] a vehicle for education, more than anything else—to really get the message down past the IT department to senior managers.”
PayPal’s Barrett believes that early resistance was mostly a byproduct of culture shock. Many retailers and other organizations that accept credit cards weren’t accustomed to having a third party mandate security controls—sometimes involving expensive upgrades.
“I think what you’re seeing is simply the fact that as a culture, as a sort of retail payments culture, there hasn’t been enough collective attention to this,” Barrett says. “And whenever you change culture, it always takes several years, and it’s always accompanied by lots of wailing and gnashing of teeth. But I don’t think any of that says either it’s the wrong thing to do or it undercuts the inevitability of the journey we’re on, because I do think in a few years we’re going to look back at this and say, ‘What the heck was all the fuss about?’”