
The truth about PCI... Adam Evans, NetIQ

By Adam Evans
Johannesburg, 20 Mar 2008

After the major data breaches of 2007, how does a merchant or retailer make sure it is not held liable for lost or stolen customer card details, and how does it keep up to date with current security practice?

Organisations increasingly need to secure this critical data in such a way that it not only complies with the latest regulations but also has the least financial and operational impact on their business. It is vital that they are able to leverage these efforts to maximise the return on investment.

The breach at TJX, which operates the clothing retailers TJ Maxx in the US and TK Maxx in the UK, was thought to have led to the theft of at least 45.7 million credit and debit card records; it turned the threat of a data breach into a reality for every retailer and merchant.

Safeguarding customer data should be a priority for anyone taking payment by credit or debit cards. However, there continues to be a lack of security in the industry, which needs to be addressed if retailers are to maintain both profit levels and consumer confidence.


The Times recently reported that identity fraud is still one of the fastest growing areas of crime, having cost banks more than £212 million and affected 1.7 million people in 2007. If retailers and merchants fail to secure their customers' personal data, these figures will only continue to rise.

The problem is compounded by the growing popularity of real-time, unencrypted communication channels such as Web mail and instant messaging, which give criminals more ways into a network and make it easier for them to operate unnoticed.

Recent breaches, such as that at GE Money in the US, which lost an unencrypted tape containing 650 000 retail customer records, highlight that organisations worldwide are not safeguarding personal data the way they should. The problem is a global one: if a retailer's systems are compromised in one country, the card details of customers worldwide are at risk simply because of the way customer data is stored and shared.

Expensive breaches

Organisations that fall victim to a cardholder data breach are liable for large fines and could even have their card processing capability withdrawn by the card brands or their acquirer. The threat of such fines and of losing card processing has become the main driving force compelling many UK organisations to invest considerable time and resources in complying with the PCI Data Security Standard (PCI DSS).

Originally introduced in January 2005, the PCI DSS standard was designed to help organisations with security management, policies, procedures, network architecture, software design and other critical protective measures.

PCI DSS was developed by the five major card brands to harmonise their existing security programmes into a single standard, giving organisations guidance on minimising the threat of fraud and securing the processing of sensitive cardholder data. It consists of 12 requirements, organised into six groups known as the 'control objectives'.

The PCI DSS standard was introduced not only to safeguard the financial risks to a business but also to protect a merchant or retailer's brand value. Public awareness has increased due to the growing number of attacks aimed at stealing confidential data and if a customer feels their personal card details are not safe, then they will take their loyalty elsewhere.

Compliance with PCI DSS is compulsory for any organisation that stores, processes or transmits cardholder data. However, a significant proportion of organisations remain non-compliant. There are many reasons for this, but one main cause is a conscious acceptance of the risks of non-compliance. That attitude is the one of most concern to the payment brands and will ultimately be addressed by levying penalties.

PCI DSS is often viewed as an insurance policy rather than as a lock on the front door. Both serve the same purpose, protecting against the risk of loss, but the mechanism is completely different: an insurance policy reimburses a loss after the event, whereas a lock reduces the exposure to loss in the first place. PCI DSS belongs in the second category, and compliance should be embraced as a way to secure brand value and provide a competitive edge.

Difficult requirements

Because the standard covers areas as diverse as physical security, encryption and access control, compliance represents a significant long-term commitment of resources. However, a recent report distributed at the National Retail Federation (NRF) Annual Convention estimated that the cost to a merchant of not meeting PCI requirements and then being liable for a customer data breach could be 20 times greater than the cost of compliance.

The PCI DSS requirements range from the relatively simple task of keeping anti-virus software up to date to more complex and demanding procedural changes, such as tracking and monitoring all access to network resources and cardholder data.

One of the most difficult requirements to implement and enforce is requirement 2, which stipulates that merchants and retailers must not use vendor-supplied defaults for system passwords and other security parameters. Meeting it requires a substantial commitment of time and resources, involves several teams, and touches many systems across the organisation's network. It is hardly surprising, then, that according to an October 2007 Wall Street Journal article, PCI DSS compliance rates were initially low.

Organisations that seek to comply with PCI DSS start by scoping the cardholder data environment (CDE) and then reviewing every component in that environment, including all communication to and from the CDE and physical access to it. The results are measured against the PCI DSS requirements to identify where compliance is not met (gap analysis), and a remediation plan is drawn up listing the activities needed to close each gap. Once remediation is complete, the organisation's compliance is validated. Depending on transaction volume, smaller merchants may complete a self-assessment questionnaire, while the largest must validate their compliance through an onsite assessment by a PCI Qualified Security Assessor (QSA).

Keeping in place all the processes and procedures that fall within PCI DSS scope is a necessity and usually requires a systematic, and often automated, set of procedures. These procedures must also be clearly documented and visible so that a QSA can confirm compliance is being maintained at a satisfactory level. While most organisations report reaching initial compliance within 12 to 18 months, maintaining compliance is an ongoing activity.

Achieving compliance

Organisations that seek to achieve compliance with the 12 PCI DSS requirements are finding that their compliance efforts are providing much broader benefits than they may initially have expected. Indeed, such benefits can cover many areas of the organisation, not just those areas concerned with the handling of credit card information.

According to a recent report by the Aberdeen Group about protecting cardholder data, organisations that have already taken the necessary steps to achieve compliance with PCI DSS found that the standard actually represents an excellent model for protecting all their critical data and systems. As such, they are seeing far greater potential return on investment (ROI) than they had originally anticipated.

ROI can be delivered by the avoidance of penalties and the financial benefits gained through reducing the risk of data breaches. Compliance with PCI DSS can be used to reduce the costs of implementing new standards or any other regulations as it helps to create more efficient operational processes within the organisation through the investment that has been made in new tools and technology.

While no single vendor can provide all the necessary tools to enable complete PCI DSS compliance, the good news is that technology is now available to be able to provide a foundation upon which an organisation can build a suitable and efficient compliance programme.

The tools, solutions and security knowledge these vendors offer can help an organisation reach compliance faster than it could on its own. Vendors can advise on the best solutions available to secure an organisation's information, systems and processes, or on making better use of existing security policies and technology. However, a compliance programme should always start by engaging a QSA to validate compliance, as PCI DSS has elements that can be interpreted in many different ways.

Rapid ROI

To ease implementation, tools are now available that can discover network assets, assess them for known vulnerabilities and, in the case of PCI DSS requirement 2, confirm that vendor-supplied defaults such as default passwords and SNMP community strings are no longer in use.
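The kind of check that paragraph describes, written out as an added example (this is not code from the article, from NetIQ or from any product). The inventory export, the model names and the default-credential baseline are all constructed for illustration; a real audit would feed in the discovery tool's export and a maintained list of vendor defaults for the models actually deployed.

```python
"""Flag vendor-supplied default credentials in a device inventory.

Added illustration of a PCI DSS requirement 2 check. The inventory CSV,
the model names and the default-credential baseline below are constructed
for this example; they are not real products or a real default list.
"""
import csv
import io

# Constructed baseline of known defaults per model: (username, password) pairs.
DEFAULT_CREDENTIALS = {
    "acme-router": {("admin", "admin"), ("admin", "password")},
    "acme-pos": {("manager", "1234")},
    "acme-switch": {("cisco", "cisco")},
}

# Constructed list of default SNMP community strings.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Constructed CSV export, in the shape an asset-discovery tool might produce.
INVENTORY_CSV = """host,model,username,password,snmp_community
10.0.1.1,acme-router,admin,admin,public
10.0.1.2,acme-router,admin,S3cure!Pass,r0t4ted-c0mmunity
10.0.2.10,acme-pos,manager,1234,
10.0.2.11,acme-pos,manager,,
10.0.3.1,acme-switch,cisco,cisco,private
10.0.3.2,unknown-model,root,toor,
"""


def audit_inventory(csv_text, defaults=DEFAULT_CREDENTIALS,
                    snmp_defaults=DEFAULT_SNMP_COMMUNITIES):
    """Return {host: [finding, ...]} for every host with at least one issue."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"].strip()
        model = row["model"].strip().lower()
        user = row["username"].strip()
        password = row["password"]  # compared exactly: passwords are case-sensitive
        community = row["snmp_community"].strip().lower()
        issues = []

        if password == "":
            issues.append("empty password for user '%s'" % user)
        elif (user, password) in defaults.get(model, set()):
            issues.append("vendor default credential '%s' on model %s" % (user, model))

        if community and community in snmp_defaults:
            issues.append("default SNMP community '%s'" % community)

        if model not in defaults:
            # No baseline for this model, so the tool cannot prove the
            # credential is *not* a default; a human has to look.
            issues.append("model '%s' has no default-credential baseline; review manually" % model)

        if issues:
            findings[host] = issues
    return findings


def summarise(findings):
    """Count findings by category so the report can be tracked over time."""
    counts = {"default_credential": 0, "empty_password": 0,
              "default_snmp": 0, "no_baseline": 0}
    for issues in findings.values():
        for issue in issues:
            if issue.startswith("vendor default"):
                counts["default_credential"] += 1
            elif issue.startswith("empty password"):
                counts["empty_password"] += 1
            elif issue.startswith("default SNMP"):
                counts["default_snmp"] += 1
            else:
                counts["no_baseline"] += 1
    return counts


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV)
    for host, issues in sorted(report.items()):
        for issue in issues:
            print("%-10s %s" % (host, issue))
    print(summarise(report))
```

Two design points worth noting: an unknown model is reported rather than silently passed, because a default list only ever proves a positive, and an empty password is treated as its own category, since it is worse than a default and is easy to miss when the check only looks for known pairs.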

Tools are also available that report on compliance with security configuration standards, such as the Center for Internet Security (CIS) benchmarks recommended by PCI DSS.

In areas such as vulnerability detection, security information and event management, privilege management and documentation of the processes involved, management tools can deliver exceptional benefits to organisations seeking not only to reach compliance quickly but to keep benefiting from that effort beyond the compliance deadlines.

PCI DSS has brought many changes; however, vendors are committing themselves to developing more advanced security management tools that provide rapid ROI and are constantly creating ways of integrating these tools into existing operational management systems.

Using a well-planned, well-organised approach, organisations can aim to attain PCI DSS compliance in a way which delivers long-term benefits to their brand, internal processes and most importantly to customers.


Adam Evans, Senior Security Specialist, NetIQ UK Ltd

Evans has over 16 years' experience in the IT industry and has specialised in the IT security software sector for the last eight years. He has extensive experience working with large corporate organisations to implement security policies and procedures, in conjunction with technology, that achieve the lowest possible exposure to risk without compromising the user experience. He is accredited as a Qualified Security Assessor by the PCI Security Standards Council and draws on that experience to help customers comply with PCI DSS v1.1.