PCI data protection mandates expanding






The PCI Security Standards Council hopes that bringing industry standards under a single umbrella will help plug merchant data security gaps.

In summary:

The retail security group extends its reach with expanding PCI standards.

Version 1.2 of PCI DSS, due in October, raises the bar on credit card security.

The PCI SSC ensures card brands are in sync on merchant security requirements.

While merchants bemoan the cost of complying with myriad data protection standards (see Payment card protection: A costly work in progress), the payment card industry is trying to streamline its requirements, even as it extends its reach to payment application developers and providers as well as manufacturers of PIN entry devices.

The PCI Security Standards Council (PCI SSC), an entity jointly owned by American Express, Discover, JCB, MasterCard Worldwide, and Visa International, recently announced two more standards that are joining the PCI Data Security Standard (PCI DSS) under its purview: the Payment Application Data Security Standard (PA DSS) and the PIN Entry Device (PED) Security Requirements.

Previously, the PED Security Requirements had been managed by the individual card brands to ensure the security of PIN entry devices, and Visa oversaw a forerunner of the PA DSS, the Payment Application Best Practices (PABP), to validate the security of payment applications. Having standards administered separately by multiple entities was confusing, and potentially costly, for merchants of all sizes.

"Adding these standards to the council's portfolio ensures that all card brands will be in sync and accepting of either approved PEDs or approved payment applications. This will make it easier for the merchant that uses this equipment or software, and for the vendors that provide and manufacture the software and hardware," says Bob Russo, general manager of the PCI SSC.

Here is a snapshot of each standard and what merchants need to know:

PCI DSS: Version 1.2 of the standard, due out in October 2008, applies to any entity that stores, processes, and/or transmits cardholder data. It sets out 12 requirements grouped under six goals: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Version 1.2 adds no new requirements; it clarifies the scope of the standard and gives organizations more flexibility in how they meet its mandates. Concretely, PCI DSS requires organizations to install and maintain firewalls, to protect stored cardholder data (the primary account number must be rendered unreadable wherever it is stored), and to encrypt cardholder data transmitted across open, public networks. It also requires vulnerability management (anti-virus, patching, and secure application development), strong access controls, and ongoing logging, monitoring and testing of networks. Finally, it requires every entity that accepts payment cards to have and enforce an information security policy.

Merchants are subject to different validation requirements depending on the number of transactions they process per year; each card brand sets its own thresholds, and the Visa tiers are the ones most often cited. Level 1 merchants, which process more than 6 million transactions per year, face the heaviest PCI DSS compliance demands; Level 4 merchants, which process fewer than 20,000 e-commerce transactions (and up to 1 million transactions in total) per year, face the lightest. Level 1 merchants must undergo an annual on-site assessment, typically by a Qualified Security Assessor (QSA), whereas Level 2, 3 and 4 merchants can submit a Self-Assessment Questionnaire (SAQ). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required for Levels 1 through 3 and left to the acquirer's discretion for Level 4.

Mark Kraynak, senior director of strategic marketing at Redwood Shores, California-based Imperva, a security software vendor and Microsoft Technology Partner, says midsize merchants often make the mistake of doing the least possible to achieve compliance. "They want a checklist that satisfies the auditor and then they want to be done. That's the wrong approach," he says.

Kraynak recommends that retailers make a genuine and ongoing effort to follow the spirit of PCI DSS because it will help them put the tools and processes in place that they'll need to truly secure their network. "You'll know who's accessing your data, including privileged users, when they do something suspicious, and how to mitigate that risk," he says.

He adds that PCI DSS provides a solid foundation for complying with other mandates such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, because it is far more prescriptive than either.

PA DSS: This standard was originally developed by Visa to ensure that payment applications handle cardholder data securely and do not undermine a merchant's PCI DSS compliance. The payment card industry judged the area critical enough that it should come under the PCI SSC. The standard can be confusing for midsize merchants because it targets software developers and integrators of applications that store, process, and/or transmit cardholder data as part of authorization or settlement, not merchants themselves. However, Kraynak says midsize merchants should still take time to understand the standard's requirements so they can make sure their in-house applications as well as their third-party software and services are compliant.

For instance, the PA DSS says that payment applications must not retain full magnetic-stripe data, card verification codes, or PIN blocks after authorization, and must not store cardholder data on a server connected to the Internet. It also requires developers and providers to offer secure authentication features (no shared or default accounts and passwords), to test applications for vulnerabilities and address them, and to log application activity in a way that supports PCI DSS audit trails. Logs count as storage: they must not hold unmasked cardholder data either.
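The two PA DSS requirements above pull in opposite directions: an application must log what it does, yet must never write full track data or an unmasked card number into that log. The example below is added here to show how a practitioner reconciles them; it is not code from the article, from the PCI SSC, or from any vendor named on this page. It scrubs application log lines before they are written, redacting ISO/IEC 7813 track 1 and track 2 data outright, masking any Luhn-valid 13 to 19 digit run to the first six and last four digits (the most PCI DSS allows to be displayed), and reporting what it found so an operator can alert on full track data ever reaching the log path. The regular expressions, the function names and the sample log lines are the example's own assumptions; 4111111111111111 is a well-known test card number, not a real account.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes. The word boundaries stop it matching inside longer digit runs.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# ISO/IEC 7813 track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# ISO/IEC 7813 track 1, format B:
# %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Every real PAN passes; a random digit run passes only about one time
    in ten, so this cuts false positives on order numbers and timestamps.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub(line: str) -> tuple[str, list[str]]:
    """Redact cardholder data from one log line.

    Returns the sanitised line and a list of finding types ("track1",
    "track2", "pan"). Track data in a log means sensitive authentication
    data was retained after authorization, which PA DSS forbids, so the
    caller should treat those findings as an incident, not just clean-up.
    """
    findings: list[str] = []

    def redact_track2(m: re.Match) -> str:
        findings.append("track2")
        # Expiry, service code and discretionary data (which carries the
        # CVV/PVV values) are dropped entirely; only a masked PAN survives.
        return ";" + mask_pan(m.group(1)) + "=[REDACTED]?"

    def redact_track1(m: re.Match) -> str:
        findings.append("track1")
        return "%B" + mask_pan(m.group(1)) + "^[REDACTED]^[REDACTED]?"

    def redact_pan(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # not a card number, leave it alone
        findings.append("pan")
        return mask_pan(digits)  # separators are dropped in the masked form

    # Track data first: once its PAN is masked, the generic PAN pattern
    # no longer matches it, so nothing is counted twice.
    line = TRACK2_RE.sub(redact_track2, line)
    line = TRACK1_RE.sub(redact_track1, line)
    line = PAN_RE.sub(redact_pan, line)
    return line, findings


def scrub_log(lines: list[str]) -> tuple[list[str], dict[str, int]]:
    """Scrub a batch of lines and tally findings by type."""
    out: list[str] = []
    counts: dict[str, int] = {}
    for line in lines:
        clean, found = scrub(line)
        out.append(clean)
        for kind in found:
            counts[kind] = counts.get(kind, 0) + 1
    return out, counts


if __name__ == "__main__":
    # Constructed sample log lines for the demonstration (not real data).
    SAMPLE_LOG = [
        "2008-10-01 12:00:01 auth ok pan=4111111111111111 amount=19.99",
        "2008-10-01 12:00:02 swipe raw=;4111111111111111=2512101123456789?",
        "2008-10-01 12:00:03 swipe raw=%B4111111111111111^DOE/JANE^2512101123456789?",
        "2008-10-01 12:00:04 order id=1234567890123456 status=shipped",
    ]
    cleaned, tally = scrub_log(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print("findings:", tally)
```

The Luhn check only reduces false positives; roughly one in ten random 13 to 19 digit runs will still pass it, so a filter like this belongs in front of the log sink as a safety net, not as a substitute for never handing track data to the logging layer in the first place. The fourth sample line, an order number that fails Luhn, is left untouched; the second and third are the ones that should page someone.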

Russo agrees that midsize retailers should familiarize themselves with the full list of requirements as well as the list of validated payment applications the council provides through its partner site at Visa.com. "The payment application is often the weakest link, so the onus is on merchants to go back to the vendors and providers and put pressure on them to make their products compliant," he says.

PCI PED: While often overlooked, PIN entry devices are a key to holistic cardholder data security. In fact, when the PCI SSC brought the PED requirements under its directive, the council added specifications for unattended payment terminals and hardware security modules. "There are a lot of problems with the security in point-of-sale devices that are accepting PIN-based transactions," Russo says.

The new standard mandates that hardware devices undergo a rigorous testing and approval program to ensure that sensitive cardholder account data, above all the PIN, is protected at every point in the transaction process. The addition of unattended payment terminals and hardware security modules to the PED fold represents the last piece of the data security puzzle. "There are a lot of potential issues with the security of point-of-sale devices themselves. There are so many types of kiosks out there accepting PIN-based transactions that they need to have standards too," Russo says. He encourages midsize merchants to review the manufacturer requirements the council has put forth, including making sure that their devices have physical security (tamper-evident, tamper-responsive construction so a device cannot be opened or swapped for a look-alike without detection) and logical security to prevent unauthorized modification of firmware and cryptographic keys.

The merchant is responsible

Now that the council has brought these standards together, it should be easier for merchants to carry out the mission of protecting cardholder data, which is increasingly falling squarely on their shoulders.

"As merchants, you not only have to secure cardholder data in your possession, you also have to do due diligence on the technology and providers you’re using. You're responsible for the entire chain of trust, so you have to be cognizant that if something goes wrong on those systems, you're responsible," Russo says.



Sandra Gittlen is a regular contributor to Momentum, the midsize business center newsletter.


