As a consultant, you get to view the grim expanse of industry regulation more than most: Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and, of course, the topic of this article, the Payment Card Industry Data Security Standard (PCI DSS).
A relatively new addition to the regulatory flak that targets businesses, the goal of these standards is to push merchants and service providers to tighten their security and move toward a global security standard.
PCI was pulled together by Visa and MasterCard, with JCB, Discover and American Express joining forces later on in 2006. What is refreshing about PCI DSS is its disconnect from any government mandate.
The standards derive their authority from the big service providers (Visa, MasterCard, etc.) that enforce the PCI DSS with a mix of "carrot and stick" incentives.
Behind every regulation or standard lie the bones of the incidents that gave rise to it, and PCI DSS is no different. Beginning in 2005, TJX, the holding company for TJ Maxx, Marshalls and HomeGoods, suffered a card data breach of epic proportions.
For 18 months, fraudsters hacked into thousands of local TJX stores via the stores' weak WEP wireless encryption and stole over 100 million credit card numbers along with cardholder personal information.
The incident cost TJX over 118 million dollars (conservatively) and an untold amount of damage to its public image. Of course, this was one major event out of many that occurred around that time period, providing the impetus for PCI DSS.
While the big players getting breached take center stage, 70 percent of fraudulent activity happens at the smaller merchants and service providers.
Smaller IT budgets, pressing business concerns and general lack of awareness about PCI all work against smaller firms.
However, the standards and penalties still apply to those entities. This includes merchants or service providers who process only a single credit card transaction.
Non-compliance is a bad bet to roll the dice on when you can be fined up to $500,000 per incident. Then, tack on $90 to $302 per record breached, add some awful public relations and lawsuits, and stir.
On the positive side of the ROI equation, compliance with PCI DSS provides what is called "Safe Harbor". Basically, this is a "Get Out of Jail Free" card from many of the fines or penalties levied by PCI, as long as the firm breached was compliant at the time of the incident. The flip side of "Safe Harbor" is the "Death Penalty".
If PCI determines that a merchant was sufficiently negligent in its security practices, it can bar that merchant from ever accepting credit cards again; bad news, since even soda machines take credit cards now.
So, what are the mandated security standards? Well, there are twelve of them, and they span the 74-page PDF provided by the PCI Security Council. However, we are going to shoot for brevity, so here is the list.
1) Install and maintain a firewall configuration to protect data.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
3) Protect stored data.
4) Encrypt transmission of cardholder data and sensitive information across public networks.
5) Use and regularly update anti-virus software.
6) Develop and maintain secure systems and applications.
7) Restrict access to data by business need-to-know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.
12) Maintain a policy that addresses information security.
While the list sounds very reasonable, it represents a 60,000-foot view of the actual work required. Successfully implementing even one of these items requires a significant investment of resources on the part of the service provider or merchant.
Each standard also interlocks with the others to make a more secure whole. An organization would probably not pass the PCI audit process if each standard were implemented in a vacuum.
Did I say audit? Why yes, I did. In order to verify that the merchant or service provider complies with the PCI DSS, a certified third-party vendor (an Approved Scanning Vendor, or ASV) is required to determine compliance. If this sounds like a tune you've heard before, you have.
HIPAA and SOX compliance also contain similar third-party audit requirements. Also, no standard comes complete without copious amounts of required paperwork thrown into the mix.
After all is said and done, is it really worth it? I believe that it is. While the danger with any standard is that it morphs into a "checklist" designed to meet compliance, PCI DSS at least puts the impetus to address security on merchants and service providers.
Security has generally been paid lip service until very recently, when identity theft and fraud became more than background noise. While nowhere near the "perfect" solution, and with numerous loopholes, PCI DSS draws attention to the appropriate areas and provides a framework to improve upon in the future.
Speaking of future action, the state of Washington recently passed a law (HB 1149) designed to protect consumers and financial institutions from fraudulent activity. Basically, it holds merchants or service providers liable for customer and business losses if they do not comply with PCI DSS or hold non-encrypted card data.
Thirty-eight other states have data breach laws on the books, with varying levels of liability and penalties. Security leadership within merchants and service providers should take note and understand that security isn't just an IT problem, but a critical business issue.