PCI Security Standards Council: Building Trust
Dec 12, 2006 4:00 AM PT
With the formation of the PCI Security Standards Council, multichannel merchants, online retailers, consultants, payment processors, and virtually every organization that touches online payments should find it much easier to comply with the PCI Data Security Standard (DSS).
The newly formed council also will make it possible for merchants, acquiring banks and others to have a voice in helping to craft the standard as it goes forward.
The PCI DSS was a critical first step for the payment industry to attempt to bring increased trust and security to consumers who want to make online purchases. While the initial efforts put forth by MasterCard and Visa went a long way, there was still confusion concerning all the requirements that had to be met in order to satisfy the major credit card providers.
On the Same Page
For example, while MasterCard had a global payment processing security program, Visa ran a regional program. Now, a single, clear, unified security standard has been endorsed by all of the major card issuers: American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
The Council has set out to:
- Protect cardholder information through a global, industry-wide data security standard.
- Help to reduce the costs and time required for PCI DSS compliance.
- Maintain a list of qualified data security solution providers.
- Lead training and education, and provide a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), establishing a single source of approval recognized by all five of the founding members.
- Provide a transparent forum where all stakeholders in the process can offer their feedback and input into the ongoing development, enhancement and dissemination of data security standards.
It's especially good news that the Council now will include active participation from everyone involved in the online payment system, including merchants, financial institutions and payment processors.
The founding payment companies will constitute one-third of the organization; the remaining two-thirds will be elected to the Advisory Board from within the ranks of participating organizations.
For the first time, if merchants believe, for instance, that parts of the standard are growing too onerous, they'll have a direct line of communication to the council to find a solution, and perhaps collaboratively develop a way to improve the program.
Framework in Place
The latest version of the standard, version 1.1, released in September 2006, already provides an excellent framework for protecting credit card data through the use of firewalls, encryption and end-user access controls, and, compared with Version 1.0, it asks that more attention be paid to application security.
Perhaps the greatest challenge to merchants when it comes to PCI compliance is moving away from viewing PCI DSS as a checklist, and building a sustainable PCI compliance program.
The idea here, regardless of the size of an organization, is to build a way to make sure that cardholder information is kept continuously secure by automating as many of the processes as possible. Where many merchants stumble is in developing and maintaining an IT security policy, and regularly testing all security systems and processes.
If you lack the in-house expertise needed to build a sustainable PCI compliance program, consider turning to the help of an outside consultant. Even if not required by PCI, it's a good idea to have your systems thoroughly examined by a PCI-qualified data security vendor.
A qualified consultant can help you examine your trouble areas with fresh eyes, quickly identify the problem and do whatever is necessary to keep all of your systems compliant and secure. The consultant can make sure your firewalls are properly configured, and that all of your data is properly encrypted when traveling across the network, and when stored to disk.
Once your PCI compliance program is in place, the best way to keep all of your systems secure is through ongoing vulnerability scans. For instance, the federally funded Internet security research organization, the CERT Coordination Center, estimates that 99 percent of all successful attacks are launched against systems that don't have the latest security patches applied, or are not configured properly. This is where a PCI compliance vulnerability scanner will go a long way toward keeping systems secure.
The right scanner should also be able to help you to cost-effectively identify all of your IT assets, including network gear, applications, databases, servers, desktops and all of their associated vulnerabilities. The scanner also should help you systematically reduce the risks of attack by eliminating the vulnerabilities, and then automating the process of submitting any required reports to your acquiring banks.
The PCI standard requires quarterly scans, but that's probably not frequent enough to maintain consistently high levels of security. While it is difficult to set firm rules regarding scan frequency that will apply to every merchant, the decision should be weighed against how many applications are being run, how often system configurations and the network change, and whether or not your software vendors have recently published patches.
Weekly scans of all Internet-facing devices and applications would be ideal, but biweekly scans may suffice for some. Vulnerability scans should, at the very least, be conducted once a month. Systems and applications change too quickly for anything less.
There are special cases when vulnerability scans should always be conducted -- such as whenever medium- or critically-rated vulnerabilities are discovered in the applications and operating systems you run, and certainly immediately following any changes to the network or applications. When it comes to IT security, change creates risk.
Also, while PCI requires that all externally facing IP addresses, servers, Web applications, and custom applications be scanned, it's also crucial that internal scans be periodically completed on any systems and additional networks that connect to e-commerce and payment systems. Any compromised computer can prove to be an easy stepping-stone to where credit card and customer information is collected.
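The scan-cadence rules above (monthly at minimum, weekly ideal for Internet-facing assets, and an immediate rescan after any change, vendor patch, or medium- or critically-rated vulnerability) can be turned into a simple policy check. The following is an added example, not code from the article or from Qualys; the asset inventory, the event bookkeeping fields and the sample dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Cadence values as stated in the article.
MAX_DAYS_BETWEEN_SCANS = 30    # "at the very least, once a month"
IDEAL_DAYS_BETWEEN_SCANS = 7   # "weekly scans ... would be ideal" for Internet-facing assets
TRIGGER_SEVERITIES = {"medium", "high", "critical"}  # medium- or critically-rated findings

@dataclass
class Asset:
    name: str
    internet_facing: bool
    last_scan: date
    # Events recorded since the last scan (constructed bookkeeping, an assumption):
    changes: list[str] = field(default_factory=list)       # network/application changes
    advisories: list[tuple[str, str]] = field(default_factory=list)  # (severity, summary)
    vendor_patches: list[str] = field(default_factory=list)

def scan_reasons(asset: Asset, today: date) -> list[str]:
    """Return the mandatory reasons a scan is due now; an empty list means none is required."""
    reasons = []
    age = (today - asset.last_scan).days
    if age >= MAX_DAYS_BETWEEN_SCANS:
        reasons.append(f"monthly minimum exceeded ({age} days since last scan)")
    for change in asset.changes:
        reasons.append(f"change since last scan: {change}")
    for severity, summary in asset.advisories:
        if severity.lower() in TRIGGER_SEVERITIES:
            reasons.append(f"{severity} vulnerability published: {summary}")
    for patch in asset.vendor_patches:
        reasons.append(f"vendor patch released: {patch}")
    return reasons

def scan_verdict(asset: Asset, today: date) -> str:
    """Collapse the rules into one of: 'scan now', 'scan soon', 'ok'."""
    if scan_reasons(asset, today):
        return "scan now"
    age = (today - asset.last_scan).days
    if asset.internet_facing and age >= IDEAL_DAYS_BETWEEN_SCANS:
        return "scan soon"   # past the ideal weekly cadence, but no hard trigger yet
    return "ok"

# Constructed sample inventory (not real assets).
TODAY = date(2006, 12, 12)
INVENTORY = [
    Asset("web-store", True, date(2006, 12, 1), changes=["deployed checkout v2"]),
    Asset("payment-gw", True, date(2006, 12, 8), advisories=[("low", "info leak in banner")]),
    Asset("back-office-db", False, date(2006, 11, 1)),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset.name, scan_verdict(asset, TODAY), scan_reasons(asset, TODAY))
```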
PCI is crafted to protect the entire life cycle of cardholder data -- from its collection to its processing and ongoing maintenance. You need to ensure that you have the internal tools in place to log all access to this information, and that you can adequately audit who handles what cardholder information, as well as what they did and when.
Tips for Building a Sustainable PCI DSS Compliance Program
- Conduct periodic vulnerability scans, at least once a month.
- Scan systems after every change, such as network configurations or deploying new applications.
- Change passwords every 60 to 90 days.
- Make sure not to use default manufacturer passwords while configuring network devices.
- Be sure to identify where all critical customer information is stored, and pay careful attention to securing these locations.
- Make certain that all remote connections to your network are conducted through a virtual private network and that the systems on the other side are secure, as well.
- Encrypt all credit card and customer sensitive information at rest.
- Test and verify all of your security systems and procedures through annual third-party penetration tests against your infrastructure.
While the PCI Data Security Standard has been in effect only a little less than 18 months, it's already helped substantially to lift the security of online merchant payment systems. The newly formed PCI Security Standards Council will go a long way to further the industry's awareness of credit card security, and help to make an excellent program even better. This will, over time, improve consumer trust in e-commerce -- and everyone will benefit if it's successful in that goal alone.
Terry Ramos is director of strategic development at Qualys.