Struggling to Comply With PCI Standards? Start With SSO
Apr 21, 2008 4:00 AM PT
Since 2005, millions of citizens have been affected by reported and unreported data breaches at payment processors, banks and retailers -- but the nation was still stunned when news broke about the TJX data breach.
This has indeed been a larger problem than most recognize, with some 88 million consumers affected by data breaches in the past two years alone, according to the Privacy Rights Clearinghouse. The only positive outcome of these unforgivable security lapses has been that enterprises large and small are beginning to re-evaluate their security posture.
During the last 10 years, there has been an explosion of Internet-based commerce and a drastic increase in credit and debit card usage in the physical storefront. Despite warnings from security watchdogs and the best efforts of organizations to protect customer data, consumer fraud and identity theft have hit new highs, with attacks becoming more sophisticated and damaging. The number of identity thefts and fraudulent credit card charges reached more than 4 million in the United States alone in 2006, according to the U.S. Department of Justice.
In response to the increased threat, governments around the world have been considering an array of new laws and regulations to systematically combat the problem. In addition, the banking and credit card industries have spearheaded their own initiatives, including the newly revised Payment Card Industry Data Security Standard (PCI DSS).
The increase of data breaches in recent years has created a significant loss of customer confidence -- forcing companies such as American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to band together to form an independent council designed to recommend sound data security practices that would protect consumer privacy.
This council now maintains the PCI DSS, the first industry standard to focus on improving payment account security throughout the transaction process. The card brands created the standard to give every organization that handles credit card transactions a common set of controls against growing security threats. In addition, the council's guidance is designed to provide credit card processors, point-of-sale vendors and financial institutions with a concise, cohesive approach to data security. Ultimately, more than one billion payment card users worldwide stand to benefit from stronger security at every point in the transaction process, lessening the chance of individual data theft.
The goal of the PCI standard is to make electronic commerce universally safer and easier to implement for the banking and electronic credit card industry. To adhere to the standard, all merchants in the transaction chain must meet the same requirements; what varies with a merchant's size (its annual transaction volume) is how compliance is validated, from an on-site assessment down to a self-assessment questionnaire. The goal of the PCI council is to make security compliance achievable by all organizations, regardless of their size.
Complying with new regulations is typically challenging for any business. The new PCI standards are equally -- if not more -- challenging due to the scope of the requirements. Moreover, complying with these new standards in a timely and cost-efficient manner will require that companies look at solutions that are simple to install and administer; cost-effective; not intrusive to the existing network and security environment; and easy for users to work with.
Companies that can demonstrate compliance with the PCI standard and prove they are trustworthy custodians of customer data have the opportunity to build solid customer loyalty. Complying with PCI regulations is challenging because the required security measures span the network and attached systems.
The best way to achieve and maintain PCI compliance is to adopt a strategic and pragmatic approach to locking down the network, including the ability to centrally manage systems and network services and to grant users access to critical systems based on their individual access rights.
Sounds easy -- but where should an organization start?
One approach is to start with a single sign-on (SSO) solution. Organizations of all types and sizes are implementing SSO solutions designed to quickly and effectively solve password management and user access issues. SSO solutions allow administrators to implement a clear, straightforward password policy across all SSO-enabled applications based on users' primary authentication, granting users access only to those applications for which they are authorized. The flip side is that the primary credential now unlocks every connected application, so its strength (and, for remote access into the network, the two-factor authentication PCI DSS requires) becomes the control on which everything else depends.
Monitoring User Access
With an SSO solution, organizations can make progress on four of the six control objectives set forth in the PCI Data Security Standard:
- Build and maintain a secure network;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
Furthermore, because every session is tied to one authenticated identity, SSO gives administrators a single place to track and monitor user access to systems housing cardholder data, an audit trail that attributes each action to a unique user ID (the substance of PCI DSS Requirements 8 and 10), and a basis for reviewing access policies as new applications are added, old applications are removed, new users are added, or other users are deleted.
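The access review described above is worth seeing in concrete form. The following Python script is an added example, not code from the original article or from Imprivata's product: it reconciles a constructed SSO audit log (a made-up whitespace-separated format: timestamp, user, application, outcome) against an entitlement table, flags successful sign-ons that the entitlement table does not authorize or that come from an account nobody provisioned, and summarizes every access attempt against the applications designated as holding cardholder data. The application names, user names and log format are all assumptions for illustration.

```python
"""Reconcile an SSO audit log against an entitlement table (added example).

The log format, users, applications and entitlements below are constructed
for this illustration; a real SSO product would export its own event format.
"""
from collections import defaultdict

# Constructed entitlement table: user -> set of SSO-enabled apps they may use.
ENTITLEMENTS = {
    "alice": {"pos-terminal", "card-vault"},
    "bob": {"pos-terminal"},
}

# Constructed list of SSO-enabled applications that store cardholder data,
# i.e. the systems whose access must be tracked under PCI DSS Requirement 10.
CDE_APPS = {"card-vault"}

# Constructed SSO audit log. Fields: timestamp user app outcome.
SSO_LOG = """\
2008-04-20T09:01:12Z alice pos-terminal success
2008-04-20T09:02:45Z alice card-vault success
2008-04-20T09:05:03Z bob card-vault success
2008-04-20T09:06:10Z bob pos-terminal success
2008-04-20T09:07:30Z carol pos-terminal success
2008-04-20T09:08:00Z bob card-vault failure
"""


def parse_event(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, app, outcome = line.split()
    return {"ts": ts, "user": user, "app": app, "outcome": outcome}


def review_access(log_text, entitlements, cde_apps):
    """Return (findings, cde_access).

    findings   : list of (reason, event) for successful sign-ons that the
                 entitlement table does not cover. "unknown-user" means the
                 account is absent from the table entirely (an orphaned or
                 unprovisioned account); "unauthorized-app" means the user
                 exists but is not entitled to that application.
    cde_access : user -> list of every attempt (success or failure) against
                 a cardholder-data application, the raw material for the
                 audit trail PCI DSS asks for.
    """
    findings = []
    cde_access = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Record all attempts against in-scope systems, failures included:
        # a failed attempt against the card vault is itself worth reviewing.
        if ev["app"] in cde_apps:
            cde_access[ev["user"]].append(ev)
        # Only successful sign-ons can constitute an access-control failure.
        if ev["outcome"] != "success":
            continue
        if ev["user"] not in entitlements:
            findings.append(("unknown-user", ev))
        elif ev["app"] not in entitlements[ev["user"]]:
            findings.append(("unauthorized-app", ev))
    return findings, dict(cde_access)


def stale_entitlements(log_text, entitlements):
    """Entitlements never exercised in the log, candidates for removal
    during the periodic access review (least privilege)."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            used[ev["user"]].add(ev["app"])
    return {(u, a) for u, apps in entitlements.items() for a in apps
            if a not in used[u]}


if __name__ == "__main__":
    found, cde = review_access(SSO_LOG, ENTITLEMENTS, CDE_APPS)
    for reason, ev in found:
        print(f"{reason}: {ev['ts']} {ev['user']} -> {ev['app']}")
    for user, events in cde.items():
        print(f"CDE access by {user}: {len(events)} attempt(s)")
    print("unused entitlements:", stale_entitlements(SSO_LOG, ENTITLEMENTS))
```

On the constructed log this flags bob's successful sign-on to card-vault (not in his entitlements) and carol's sign-on (no entitlement record at all), and shows two card-vault attempts by bob, one of which failed. The same three outputs, findings, per-user CDE access and unused entitlements, are what an assessor will ask to see for the access-control and monitoring objectives.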
As is true any time organizations tighten security and policy, there is the potential for a corresponding increase in user complexity and decrease in productivity. A key to success with any regulatory compliance effort is to accomplish measurable goals using policy and controls that users can easily follow and accept, and to complement them with improvements in usability. Users readily accept tighter security policies in exchange for the convenience SSO offers. Better usability ensures acceptance and compliance, resulting in better security and setting the stage for additional security improvements in the future.
David Ting is cofounder and CTO of Imprivata, which develops enterprise authentication and access management solutions.