Introduction
By now, most IT managers are familiar enough with the PCI Data Security Standard (PCI DSS) to know that it is a requirement if they want to process credit cards. What frightens many of these managers is that they are wading into unfamiliar territory and are nervous about the fact that PCI will likely consume a significant amount of their staff's time and their department's budget.
But even the most expensive PCI project still pales in comparison to the cost of a single significant data breach. One breach can cost millions to clean up, and tens of millions of dollars in long-term costs.
TJX Companies is now the poster child for how to do things wrong when it comes to a breach. Had it had a comprehensive and formal security program in place, one that would support its PCI requirements, chances are it would not be in the situation it is in now: facing myriad lawsuits. TJX violated numerous basic security guidelines, including various PCI requirements, all of which have had a direct financial impact on its earnings.
The company announced in mid-2007 that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems over an 18-month period, one of the largest customer data breaches to date.
The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal, and other fees.
The company also reported that it expects to continue to incur these types of intrusion-related costs in the second quarter, and it estimates that those costs will total 2 cents to 3 cents per share. The TJX case shows that companies that take PCI seriously are much less likely to suffer a breach.
Understanding PCI Compliance
Businesses that process credit cards fall into one of four PCI categories, levels 1 through 4, based on their annual processing volumes. All levels are subject to the same PCI DSS technical requirements but differ in their validation (proof of compliance) requirements. PCI DSS categorizes merchants as follows:
The following are the 12 PCI DSS requirements:
1. Install and maintain a firewall configuration to protect data – Note that there is no such thing as a "PCI compliant" firewall. Rather, a merchant must configure its firewall to protect cardholder data, which every firewall available today can do.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
A quick review of these 12 requirements shows nothing close to being revolutionary. In fact, the PCI DSS is simply basic good computer security.
Security Frameworks
The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799, ITIL, etc.) encompasses the assumptions, concepts, risk values, and security practices underlying an organization's information security infrastructure. Frameworks are invaluable because today's enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations, the category into which PCI falls, enable organizations to demonstrate compliance.
Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations like Sarbanes-Oxley. Of course, an effective framework also makes PCI compliance significantly easier to gain.
Conclusion
PCI, like the fundamentals of information security, is simply focused on attention to detail and risk management. By focusing on those core elements, combined with best practices, you significantly increase your ability to obtain PCI compliance.