Wednesday, August 27, 2008

PCI, PCI DSS 101

Here's a comprehensive article explaining the Payment Card Industry Security Standards Council requirements pertaining to protecting card holder data.   The article, written by Jeff Kress from NewsFactor.com does a good job putting, what many tend to consider to be a confusing subject,  PCI, into a better perspective.

 
"Any firm that stores, processes or transmits credit card data should comply with security standards or risk great losses. Whether we buy goods online or in a store, credit card purchases are a way of life.  Some may worry about transactions over the Internet, but they generally assume credit card data and related personal information with merchants are secure. But are they?

According to analysts, financial fraud surpassed all forms of computer losses in 2007. The most noted credit card loss was with TJX (parent company of HomeSense and Winners) in 2006. The security breach resulted in the loss of 45 million credit- and debit-card numbers. The TJX losses reportedly will exceed US$1 billion. The breach was due to inadequate security controls. In addition, TJX may have also lost customers' personal information such as drivers' license numbers. The problem is that TJX is not alone: many merchants have inadequate controls to protect credit card information.

To address financial fraud, major credit card companies created an organization, the Payment Card Industry Standards Council (PCI). Its goal was to set standards to enhance the security of credit card payment data. The result is the Payment Card Industry Data Security Standard. (PCIDSS)

Merchants that store, process or transmit cardholder data must comply with the PCI standard. Reports indicate that larger-merchant compliance is improving. On January 22, 2008, Visa reported that as of the end of 2007, 77 percent of large merchants and 62 percent of medium-sized merchants were PCI compliant.  These are big improvements compared with the previous year, when less than 20 percent of large and medium- sized merchants were deemed compliant. These two categories represent approximately two-thirds of Visa's transaction volume. However, smaller merchants and government agencies are slower in adhering to PCI requirements.

PCI requires merchants to verify compliance with the data security standard. A merchant's credit card transaction volume determines what compliance validation steps are followed. Larger merchants are required to have annual on-site audits and network scans performed quarterly by certified assessors. Smaller merchants may only be required to do self-assessments. The merchant levels differ between the credit card companies so one should refer to the merchant agreement for specific requirements. Although compliance validation requirements differ, all merchants that store, process or transmit cardholder data, regardless of size, are required to comply with all aspects of the PCI standard. Failure to do so may result in a merchant being fined and/or terminated from the processing services.

Not complying with PCI requirements can be costly. If a merchant's systems are breached, the merchant is responsible for all costs associated with inappropriately used credit cards. The merchant is also required to pay all costs associated with informing consumers, canceling outstanding credit cards, issuing new credit cards and forensic audit costs. Analysts have set the costs of credit card breaches at between $100 and $300 per credit card record. A breach can result in a loss of merchant reputation, lost customers or customer lawsuits. Credit card companies can also issue fines for noncompliance even if no breach is detected. To prevent such costs, merchants need to comply with the PCI standard.

PCI Standard's Objectives


Build and maintain a secure network. Most merchants think their credit card systems are secure. But in the context of PCI, what is a credit card system? The PCI standard considers any network, server or application connected to the systems that store, process or transmit to be the credit card systems. PCI compliance on such a large scale can be difficult to achieve. The solution is to set up the credit card systems so they are isolated from other merchant systems.

The PCI standard identifies two primary requirements for building and maintaining a secure network. The first is to install and maintain a firewall configuration to protect cardholder data. Firewalls must protect all credit card systems from external access. In addition, the PCI standard identifies the need to change vendor-supplied defaults for system passwords. Systems that have not changed default settings and vendor-installed passwords are common compliance violations.

Protect cardholder data: Keep cardholder data stored to a minimum. Stored credit card information needs to be protected using strong encryption standards. A common violation occurs when merchants store the magnetic stripe data from a credit card. The data contains all the information a criminal needs. Such information should never be stored. PCI information suggests that most merchants are unaware that their systems were storing the complete magnetic stripe data.

Maintain a vulnerability management program: It is important to protect systems against such threats as a computer virus. Also, follow appropriate processes for making changes to systems. Merchants that collect credit card information from e-commerce Web sites need strong security processes to develop and monitor the Web sites. Weaknesses include missing and outdated security patches. Also, Web applications often have weaknesses that are accessible by anyone on the Internet.

Implement strong access control measures: Limit access to cardholder information on a need-to-know basis. Bad practices such as group sharing of user accounts, not changing passwords regularly or not having minimum password standards are not acceptable. Other weaknesses include inadequate access controls due to improperly installed merchant point-of-sale equipment. While credit cards are typically stored on systems, the PCI standard requires strong physical controls in merchant facilities.

Regularly monitor and test networks: Merchants need to track and monitor all access to network resources and cardholder data. This requires logging and monitoring systems on a timely basis. All credit card systems need to be regularly tested. The requirements in the PCI standard are explicit and detailed. For example, perform vulnerability assessments at least quarterly or after any significant change to the network. Test credit card systems annually. This includes annual penetration testing on both the network and application layer. The standard also requires effective intrusion detection systems to alert staff to possible security breaches.  A lack of effective monitoring is a weakness. Merchants often find it difficult to meet the PCI standard requirements for monitoring and testing its network. Segmenting the network to isolate the credit card systems will reduce the time and costs associated with meeting these requirements.

Maintain an information security policy: Merchants need a strong security policy that sets the tone for the whole company. Staff awareness processes need to ensure employees are aware of their responsibilities. Many security breaches are caused by staff who are unaware of their role in keeping the company's data secure.

So what happens if a merchant can't meet a specific PCI requirement? The standard allows merchants to implement compensating controls. Merchants need to show that the compensating control effectively mitigates the risk addressed by the PCI standard.

The PCI Data security Standard sets security and monitoring requirements that far exceed some merchants' existing capabilities. Smaller merchants would like to have the standard reduced to reflect their size. However, for now, merchants that store, process or transmit cardholder data must comply with the standard.

There are many articles on PCI and the Data security Standard. However, the best source for guidance and materials is the Payment Card Industry Security Standards Council Web site at: https://www.pcisecuritystandards.org/index.htm. Merchants should also refer to their respective merchant agreements for guidance.

A common misconception is that smaller vendors are not required to be PCI compliant. Some think not being compliant is OK as long as they continue to make progress. That's what credit card firms reportedly told TJX before it was breached. That did not prevent TJX from facing losses that could reach billions of dollars. So make sure you and your clients take steps to protect credit card data before harm occurs to your firm or clients' reputation, before customers are lost and before fines and litigation start."

Several Million for $150...Hop Aboard the PCI Express!

There's PCI, and then there's just plain ole' PC.  What are several million records doing on a laptop in the first place?  And why would the National Bank of Scotland employ a "third party" archiving company that sells it's used laptops containing personal data on eBay?  I found a good article on PCI and I'll post it next, but first this amazing faux pas...
  
When Andrew Chapman bought a PC on eBay for about $150, he didn't expect the added bonus -- the personal records of millions of customers of a major international bank.

Chapman says he found "several million" personal records on the PC. The records, which belonged to the National Bank of Scotland, its NatWest subsidiary, and American Express, had been stored on the machine by a third-party archiving company, according to news reports about the eBay purchase of the National Bank of Scotland data. 

The data includes account details, and in some cases, customers' signatures, mobile phone numbers, and mothers' maiden names, Chapman says.  Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. "The information was in back-up CDs and in ISO files, so it would have been possibly quite easy to find if you know something about computers," he said.

A spokeswoman for data processing company Mail Source, which is part of the archiving firm Graphic Data, said it was investigating how the computer equipment had been removed from a secure location. "The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed," she said.   Spokespeople for Graphic Data, the banks, American Express, eBay, and U.K. law enforcement agencies all expressed concern about the incident and said they would begin an investigation as soon as Chapman gives the computer back to Graphic Data.

30% of Canadian Back to School Shoppers To Do It Online

In what looks to be an unabashed plug of Verified by Visa, the payments industry behemoth recently polled online shopping plans of Canadiens and found the following:

TORONTO, ONTARIO, Aug 27, 2008 (MARKET WIRE via COMTEX)

Almost one-third of Canadians in need of books, computers and back-to-school supplies will avoid the hustle and bustle of traditional shops in favour of the World Wide Web this year.

According to an August 2008 survey commissioned by Visa Canada(i), 13 percent of Canadians are planning to shop online between now and Labour Day and, of those, 40 percent plan to spend more online than in the same period last year.

With the average estimated online spend before Labour Day totalling $881, survey respondents said they were turning to the Internet because of its convenience (41 percent), better prices (41 percent) and superior selection than brick-and-mortar retailers (31 percent).


While restocking backpacks and lockers is one reason to turn to the computer, Canadians shopping online also planned to purchase travel (45 percent), computers or electronics (41 percent) as well as fall and winter clothing (32 percent).

"It's interesting to see the variety of goods Canadians plan to buy online," said Zack Fuerstenberg, Director, New Channels, Visa Canada. "Last year when we conducted similar research, half of respondents were only planning to purchase books."

Fuerstenberg continued by pointing out that the categories of merchandise most attractive to online shoppers are mirrored by the types of merchants that participate in the Verified by Visa(R) program. "Air Canada, Dell, Best Buy, Future Shop, West Jet, Via Rail, Telus and Aldo are all participating in the program along with 2,000 other participating Canadian merchants."

The Verified by Visa service, which is supported by Visa-issuing financial institutions and participating merchants, works through the use of a personal password and helps ensure that purchases made online with a Visa(R) card are made by the actual cardholder. Free for consumers, the Verified by Visa program has been adopted by more than 200,000 merchants and 378 million Visa cardholders around the world. Canadian Visa cardholders can sign up for this program at their Visa card issuer's website, through visa.ca or when shopping at participating merchant websites.

The Verified by Visa service is just one of Visa's multiple layers of security in the eCommerce channel. Another layer that helps protect online merchants and cardholders shopping via the Web is the "three-digit code," or CVV2, which is the number printed on the signature panel on the back of a Visa card. It helps to prove to the merchant that the cardholder has the card in his or her possession when ordering online or over the phone. AVS, or the Address Verification Service, helps ensure that the person making a purchase with a Visa card is the same person who receives the Visa card's monthly statement. Merchants begin the process by matching the address provided by the cardholder during check-out to the billing address the Visa card issuer has on file.

(i)For the Visa Back-to-School Shopping Survey, a total of 1005 respondents were interviewed during the period between August 6th - 10th, 2008. The margin of error is +/-3.09% at 95%.

Disqus for ePayment News