It’s amazing what the carrot of $20 million in incentives—or the stick of millions in potential fines—can do for an IT-security standard.

On Dec. 12, 2005, Visa USA announced that it would either handsomely reward or seriously punish scores of major banks and card processors, depending on how well they prodded 1,200 U.S. retailers to comply with the Payment Card Industry Data Security Standard (quickly abbreviated to PCI compliance).

The banks and card processors—known in the business as “acquiring banks”—have until the end of this year to comply. Acquirers can reap up to $50,000 for bringing merchants on board early, or pay Visa as much as $25,000 a month in late fees. The targets, so-called Level 1 and Level 2 merchants, generate more than 1 million transactions annually, representing the largest retail businesses in the land and two-thirds of all Visa transactions.

In a world where security standards seem to emanate from laws, such as Sarbanes-Oxley, or voluntary organizations, such as the Information Systems Audit and Control Association (known for its involvement with the COBIT standard) or the International Association for Standardization (which developed the ISO 17799 standard and others), PCI is an interesting case. Here, the elephants of the payment business—Visa, MasterCard, Discover, American Express, and JCB—are forcing a detailed and uncompromising standard across a diverse array of businesses.

Breaches of credit-card security are among the worst things that can happen to retailer and consumer alike, and companies are understandably loath to discuss such events. But Denver-based fast-food chain Chipotle Mexican Grill’s 2005 annual report offers a window into the costs that such breaches can cause. Until August 2004, Chipotle’s card-processing software had stored the full range of data kept on a card’s magnetic stripe: customer name, card number, expiration date, and more. With such data, a thief could create a brand new, entirely convincing credit card.

By February 2006, Chipotle’s acquiring bank had reported roughly 2,000 fraudulent charges against accounts of Chipotle customers, for $1.3 million. Visa and MasterCard fined Chipotle (either directly or through its acquiring bank) an additional $1.7 million. Legal fees racked up another $1.3 million. The intangible costs—the loss of faith in the merchant, card issuer, and payment network—were anyone’s guess.

PCI compliance would have avoided all that, according to Eduardo Perez, vice president of payment system risk at Visa USA. “First and foremost, we want to prevent the compromise of full-track data. That’s the most coveted by criminals and that’s the data we want to make sure merchants don’t store,” he says. The key message of PCI is “Don’t store it if you don’t need it.”

But some very rational business reasons exist not to delete cardholder data, says Kathleen Nugent, vice president of business development for Paymetric, which makes electronic-payment software that integrates into enterprise systems such as SAP. Visa and MasterCard charge lower fees for transactions including the card verification number or an address verification, she explains. With business-to-business orders involving multiple deliveries—and thus multiple credit-card transactions for a single order (you don’t pay until they ship, after all)—deleting such verification data can mean higher costs for a merchant.

Implementing PCI Security

The standard, available at PCISecurityStandards.org, is more prescriptive than most, says Don Roeber, director of IT internal audit at Chase Paymentech, the world’s largest merchant acquirer.

“Sarbanes Oxley says, ‘Thou shall control access to info.’ PCI says, ‘This is basically how you’re going to do it,’” Roeber explains. “PCI is brass tacks whenever you are storing credit card data.”

POINTERS

The key points to remember about PCI compliance are:

If you don’t need it, don’t store it.

Industry players with sufficient leverage can force major security improvements down the food chain.

Encrypt sensitive data at any point it might be accessible to an intruder.

For example, PCI demands that certain card data be encrypted, truncated, or otherwise rendered unreadable anytime it is exposed to possible hacking—that is, whenever stored, processed, or transmitted. Achieving that level of security isn’t easy, Roeber says. Some companies are able to segregate card-processing functions from their other systems, substituting a firewall for encryption. Most, he says, aren’t so lucky.

The biggest hurdle in PCI compliance has been encryption, which Roeber describes as “expensive and cumbersome to implement and, from an overhead standpoint on infrastructure, a lot of tuning has to be done.” Performance issues have been a particular problem at big-box retailers with the highest transaction volumes, he says. Merchants also face challenges including the PCI standard’s demand for extensive audit logging so that breaches can be traced, as well as intrusion detection, prevention, and file-integrity monitoring, he adds.

Mark Carney, director of strategic solutions for FishNet Security, a qualified security assessor for the PCI standard, says some merchants have much different problems. He tells of one client that believed its cardholder data was stored in Australia, Ireland, and the United States, but discovered it in Brazil and Canada also.

“Even large organizations may not know where their cardholder data is,” Carney warns.
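As an added illustration of the two points above, rendering the card number unreadable before it is stored and finding cardholder data that ended up where nobody expected it, here is a small Python module that is not code from the article or from any company it quotes. It drops the fields the standard says not to keep after authorization, truncates the PAN to the first six and last four digits, and scans free text such as a log for Luhn-valid card numbers. The record, the log lines and the card numbers are constructed (well-known public test numbers), and the field names are assumptions.

```python
"""Cardholder-data hygiene: strip what should not be stored, truncate the
PAN, and scan text (logs, exports) for card numbers that leaked into it."""
import re

# Constructed sample of what a card swipe yields; field names are assumed.
SWIPE = {
    "name": "A SAMPLE",
    "pan": "4111111111111111",            # public Visa test number
    "expiry": "12/09",
    "cvv": "123",                         # never to be stored
    "track2": ";4111111111111111=0912?",  # full-track data, never stored
}

# Constructed log lines; one real-looking PAN, one truncated, one failing Luhn.
SAMPLE_LOG = """\
auth ok pan=4111111111111111 amt=12.50
stored pan=411111******1111 amt=12.50
ship 2 of 3 card=5500 0000 0000 0004
trace id=4111111111111112
"""

FORBIDDEN = ("track1", "track2", "cvv", "pin")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything between."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of a swipe record that may be kept, PAN truncated."""
    kept = {k: v for k, v in record.items() if k not in FORBIDDEN}
    kept["pan"] = truncate_pan(record["pan"])
    return kept


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs (spaces/dashes allowed) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running `find_pans` over the sample log flags only the two untruncated, Luhn-valid numbers; the truncated value and the digit run that fails the check are ignored.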

PCI is not a cure-all for data security. For example, Roeber says, a merchant can be PCI compliant with unencrypted address data, so long as the card number is indecipherable—but that violates the Gramm-Leach-Bliley Act.

On the bright side, Roeber adds: “If you are fully compliant with the PCI data security standard, there’s not a lot of extra work you’ll have to [do to] satisfy Sarbanes Oxley or SEC regulations.”

Cass Brewer, research director for the IT Compliance Institute, agrees that PCI is robust. “Vulnerability scans, penetration tests, encryption, network protection, changing passwords, system defaults—these are all common sense and almost universal security requirements for any number of security standards and regulations that companies in other industries are using to protect their corporate data,” she says.

For merchants that base their IT security on COBIT or ISO 17799, there’s no need to scrap their work in favor of PCI, either. “They just need to make sure their policies also comply with PCI, and in many cases that’s a given,” she says.

And PCI, although unabashedly payment-focused, could spread to other industries, protecting Social Security rather than credit-card numbers. “The principles within the PCI DSS can apply to other sensitive data,” Visa’s Perez says. “We get constant feedback on that point.”