Updating PCI Compliance to Thwart Breaches

Breaches of consumers’ personal information are quickly becoming one of the biggest operational risks facing any business conducting electronic commerce. How big? The Federal Trade Commission estimates that breaches of “PCI” hit 9 million Americans and cost about $52 billion—annually.

With so many PCI security breaches making headlines, you can’t help but question how effective most PCI compliance programs actually are. The massive breaches at Heartland Payment Systems in 2009 and at TJX Cos. in 2006 are only two examples, which underscore the need for even more stringent methods to safeguard customer confidential data. A recent Ponemon Institute survey of 43 businesses that had experienced a data breach found that 84 percent had multiple breaches; nearly all cases (88 percent) involved insider negligence.

Weaknesses like that, combined with the lack of any federally mandated privacy standard, have created a policy vacuum that states are trying to fill individually. That, in turn, has created a complex web of standards where the most stringent state rules become the de facto guide for businesses doing interstate commerce. Massachusetts passed one of the toughest state laws for PCI compliance in 2008, officially called 201 CMR 17.00. After several extensions, Massachusetts has set implementation of its new law for March 1 of this year. And Nevada has now one-upped Massachusetts as the “toughest state data security law” by passing a state law mandating PCI compliance effective Jan. 1, 2010.

The Massachusetts law applies to all organizations that own or license personal information about a resident of the state. Like other state laws, it aims to protect the security and confidentiality of personal customer information against unauthorized access. “Personal information” is defined as a resident’s first and last name or first initial and last name in combination with one or more of the following: Social Security number; driver’s license number or state-issued identification card number; financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. The exclusion: “personal information” shall not include information lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

So let’s translate that law into your compliance program. Broadly speaking, businesses with private customer information must develop, implement, and maintain a risk-based information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards. Additionally, the law mandates computer security requirements, including robust access controls and encryption methodology.

The foundation for any compliance program should begin with an assessment of how PCI is used, stored, and handled (including access by external users of your data). An inventory of the storage and user population of PCI data helps you determine the scope of exposure and evaluating the controls currently in place. For example, compliance officers should verify that the users are authorized and required to handle PCI. The data should be stored in a secure manner regardless of the medium and accessible only by authorized users. Take precautions to handle PCI data using secure or encrypted applications to prevent inadvertent transmission to unauthorized users.

Most companies have already implemented basic encryption protections such as password-protected access to company laptops and cell phones; if you don’t do that yet, start. Controls supporting PCI data must be monitored on a regular basis due to changes in new business relationships, vendors, and electronic means of communicating between customers and third-party service providers. Compliance officers must also extend their risk-assessment programs beyond the borders of their own firm to include monitoring the SAS 70 reports provided by vendors or other third parties who have off-site access to your data. For example, if you ship company records to a records management firm, you should ensure that it has adequate controls for access, handling, retention, and disposal of PCI data.

Protocols around the reporting of breaches not only should address regulatory requirements; they should ensure that the breach is contained and remediated as quickly as possible.

Ironically, new state laws that are now mandating regulatory Written Information Security Programs (“WISPs”) aren’t much more comprehensive than what currently exists in most firms’ information security policies and procedures. The irony is that Chief Information Security Officers haven’t been able to enforce compliance with their own policies either, due to complacency about how businesses use this data or limitations in technology that undercut safe and secure handling and secure access of personal customer data.

As an example, many businesses have several sub-contractor relationships where PCI is shared. These sub-contractors may be providing additional services on behalf of the company or may be part of an outsourced service the original firm could no longer handle. When this information is transported using unencrypted e-mail, minor breaches routinely occur. Another example is the use of secure Websites between a vendor firm and the parent firm, where access controls are not verifiable by the parent. The parent firm is responsible and liable for the access controls of the vendor, even when vendor controls aren’t as stringent as the parent’s.

Oversight of sub-contractor relationships typically stops with the execution of contractual language holding the vendor responsible for compliance. Unfortunately, responsibility for ensuring compliance cannot be delegated to the sub-contractor. Conducting on-site visits, reviewing procedures, performing spot checks, and developing compliance performance metrics with vendors helps to ensure that vendors are paying attention to your PCI. Take all these steps.

Overcoming in-house complacency in handling customer data is particularly challenging, partly because business today is so complex; e-mail, fax transmission, Websites, social networking, and other electronic media, while improving efficiency, also all create exposure to internal threats of unauthorized transmission or worse. Creating a comprehensive plan requires cooperation and trade-offs between cost, convenience, and compliance. Smart storage systems are now being implemented across large firms that create secure environments for sharing with authorized internal users. These “smart stores” incorporate records management procedures for access, retention, and disposal. The use of smart stores reduces the need for e-mailing sensitive data between parties, since they allow easy access from one central location.

Performing surprise compliance reviews and implementing clean-desk policies does raise awareness of the importance of protecting PCI data. But I’ve found that you develop real, sustainable performance only when you combine these stern measures with incentives that reinforce the importance of PCI. Don’t underestimate the significance of having fun and awarding a department for the best use of encryption or most creative controls for protecting PCI data.

All that being said, inadvertent breaches do occur even with the most conscientious compliance programs. When you experience a PCI breach (notice I did not say “if you experience”), everyone involved must understand the importance of timely escalation and response to the event. Protocols around the reporting of breaches not only should address regulatory requirements; they should ensure that the breach is contained and remediated as quickly as possible.

Information Security Officers must begin to educate senior management about the need for a more robust solution to protect PCI. Developing a response to the increasing regulatory requirements is just the first step to setting up defenses to protect customer information. Industry groups must get together with vendors to develop more uniform and easy-to-implement technology solutions, both within and across firms and between trusted business partners who need to share this data.

Risk assessments of PCI data must be comprehensive. Review how PCI is used, with whom the information is shared, where the information is stored, and how the data is moved between users. Monitoring of PCI data must be continuous due to the rapid changes in business process and in response to customer demands for doing business. There are no easy answers today, but now is the time to redouble efforts to prepare for one of the greatest threats to your business in the new millennium.