They lay out the missteps of others so you can be spared a similar fate.
Roger Nebel has seen plenty of payment card industry security violations in his day, but one retail client's transgressions were the worst.
The trouble started with the retailer's checkout counter machines, where customers swipe their credit cards, recalls Nebel, director of strategic security for Washington D.C.-based FTI Consulting. The client used two versions of the point-of-sale system in various locations--an older version that didn't encrypt cardholder data, and a newer version that did.
Then, the retailer's POS device vendor used a well-known Web-based program to remotely manage several systems with a common user ID and password. Meanwhile, the client failed to log activity on the systems, there was no security monitoring in general, and several sites lacked adequate antivirus software.
The environment was ripe for the picking, and one or more thieves eventually lifted credit card data from several locations using a Trojan horse program.
"This business took every wrong turn you can take," Nebel says. "There was an insufficient management presence, a lack of IT leadership and no strategic planning, and the technology they were using was ancient." The retailer also failed to make sure that the vendor was taking appropriate security measures on its end, he adds.
Nebel's client is an extreme example, but when it comes to the challenge of meeting the PCI Data Security Standard for protecting cardholder data, auditors see plenty of retailers struggling.
Under the standard, level 1 businesses--those that process more than 6 million credit card transactions a year--are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 and 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans.
The standard sets out 12 basic security requirements, including encryption, access controls and firewalls. Penalties for noncompliance include fines of up to $500,000, increased auditing requirements and even losing the ability to process credit card transactions.
When reviewing what merchants are doing to protect their customers' credit card data, auditors typically find the following problems:
- Inconsistent encryption across a company's computer system: The encryption protects credit card data as it travels through one part of the network, but not as it travels through another.
- No network activity logs, which make it nearly impossible to spot someone trying to access credit card data.
- Unnecessary storage of credit card data and, making matters worse, failure to isolate the data from less secure parts of the network.
- No regular scans for software vulnerabilities and abnormal activity.
- Compliance complacency after the mandates for Sarbanes-Oxley and HIPAA have been met.
Nebel has spent several months working with half a dozen companies on their PCI compliance. Some are large retailers, while others have approached his firm because they've suffered a security breach, or the Securities and Exchange Commission (SEC) is investigating them.
"We're called in to do a PCI audit when something bad has happened and a company is in trouble," he says.
Joseph Krause has also seen his share of troubled clients as senior security engineer for Chicago-based AmbironTrustWave, one of the largest auditing firms in the world. He says the company is working with about 300 service-provider clients--organizations that process, store and transmit cardholder data. Add in the merchants and everyone else, and his firm is dealing with about 30,000 clients just on PCI compliance. For at least two of his large customers, the path to compliance has been especially difficult.
"A couple of larger companies needed a significant redesign of their IT infrastructure just so they could address the PCI controls," Krause says. "The biggest factor is encryption. If you can't encrypt your data, you have to isolate it."
Companies bound by multiple regulations and industry standards have had a particularly tough time, he says, because controls that are sufficient for one or two regulations won't necessarily cut it under PCI.
"Companies nowadays are dealing with many different compliance regimes with different data sets," Krause says. "HIPAA couldn't care less about credit card numbers. An encryption solution that operates on the systems where HR data is housed and works for HIPAA doesn't apply to PCI."
For others, he says, it can be a nightmare pinpointing every corner of the network where credit card data can travel.
"In the higher education world, having a grip on that is an impossible task because it's a Wild West environment," Krause says. "You may have some student setting up [an unsanctioned] side business in his dorm room that takes credit cards, or a professor selling a book he wrote. Then there's the cafeteria, where independent food vendors are taking credit cards--they are all operating on the institution's network in some fashion."
Another PCI auditor--Kenneth Rowe, principal of Scottsdale, Ariz.-based Chief Security Officers--says that many of his clients have good controls in place but lack the proper documentation. Some have no written security policy, while others have no audit trail. Then there are clients who don't grasp the need to have their networks more segmented so that data stored in one part of the network is protected from other parts, where potentially malicious users may lurk.
"If you wall off the area where your credit card data is kept, hackers won't be as successful because they won't find as much fish floating in the ocean," he says.
Even with the right amount of encryption and network segmentation, the auditors agree that retailers shouldn't store credit card data unless it's absolutely necessary.
"We're really trying to get companies not to store this data," Rowe says. "If you don't store it, you don't have to worry about encrypting it."
Jennifer Mack, an auditor with Herndon, Va.-based Cybertrust, shares that sentiment: "I tell people to understand the nature of the sensitive information they have, and whether it's healthcare data or credit card data, I tell them to get rid of it. Don't store it, or, if you have to, make sure it's secure."
A Retailer's Experience
Like many of the auditors' clients, David Fournier has suffered his share of PCI-related headaches. As senior information security analyst for a Scarborough, Maine-based retailer with more than 100 stores throughout New England, he's in charge of the company's PCI compliance efforts.
The company processes approximately 2 million credit card transactions per month and hired an auditor to help ensure that it's keeping adequate track of where credit card data travels on the network, and that it's encrypted every step of the way.
"One of the biggest challenges was to understand how our checkout counter computer software handles credit card data, and how to secure it to the auditor's satisfaction," Fournier says. "It's not an in-house application, so we really had to work with the vendor and figure out what the security controls were."
Eventually, the company had to ask the vendor to make encryption enhancements and eliminate some of the credit card data it was storing. "Once the data is sent to the payment processor, we don't need to hang on to it anymore," he says.
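The auditors' advice above (don't store card data; find every place it lands) and Fournier's post-authorization cleanup suggest a concrete pattern. The following is an added example, not code from the article or from any vendor named in it: a Luhn-validated scan that finds card numbers that have leaked into logs or files, a log scrubber that masks them, and a retention function that keeps only a minimal post-authorization record. The field set kept (last four digits, auth code, amount) and the sample log line and record are constructed assumptions.

```python
import re

# Constructed sample input: an order id that looks like a card number but is not,
# next to a well-known test PAN (4111 1111 1111 1111) that has leaked into a log line.
SAMPLE_LOG = "order=1234567890123 pan=4111 1111 1111 1111 amount=42.00"
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "auth_code": "A1B2C3", "amount": "42.00"}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from order ids and other numeric noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _candidate(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text (for sweeping logs, dumps, shares)."""
    return [d for d in (_candidate(m) for m in PAN_RE.finditer(text)) if d]


def scrub(text: str) -> str:
    """Mask every Luhn-valid PAN in a log line, keeping only the last four digits."""
    def mask(m):
        digits = _candidate(m)
        return "*" * (len(digits) - 4) + digits[-4:] if digits else m.group()
    return PAN_RE.sub(mask, text)


def minimize_for_storage(record: dict) -> dict:
    """Drop the PAN once the processor has it; retain only what reconciliation needs (assumed fields)."""
    pan = re.sub(r"[ -]", "", record["pan"])
    return {"last4": pan[-4:], "auth_code": record["auth_code"], "amount": record["amount"]}


if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))          # only the real PAN, not the order id
    print(scrub(SAMPLE_LOG))
    print(minimize_for_storage(SAMPLE_RECORD))
```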
Another challenge was trying to interpret the specific requirements of PCI and get an exact fix on all the necessary technological and cultural changes.
"We've been through the requirements of Sarbanes-Oxley, which is vague, and the PCI standard seemed cut-and-dry at first," Fournier says. But when he talked to his auditor, he found that things were a lot more complicated.
The auditor took special note of the company's use of wireless technology: "No credit card transactions go over the wireless, but wireless is always a red flag to auditors, so we did some tightening and segmentation of the wireless environment to further isolate it from the rest of the network," Fournier says.
He also learned that his company needed a more defined process for vulnerability scanning, which prompted it to buy a new tool. "We did some small-scale, in-house stuff, but it wasn't to the scale of what PCI demanded. We still have a small staff, so to do what PCI wanted, we needed a vulnerability scanning tool that was more automated."
Words of Wisdom
Fournier's story shows that, while PCI compliance is a tough nut for many retailers to crack, most are able to work with auditors to eventually achieve compliance.
"More companies are getting a grip on where their data is going and on ensuring that only certain people can access it," says Cybertrust's Mack, adding that clients are also getting better at writing security policies.
Chief's Rowe says he has worked with companies to develop a list of best practices that will help not only with PCI compliance, but with other standards and regulations. His first order of business with a new client is fact-finding; from there, he draws up a list of the identified weaknesses that a company needs to correct and offers advice on how the issues can be addressed.
The auditors agree that companies will be in good shape if they're following such basic best practices as having a security policy that's backed 100 percent by upper management, a solid patch management process, up-to-date antivirus protection, firewalls and--if possible--an intrusion detection system. And, of course, clients are advised to segment their networks and store as little credit card data as possible, encrypting whatever must be saved.
"I tell clients that it's not an easy process, and it's an educational experience," Ambiron's Krause says. "If you are not familiar with information security, you won't get it. We really work to help them understand the notion of security and how the PCI rules apply."
Meanwhile, James DeLuccia, an independent auditor based in Atlanta, says he urges his clients not to rely on just one auditing organization. "I tell them to rotate the auditors so they'll have fresh perspectives and get a second opinion," he says.
Along the way, auditors encounter retailers and others who gripe about the high cost of compliance. Some even claim that auditors are in league with security vendors, and that compliance in general is a big scam designed to force businesses into spending more on security.
Auditors say they've dealt with their fair share of curmudgeons, but that most clients understand the necessity of these standards and genuinely want to do what's best to secure their customers' sensitive information.
"While this can be an expensive process, most people understand that these standards and regulations are in response to white-collar crime," and not a gouging effort, FTI Consulting's Nebel says.
DeLuccia doesn't doubt that, in the past, some auditors have had an agenda to promote certain vendors and products, but he doesn't think that's as much of an issue today. There are also more companies capable of conducting audits today, and there are more Web sites with information on alternative technologies that merchants can use if they can't afford a specific security tool, he says.
"Before, there were fewer companies capable of auditing," he says. "Now, Visa and MasterCard have authorized many more assessors. More parties involved means more transparency."
While the number of certified PCI assessors is growing, joining the ranks is no small feat: It's an expensive and time-consuming process.
Auditors must be certified, a process often handled by Visa but recently taken over by a newly formed PCI standard oversight group. (See "PCI Version 1.1".)
Cybertrust went through a rigorous application process and is required to renew its certifications every year, whether it's for the company as a whole or the individual auditors, Mack says. As part of the certification process, auditors must take a two-day training course and pass an exam.
"You have to apply and fill out an application, all your people need background checks, and we had to double our insurance coverage to meet Visa's requirement," Rowe says of his company's experience. Once his firm's application was approved and it paid the initial $20,000 fee, it had to pay another $500 for each employee sent to PCI training.
Between the initial fee, training fees, travel expenses and insurance hike, Rowe estimates his company spent $50,000 to be certified. "It'll be another $20,000 to $25,000 a year to maintain it," he says, adding that some companies have dropped out of the auditing businesses because of the cost and liability.
For Rowe's company, the profit has far outpaced the expense, making it worth the effort. "It pays for itself, and it's a good moneymaker," he says.
Befriend Your Auditor
While some merchants may have a testy relationship with their auditors, Fournier says it doesn't have to be that way--he had a good working relationship with his auditor, and he believes that his company's security is stronger today as a result.
"Have a good relationship with your auditor because that's how you'll gain the most information," Fournier says. "It's going to take some budgeting, and there's some technology that'll cost money. But, it'll get you to where you need to be."