With the goal of reducing fraud, the credit card associations' PCI standard scores points for clarity.
Credit-card fraud losses:
Complying with a straightforward standard:
Source: Privacy Rights Clearinghouse, number of accounts compromised since ChoicePoint breach in February 2005; The Nilson Report, $1.05 billion in credit-card fraud in 2004.
Getting corporate executives to approve money for security projects can be like pulling teeth. But when Erik Goldoff, IT systems manager at The Honeybaked Ham Company, explained to the company's top brass the steep penalties for not complying with the Payment Card Industry Data Security Standard, dollars earmarked for security soon flowed.
"From down in IT, it's very difficult to get any cost approved that doesn't generate revenue," says Goldoff. "If there is not some substantial return, [a project] may get sidelined or pushed to the next fiscal year."
The Norcross, Ga.-based specialty meat retailer is among the thousands of companies working to comply with the standard--more commonly known as PCI--created by credit card associations. Nearly a year after the deadline for PCI compliance, many large companies are well along in the implementation of IT security measures designed to protect cardholder information. At least five million U.S. merchants are affected by PCI, according to Visa U.S.A.
Similar to regulatory requirements such as SOX and HIPAA but not legally binding, the standard has gotten the attention of C-level executives and spurred infosecurity spending. Yet unlike some legislative attempts to mandate cybersecurity, PCI wins praise from security experts for providing specific requirements on encrypting data, implementing access controls and configuring firewalls.
"PCI tells you exactly what you have to do," says Alan Paller, director of research at the SANS Institute.
As of June 30, 2005, merchants at levels 1, 2 and 3 (based on the number of credit card transactions processed annually) were required by credit card associations to implement the procedures documented in the PCI requirements, or risk being slapped with thousands of dollars in fines--or worse, losing the ability to process customers' credit card transactions.
That's a pain point organizations of all sizes can relate to. "Everyone who processes credit cards lives or dies on that income--churches, schools, government, retailers," says Paller.
PCI requires companies that store, process and transmit credit card holders' information to devise information security policies, harden and routinely test network security hardware and software, and keep security products updated with vendor-distributed patches. PCI also mandates quarterly network scans and annual network audits, depending on a company's level.
To date, of the level 1 merchants tracked by Visa (which generate about half of all Visa transactions), "over 90 percent have gone through [a PCI] audit and are now engaged in remediation issues found in the audit," says Visa U.S.A.'s Jennifer Fischer, a senior information security analyst at the Foster City, Calif.-based credit card giant. Level 1 includes any organization processing more than 6 million Visa transactions per year. She acknowledges that "there is a lot of work that needs to be done to comply [with PCI]"; many businesses are still in the process of coming into compliance.
Christine Elliott, a spokeswoman for American Express, says the company is in close talks with its merchants about PCI compliance. "They understand the importance of data security and are working aggressively to protect it," she says. "It's their own brand and the cachet that goes with it [that's at stake should a breach occur]."
Archrivals in any other context, credit card companies are aligned behind PCI to the relief of IT security and privacy personnel who must guard credit card data. PCI, in effect, takes precedence over earlier efforts like the Card-holder Information Security Program, established by Visa in 2001, and MasterCard's Site Data Protection program. In 2004, Visa and MasterCard combined their programs and created the PCI guidelines; American Express, Diners Club and Discover Card endorsements soon followed.
Getting On Board
Honeybaked Ham's Goldoff says that the company had deployed firewalls at each of its 400 retail, corporate-owned and franchise locations, but had not made use of intrusion detection at every site. "An IDS will tell you you're getting hit, but you'll also get a slew of false positives," he notes.
Keeping PCI requirements in mind, Honeybaked Ham went a step further and purchased Top Layer Networks' IPS, which Goldoff says can "block a lot more sophisticated attacks than our firewall by recognizing certain exploit characteristics."
The company also embarked on an eight-month, company-wide personnel and policy training program related to PCI. "Our HR and operations teams had everybody at the table," he says.
Overall, Goldoff says a number of the items required by PCI "would be considered low-hanging fruit" by IT security personnel, while other items "take concerted effort."
For Accor North America, which operates more than 1,200 hotel properties including Sofitel and Motel 6, PCI was a catalyst for a major data encryption project. PCI compliance--along with assuring customers that the company keeps its information secure--is a priority for Accor.
"What we want to do is make sure that any system we use to store or transmit credit card information has the highest level of encryption we can apply," says Harvey Ewing, Accor's senior director of IT security. "The biggest issue with that is key management."
Accor installed RSA Security's Key Manager software to manage encryption keys across its properties, regardless of operating system or back-end database, and to easily apply encryption to legacy applications and infrastructure.
Ewing agrees that PCI helps win funding from corporate management for security projects. "It's one thing for the security department to let executives know the benefits of encrypting data and how that's going to protect the company," he says. "But when it's reinforced by a standard like PCI, that's a lot of leverage when you're requesting the funds."
12-step Program for Compliance
Unlike some government regulations, the PCI standard is praised for its clarity. Here are the 12 basic requirements.
Whether it's mandating encryption or intrusion detection, eliminating vendor-supplied passwords, or ensuring that antivirus audit logs are kept current, PCI's clarity has won many converts. The standard sets out 12 requirements, which are detailed in multiple sub-requirements.
"[PCI is] very specific, clear and pragmatic," says Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group's U.S. headquarters in Atlanta. "People who have worked with traditional technology standards might not be happy because PCI doesn't meet a lot of the historical criteria to be called a standard. You can give it a different name, but PCI does seem to be very [useful] in terms of strengthening data security."
PCI is a common-sense approach to security, says Jennifer Mack, Cybertrust director of compliance product management. Customers "are loving PCI because now they have some driver to force their company into spending," she adds.
Barak Engel, CSO at LoyaltyLab, a San Francisco-based company that serves as its clients' outsourced CRM application, says PCI's clarity helps with encryption. "Everybody talks about encryption, and people have come to view encryption as a magic bullet. Deploying encryption properly is something the PCI standard provides a lot of detail on. It gives you solid and specific guidelines," he says.
Self-regulation of the sort PCI represents beats federal oversight, according to PCI implementers and observers.
"Most [other] regulations in the U.S. and other countries are written in broad language to allow for differences in various industries and business size," Goodendorf says. "This makes it difficult to impose technical specifications on technology vendors and to have a high level of confidence that compliance is adequate."
Plus, standards are generally easier to update over time than laws, she adds.
PCI also could lay to rest some ambiguity generated by the 1999 passage of GLBA, a piece of legislation that pushed banks, insurance companies and other financial institutions to protect consumers' financial information. GLBA's vague wording raised questions among other kinds of companies that collect consumers' private financial data, including credit card information, about the proper procedures they ought to implement to secure that data.
SANS's Paller notes that PCI is the only standard or regulation "at a low enough level to actually make a difference. Every other standard in security is at the 10,000-foot level."
Not everyone agrees on PCI's effectiveness. Earlier this year, Gartner Group released a report critical of PCI, noting that the standard "is too broad in scope, too detailed in some areas and not enough detailed in others.... That standard reads like a 'Best Practices Security Manual,' which, while laudable, goes beyond the immediate goal of protecting cardholder data."
Certainly, PCI is not a one-size-fits-all proposition, notes LoyaltyLab's Engel. "Each environment has certain quirks that need to be addressed." For example, by complying with PCI, LoyaltyLab is able to assure that its customers--such as 1-800-FLOWERS--had peace of mind that their customers' credit card data is secure, Engel says. In turn, the company had to identify a hosting provider who would be willing to "play ball with us," in part by agreeing to virtually separate LoyaltyLab's corporate network from the hosted environment. "Our list of requirements was a little bit longer," Engel says, but managed hosting provider RackSpace met the criteria.
How to Survive a PCI Audit
While neither attaining nor assessing PCI compliance is any small feat, IT security professionals say there are steps you can take to make the audit process less burdensome.
PCI stipulates that all Level 1 merchants--those who process more than six million credit card transactions per year--must do a yearly on-site audit of their security systems and procedures. The assessment may be conducted by internal staff (and must include a signoff from a C-level officer) or by a third party.
Some steps are a matter of common sense. Organize your documentation, advises Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group. "Identify in advance the key contacts internally who will need to meet with the auditors."
Some mandate a proactive stance. "My number-one recommendation is to evaluate and assess your adherence to PCI," says Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based consulting firm authorized by Visa to assess companies' PCI compliance. "Remediation activities should be initiated to cure any deficiencies before the auditors arrive on-site."
It also helps to approach audits--and compliance in general--"with a risk-analysis mind-set," notes Barak Engel, CSO of LoyaltyLab, a PCI-compliant provider of outsourced CRM applications.
Think like an auditor, Engel says: "Figure out where the risk is." He cites a company that began a lengthy credit card encryption process as part of its PCI compliance, only to stop to consider whether it actually needed to store the numbers in as many places around the network as it had. Unable to justify storing the data on multiple servers, IT consolidated the information, shrinking the encryption project drastically and making it easier for auditors to verify the information was secure.
Another critical point underscored by Rowe: Ensure that under no circumstances do you store cards' security codes--the last three digits on credit cards' signature panel.
Organizations categorized below level 1 aren't required to do an audit, but some nevertheless hire an outside auditor to verify PCI compliance, Rowe says. "Insiders can be under pressure not to report bad news."
His company works with clients on setting the scope of the PCI audit, which Rowe says is often the trickiest part. For example, a sampling of credit card security procedures may be sufficient to verify compliance for a merchant with a couple thousand stores, each storing card data but on a common point-of-sale system. Yet, if each store has a different POS system, an audit will take much longer--each store's security procedures have to be checked and validated, he says.
CSO has made its share of tough recommendations to clients. "The most unpopular is [advising a company] to segregate POS networks from other corporate networks," Rowe says. "This can significantly reduce the scope of a PCI audit, but typically involves significant work on the IT side to implement."
--AMY ROGERS NAZAROV
Though PCI compliance is not enforced legally, Adam Hils, director of security strategies at Top Layer Networks, believes that "Visa, MasterCard and Diners Club want people to trust their brands. If a million consumers have their data stolen, they will look for someone to blame."
What's more, Hils adds, meeting these compliance standards is good for merchants' business because protecting customers' data will ensure their loyalty.
From the credit card associations' perspective, the banks issuing the cards are key partners in disseminating information about PCI, ensuring that merchants are taking steps to comply with PCI and enforcing PCI compliance, noted officials with Visa and American Express. (MasterCard would not comment.)
"Our merchant banks are really merchant liaisons," says Visa's Fischer. "They hold the relationship with the merchant. They educate their merchants and make sure they are going through the appropriate validation actions."
And yet, Fischer says, it's the merchant banks that are likely to feel the pain of enforcement first. "We could penalize them if their merchants are not complying with PCI," she says. To that end, some banks are sending out fine schedules to merchants that have not demonstrated PCI compliance by set dates, says Cybertrust's Mack.
In terms of firmly bringing a merchant in line with credit card companies' expectations, the first step would be a consultative one, says American Express' Elliott. "It may be as simple as a merchant not understanding what is involved [with PCI compliance] and not knowing where to go to resource something. On a case-by-case basis, there are remediation steps we can take."
Terminating support for American Express transactions "would be a last resort," Elliot says. She refused to comment on any specific terminations that the company has undertaken.
Like Elliott, Fischer would only say that Visa has "terminated relationships with merchants, and we have levied financial penalties against merchants. Once a penalty is levied, we are expecting that they are going to comply."
Visa and MasterCard threatened to terminate CardSystems Solutions as an approved Visa processor last year after a breach exposed 40 million credit cards. But they never severed ties with the third-party payment processor (since acquired by Pay By Touch), according to Eric Bachman, chief operating officer at Pay By Touch. After the breach, CardSystems "spent millions of dollars fixing the security of its system," he says. "In the end, CardSystems went above and beyond in meeting the security requirements of [Visa and Master-Card]." He adds that card companies don't want to see merchants shut down.
However, the threat of termination and financial penalties from credit card companies have made executives sit up and take notice. "That $500,000-per-incident [penalty fee] certainly caught my attention," says Intercontinental's Goodendorf.
Aside from PCI-related penalties, companies clearly want to avoid the embarrassment of a security breach such as the DSW Shoe Warehouse imbroglio that allowed attackers to access more than 1.4 million customers' credit card numbers and other sensitive financial data. California's SB 1386 has forced companies to disclose breaches affecting the state's residents; other states have followed with similar laws.
And, credit cards are a favorite target for online thieves. In March, the U.S. Secret Service announced 22 arrests from an undercover operation targeting Inter-net fraud; most of the charges were related to credit card fraud.
PCI is an equalizer of sorts among companies with established IT personnel and procedures in place, and smaller entities that process much fewer credit card transactions each year.
"[The standard] is taking companies that have traditionally been involved in the area of delivering products and services, and getting them much more involved in IT security," says Ed Kountz, a senior analyst at Jupiter Research.
Merchants that process 150,000 to six million online credit card transactions per year are classified as level 2, while those handling 20,000 to 150,000 e-commerce card transactions annually are designated level 3. All others fall into level 4.
It's the smaller companies who process fewer than 150,000 transactions per year that are most likely to drag their feet on PCI compliance, preferring instead to have a "wait-and-see" attitude, notes Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based company authorized by Visa to perform PCI assessments.
SANS's Paller concurred. "A lot of people are waiting to see what happens if they don't [comply]," he says. "It's a little like HIPAA when it was first passed; 'let's find out who is hurt'" before expending the time and energy to comply.
In that regard, LoyaltyLab is an anomaly. Engel designed the company's security policies and network to be PCI-compliant--and then some--from the ground up. "We have had background checks from employee number one, and we do segregation of duty, which you just don't find in many small companies." For example, LoyaltyLab's database administrator is not permitted to decrypt stored credit card numbers.
Engel recognizes he had the luxury of designing the system rather than retro-fitting an older system for PCI compliance: "It proves yet again the notion that it costs a heck of a lot less to design something securely than to make it secure as an afterthought."
Are Changes Afoot For PCI?
While PCI is lauded for its clarity, there are still questions in terms of meeting the standard's requirements.
"We specifically get questions around scanning, pen testing, encryption and audit logging," says Jennifer Mack, director of compliance product management for Cybertrust, an authorized PCI auditor. "We told [the credit card associations] that companies would like more interpretation on these."
Barak Engel, CSO at LoyaltyLab, believes the encryption requirements are straightforward, but hopes for some clarification in terms of scope. Do retailers have to encrypt store cash cards that carry no personally identifiable information? Right now the answer is "probably not," which is saying just as much as "better safe than sorry."
Many of these concerns have been reported to the credit card issuers and auditors say there will be updates to the standard this summer.
Among possible changes, vulnerability scans will be recommended for level 4 merchants on a quarterly rather than an annual basis, as determined by the merchant's acquirers. "VISA and MasterCard are communicating this out to the banks," says Mack.
Lastly, the credit card associations may create a fifth tier that will group together merchants that have 1 million to 6 million online credit card transactions per year. Currently, level 2 is defined 150,000 to 6 million transactions per year.
More Requirements Ahead?
In the future, companies may have more to deal with than PCI and regulations like GLBA when it comes to protecting consumers' data.
For example, HR 3140--which would expand the protection of "sensitive consumer information" in part by requiring financial institutions, reporting agencies and other organizations to notify consumers of data-security breaches--was among several bills introduced last year by Rep. Melissa Bean (D-Ill.). Sens. Dianne Feinstein (D-Calif.) and Bill Nelson (D-Fla.) are among those who introduced bills that would require consumers be notified if sensitive data is compromised. The proposed legislation includes--but is not limited to--the protection of credit card information.
"We haven't seen the last of federal or state legislation that will pertain to keeping consumer data secure.... It's going to be more and more important for us to be proactive in our approach to meeting today's standards, such as PCI, and ones we believe are heading for the industry in the future," Accor's Ewing says.
However, given the "relatively slow-moving process" of law-making, many organizations are hopeful that PCI will forestall additional legislation--at least temporarily, says Jupiter's Kountz. "There's a feeling that [state and federal bodies] could take a simple problem and make it more complex, and many would like to avoid that if at all possible," he notes.
In the absence of additional legislation, security professionals are applying their own expertise--guided by PCI and refined by their organizations' specific needs--to secure the credit card transactions on which their revenue depends. Well-publicized security breaches not only drive home the alarming possibility that it could happen to you, but are also motivation to ensure that it doesn't, says Honeybaked Ham's Goldoff.
"Fear and ethics"--the ethical obligation to take care of customers' data as vigilantly as you would your own--"make us very protective," he says.