How to Survive a PCI Audit
While neither attaining nor assessing PCI compliance is any small feat, IT security professionals say there are steps you can take to make the audit process less burdensome.
PCI stipulates that all Level 1 merchants--those who process more than six million credit card transactions per year--must do a yearly on-site audit of their security systems and procedures. The assessment may be conducted by internal staff (and must include a signoff from a C-level officer) or by a third party.
Some steps are a matter of common sense. Organize your documentation, advises Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group. "Identify in advance the key contacts internally who will need to meet with the auditors."
Some mandate a proactive stance. "My number-one recommendation is to evaluate and assess your adherence to PCI," says Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based consulting firm authorized by Visa to assess companies' PCI compliance. "Remediation activities should be initiated to cure any deficiencies before the auditors arrive on-site."
It also helps to approach audits--and compliance in general--"with a risk-analysis mind-set," notes Barak Engel, CSO of LoyaltyLab, a PCI-compliant provider of outsourced CRM applications.
Think like an auditor, Engel says: "Figure out where the risk is." He cites a company that began a lengthy credit card encryption process as part of its PCI compliance, only to stop to consider whether it actually needed to store the numbers in as many places around the network as it had. Unable to justify storing the data on multiple servers, IT consolidated the information, shrinking the encryption project drastically and making it easier for auditors to verify the information was secure.
Another critical point underscored by Rowe: Ensure that under no circumstances do you store cards' security codes--the last three digits on credit cards' signature panel.
Organizations categorized below level 1 aren't required to do an audit, but some nevertheless hire an outside auditor to verify PCI compliance, Rowe says. "Insiders can be under pressure not to report bad news."
His company works with clients on setting the scope of the PCI audit, which Rowe says is often the trickiest part. For example, a sampling of credit card security procedures may be sufficient to verify compliance for a merchant with a couple thousand stores, each storing card data but on a common point-of-sale system. Yet, if each store has a different POS system, an audit will take much longer--each store's security procedures have to be checked and validated, he says.
CSO has made its share of tough recommendations to clients. "The most unpopular is [advising a company] to segregate POS networks from other corporate networks," Rowe says. "This can significantly reduce the scope of a PCI audit, but typically involves significant work on the IT side to implement."
--AMY ROGERS NAZAROV
Though PCI compliance is not enforced legally, Adam Hils, director of security strategies at Top Layer Networks, believes that "Visa, MasterCard and Diners Club want people to trust their brands. If a million consumers have their data stolen, they will look for someone to blame."
What's more, Hils adds, meeting these compliance standards is good for merchants' business because protecting customers' data will ensure their loyalty.
From the credit card associations' perspective, the banks issuing the cards are key partners in disseminating information about PCI, ensuring that merchants are taking steps to comply with PCI and enforcing PCI compliance, noted officials with Visa and American Express. (MasterCard would not comment.)
"Our merchant banks are really merchant liaisons," says Visa's Fischer. "They hold the relationship with the merchant. They educate their merchants and make sure they are going through the appropriate validation actions."
And yet, Fischer says, it's the merchant banks that are likely to feel the pain of enforcement first. "We could penalize them if their merchants are not complying with PCI," she says. To that end, some banks are sending out fine schedules to merchants that have not demonstrated PCI compliance by set dates, says Cybertrust's Mack.
In terms of firmly bringing a merchant in line with credit card companies' expectations, the first step would be a consultative one, says American Express' Elliott. "It may be as simple as a merchant not understanding what is involved [with PCI compliance] and not knowing where to go to resource something. On a case-by-case basis, there are remediation steps we can take."
Terminating support for American Express transactions "would be a last resort," Elliott says. She refused to comment on any specific terminations that the company has undertaken.
Like Elliott, Fischer would only say that Visa has "terminated relationships with merchants, and we have levied financial penalties against merchants. Once a penalty is levied, we are expecting that they are going to comply."
Visa and MasterCard threatened to terminate CardSystems Solutions as an approved Visa processor last year after a breach exposed 40 million credit cards. But they never severed ties with the third-party payment processor (since acquired by Pay By Touch), according to Eric Bachman, chief operating officer at Pay By Touch. After the breach, CardSystems "spent millions of dollars fixing the security of its system," he says. "In the end, CardSystems went above and beyond in meeting the security requirements of [Visa and MasterCard]." He adds that card companies don't want to see merchants shut down.
However, the threat of termination and financial penalties from credit card companies has made executives sit up and take notice. "That $500,000-per-incident [penalty fee] certainly caught my attention," says Intercontinental's Goodendorf.
Aside from PCI-related penalties, companies clearly want to avoid the embarrassment of a security breach such as the DSW Shoe Warehouse imbroglio that allowed attackers to access more than 1.4 million customers' credit card numbers and other sensitive financial data. California's SB 1386 has forced companies to disclose breaches affecting the state's residents; other states have followed with similar laws.
And credit cards are a favorite target for online thieves. In March, the U.S. Secret Service announced 22 arrests from an undercover operation targeting Internet fraud; most of the charges were related to credit card fraud.
This was first published in May 2006