Experts: Easing standards like PCI DSS a bad idea

By Bill Brenner, Senior News Writer
09 May 2007 | SearchSecurity.com


NEW YORK -- There's no doubt companies are going through misery trying to comply with such mandates as the Payment Card Industry's Data Security Standard (PCI DSS). But easing the rules would be a bad idea given the steady rise of identity fraud, financial services practitioners said during a panel discussion at RSA's eFraudNetwork Live event.
Bedford, Mass.-based RSA, the security division of EMC, held the event at the Roosevelt Hotel so customers could gather to share their experiences and offer tips. The event is named after RSA's eFraudNetwork, a database of known fraud on the Internet. During a roundtable discussion on identity fraud, panelists were asked if industry standards and government regulations should be relaxed to help more companies comply.

During a recent conference focused on PCI DSS, First Data CISO Phil Mellinger, who developed the precursor to the current rules, called for an overhaul of PCI DSS to eliminate subjectivity and ease restrictions to help more merchants comply.

But the panelists at RSA's event said too much is at stake to relax some of the rules just because heeding them is hard. Whether it's PCI DSS or any number of government regulations, simply striving for compliance will lessen the likelihood of attackers pilfering credit card data from corporate networks, they said, citing such incidents as the data breach at Framingham, Mass.-based TJX Companies Inc. In that incident, at least 45.7 million credit and debit card holders were exposed to identity fraud.
Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, and Baron Unbehagen, vice president of marketing and alliances at Postilion, a Norcross, Ga.-based vendor of integrated solutions for self-service banking and payment processing, agreed it's easy for companies to complain when they're forced down the path to compliance. But, Dougherty said, "It's our responsibility to meet the bar that's been set."

From a service provider standpoint, Unbehagen said, "Priority one is for the provider to do as much as possible to deliver solutions that are compliant out of the box with PCI DSS and other standards."

Dougherty has seen the impact of identity fraud up close. He said his credit union turned to RSA for help last year after it suffered a "vicious" phishing and denial-of-service attack. Cleaning up the aftermath has been a painful process, he said. For example, the organization has had to spend about $100,000 to re-issue compromised credit cards. It was the right thing to do, Dougherty said, but it was a big financial drain.

"It was a scary time," he said. "Until you're living and dealing with it, you don't know what it's like."

He said the experience has taught him that companies need to vigorously monitor transactions and have the necessary security tools in place to detect fraudulent activity. He warned that the problem will keep getting bigger. And if companies can't detect when large amounts of money are being sucked out of a customer's account, nobody will trust them enough to do business with them.

"Trust is everything," Dougherty said. "The customer trusts us to protect them."

Unbehagen acknowledged that while retailers need to do their part in protecting customer data, companies like his must bear responsibility as well.

"It's a shared responsibility," Unbehagen said. "On the one hand, the retailer must do their job. But the point-of-sale vendor and service providers must also work together to protect people."

Panelists agreed that working together means forging relationships with such law enforcement agencies as the FBI, and stepping up efforts to educate customers on the risks they face.

"When we were hit with the phishing attack, 19-year-olds, 55-year-olds and senior citizens were affected," Dougherty said. "We all need to do a better job educating the public on what the criminals are doing to target them." He noted that retired senior citizens are paying a heavy price from such attacks and that "we have to educate them so the rug isn't pulled out from under them."

He said his credit union is trying to help people by offering seminars on Internet fraud.

One thing that will make people more aware and build more trust is if more fraudsters are found and prosecuted, said Thomas Grasso Jr., supervisory special agent with the FBI's National Cyber-Forensics and Training Alliance.

"The more thieves we catch and prosecute, the better," he said. "We've found that the same people tend to be involved in these attacks and when they can steal money they'll keep coming back for more. Our experience is that businesses really want to help us find these guys."

Catching and prosecuting them, he said, is as important to security as patch management.
