PCI Council hears complaints, suggestions for changes

By Robert Westervelt, News Editor
21 Jun 2007 | SearchSecurity.com

Security has been a priority for credit processor Zoot Enterprises Inc., which taps up to 15 data sources for its financial customers to render a decision on a mortgage application or credit card.

At Bozeman, Mont.-based Zoot, consumers are scored based on criteria set by a bank or lender; Zoot makes a decision on the type of loan or credit card in as little as three seconds.

From the first entry point into the system, Zoot uses multifactor authentication and a user logs into an encrypted Web site to conduct business. Data flows strictly through an encrypted tunnel at all times.

"Once you get inside our system we actually have multiple layers of encryption," said Tony Rosanova, chief technology officer at Zoot.

Zoot is not yet compliant with PCI DSS. Like many companies undergoing the rigorous compliance process, Zoot must overcome many hurdles. In its final stages of PCI certification, the company has been trying to juggle its speedy credit decision response time with compliance needs.

"PCI has truly supported the concept that data classification is critically important so that you spend your money and your energy securing areas that need to be secured," Rosanova said. "Having visibility and making sure that you classify all your systems consistent with your data classification policy and the security requirements that exist are real challenges."

Being a small and agile company has been helpful, Rosanova said, as it can be difficult for large companies with legacy systems to quickly make the required changes.

"It is more far reaching than anything that's ever been required and it is requiring application changes and corporate changes to deal with that data," he said. "You have to protect sensitive data all the way to the data field level, which is a substantially different undertaking."

At the Burton Group Catalyst Conference, Steven Adler, program director of Data Governance Solutions for IBM and chairman of the Data Governance Council, will discuss how to implement successful long-term data governance programs and best practices. Adler has been working to understand the issues surrounding data compliance and data protection problems. In a recent interview, Adler said there is no one-solution-fits-all approach.

"Some companies come at this from a metadata perspective and quickly recognize the poor quality of their data," Adler said. "Companies can no longer leave it to security pros to manage data security. They need a broader group of people to understand the issues and act appropriately to mitigate risk. It helps increase the value of data within an organization and gets more people to protect it."

While Zoot isn't one of the businesses complaining about PCI DSS, it is common to hear from merchants frustrated with the standard. The PCI Security Standards Council, which was set up to oversee the standard, is finalizing its advisory board and is reviewing feedback on various ways to improve the standard and relieve frustrated merchants, said Robert M. Russo, the Council's newly appointed general manager.

Russo, who has deep roots in the credit card industry, is running day-to-day operations of the Council. He recently told SearchSecurity.com that the Council plans to present the results of its feedback at a community meeting on PCI DSS set for September in Toronto.

"When we get further feedback from that meeting we'll decide how to evolve the standard and where it's going to go," Russo said. "The one thing that [merchants] are all in agreement on is that [the standard] is one of the better things out there and they're not trying to dumb it down but make it better."

Thus far, merchants have voiced concerns about improving the wireless criteria within PCI DSS, Russo said. IT security pros also continue to request guidance on application-level security to guard against SQL injection and cross-site scripting attacks, he said.

At industry conferences, companies have shared other frustrations with the current standard. Some merchants have been confused by compensating controls, which show that a merchant is meeting a portion of the standard, such as data encryption, through security protections already in place. But auditors, who must sign off on specific compensating controls, have interpreted the rules differently, some merchants have said. Others have reported that some auditors are also in the business of selling specific products designed, they say, to make the merchant compliant with the standard.

"Auditors have no business selling a fix-all designed to bring a company into compliance," said Diana Kelley, vice president and service director at Midvale, Utah-based Burton Group. "There's no such thing."

Despite these frustrations, Russo called the standard a milestone for the industry. The standard is the best effort by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to reach a common set of criteria that all companies should strive to achieve to protect sensitive information, he said.

"Until they formed this council last September, they were and still are, five of the toughest competitors that you could imagine," Russo said. "Getting them all in the same room to sit down and agree on anything was a miracle."

Enforcement will be left to each individual credit card brand. Though the standard is strict, Russo said, data security should have always been the sole priority of any company that processes credit cards.

Zoot frequently conducts internal and external audits to determine whether it is following its security procedures. The company collects every keystroke on every system and validates the data to ensure that only appropriate employees are accessing the data.

For companies like Zoot, data protection is critical to their business, but meeting the standard has been an uphill battle.

"It is on an order of magnitude more difficult to become PCI compliant than most of the audits that most of us have ever had to experience, because it goes so much deeper," Rosanova said. "The struggle and challenge is to make sure that we mitigate risk without extraordinary expenses and without inhibiting our ability to do our job and be a value to our clients."

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy