InFocus: Security and PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance is not a destination. It is a never-ending journey once you embark on it. To use Shon Harris’s words “Security is a marathon to be run at a consistent and continual pace. It is not a short sprint, and it is not for those who lack dedication or discipline.”

It true that companies that have been found to be PCI compliant in the past have had their payment card environment compromised in the same year of their compliance. Why? An information technology environment is constantly changing--it is never static. There are new vulnerabilities that are discovered everyday, and people that are ready to exploit these vulnerabilities are always on the move. They never stop.

The largest known compromise to financial data to date involves CardSystems Inc. (a large third party credit card processor in the United States), who according to some reports was compliant in 2004 but in 2005, 40 million accounts were compromised under their watch. Further investigation revealed that CardSystems failed to provide reasonable and appropriate security for sensitive consumer information. They paid dearly for this mistake--extinction.

Visa states that a PCI review or audit represents only a “snapshot” of security in place at the time of the review, and does not guarantee that those security controls remain in place after the review is complete. Furthermore, these reviews do not cover proprietary software solutions that may be used or sold by these companies. Having a fully compliant report in June 2005 does not guarantee that you are still compliant in July 2005 because a lot would have changed in your environment in just one month.

This means that from the moment the PCI assessors leave, you have to proactively review your people, technology and processes over again. The hackers are not resting, so you cannot. You need to have the dedication and the discipline to stay on course. The on-site audit or self-assessment is required be completed every year. This is an opportunity for companies to adopt a continuous audit approach. The attitude should be--this year’s audit is done, it’s time to get our controls in place for the next audit. The period in between the audit should be used as a pre-assessment period, assessing the changes to the environment and closing any new gap that is found. One of the objectives of PCI is to ensure that a consistent “standard of care” is used to protect payment account, transaction and authentication data. The keyword here is consistency.

Another very important factor to consider in the PCI compliance race is the quality of the Report on Compliance (ROC) that has been issued to a company by the assessor. While the experience and reputation of the Qualified Data Security Company (QDSC) is important, what is more important is the qualification and experience of the actual individual assessors. Companies should take a proactive approach in making sure that the assessors carrying out the audit are knowledgeable and have expertise in the subject at hand.

While Visa has a process in place to assess the quality of a ROC that has been issued to a service provider (organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers), it will take some time before they review every ROC that has been submitted to them. Merchants (businesses that accept credit card payments from their customer in exchange for service provided or items sold) submit their ROCs to the Visa member (organizations with direct relationship to Visa) that signed them up. Having a false sense of security is the worst thing that can happen to a company.

One other very important piece of the PCI compliance is security scans, both external and internal. There are companies out there that are offering $100 scans. You should stop and think--you get what you pay for. What is the depth of the scans being offered? Yes, you can have a fully compliant report but are you really compliant?

While PCI security solutions might not be cheap, loss or theft of customers’ credit card account information is even more expensive. A company might be subject to penalties such as fines both from Visa and the FTC; they face loss of revenue, company reputation and competitive edge. Some companies have had to close their businesses because of restrictions that Visa and other credit card companies placed on them after an incident.

There is a safe harbor that protects members from Visa fines in the event of a compromise. According to Visa, to attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
3. It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.

A fully compliant PCI “Report on Compliance” is not a guarantee that you will never be subject to an attack again nor is it an insurance against hackers. Hacking activities are not only on the rise but hackers are getting more sophisticated day by day. They have recently attacked established companies like AT&T, CardSystems and many other big names. No company is immune. Companies must be consistent and thorough in their approach to data security. They must always remember that they are under a contractual agreement with the credit card companies to keep the consumer data secure. They must be ready to prove that they have exercised “due care” to the data that have been entrusted to their care at all times.

Ola Olafunmiloye is a Security Consultant with Lucent Worldwide Services' Security and Reliability Practice in North America.