Your responsibilities as a merchant in preventing credit card theft & fraud: PCI compliance

PCI DSS 101


A Journey, Not A Destination

by Brett Callow and Rhonda Turner

Almost everybody has a credit card, and most people have more than one card. Between 1995 and 2006, the number of cards in circulation almost doubled. Unfortunately, credit card fraud has increased just as rapidly. In the U.S. alone, card issuers lost $1.24 billion to fraud in 2006, up 9.3% from $1.14 billion in 2005. Globally, fraud costs card issuers an enormous $48 billion. To put that amount in perspective, it’s more than the GDP of the oil-rich Gulf state of Oman.

Real world. Real cases.

High-profile cases from recent years include:

  • February 18, 2005
    Bank of America announced that more than 1.2 million customer records had been lost.
  • June 16, 2005
    CardSystems was sued in a series of class actions which claimed it had failed to protect the personal information of more than 40 million customers. Both Visa and American Express prohibited CardSystems from processing any further transactions, which effectively brought its business to a halt. CardSystems faced collapse but was eventually bought out by another company.
  • January 31, 2006
    The Boston Globe and The Worcester Telegram and Gazette exposed 240,000 credit and debit card records as well as routing information for personal checks which had been printed on recycled paper used in wrapping newspaper bundles for distribution.
  • February 9, 2006
    It was revealed that approximately 200,000 debit card accounts had been disclosed by unidentified retailers. These included accounts related to bank and credit union acquirers nationwide, including Wells Fargo and CitiBank.
  • January 12, 2007
    MoneyGram confirmed that a company server had been unlawfully accessed exposing personal information, including names, addresses and bank account numbers, of around 79,000 customers.
  • January 17, 2007
    TJX Companies Inc. admitted that one of its systems had been unlawfully accessed and that at least 45.7 million credit and debit card numbers had been exposed. TJX is facing around 20 class action lawsuits and has been billed $590,000 by the HarbourOne Credit Union – $90,000 in respect of the cost of the replacement of cards and $500,000 in respect of compensation for damage to its reputation.

Credit card fraud harms consumers, it harms card issuers and it harms businesses. While consumers can normally recover their losses from card issuers and card issuers can pass their losses onto consumers, businesses have no such get-out-of-jail-free card. And, as demonstrated by the CardSystems case, credit card fraud can have catastrophic consequences for a business.
Such high profile cases have propelled security matters to center stage and brought about a new industry-wide global security program: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS: history and background

In 2004, American Express, Discover, JCB, MasterCard and Visa aligned their separate programs into a single standard, and in 2006 the same five brands formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it, with a mission to “enhance payment account security by fostering broad adoption of the PCI Security Standard.” To this end, Visa’s AIS and CISP programs and MasterCard’s SDP program were consolidated and updated to form the PCI DSS. The DSS provides a common framework intended to enhance the security of cardholder information throughout its lifecycle. Any business which stores, processes or transmits Primary Account Numbers (PANs) must comply with PCI DSS. The PCI SSC does not enforce compliance; that responsibility rests with the individual card issuers. While all businesses must comply with the PCI DSS, the validation requirements and the date by which compliance must be achieved vary according to the card issuer and the “Merchant Level” (see the table under “Merchant Levels and validation requirements” below). For most businesses, compliance is already mandatory. For all others, the compliance dates are fast approaching.
Non-compliance with PCI DSS can be extremely costly: a non-compliant business may incur a substantial fine and/or be prohibited from processing card transactions. Either could have a considerable impact on a business.
The SSC will monitor trends and emerging threats and update the DSS as necessary, so businesses must stay abreast of the latest requirements. That said, the non-static nature of the DSS should not present businesses with too much of a problem, as the SSC anticipates amending the DSS only once per year.
The SSC is pushing hard to raise awareness of PCI DSS requirements. “The SSC is driving an aggressive program of educational activities around the Data Security Standard. We are participating in industry events, speaking at panels and conferences. Council leaders are meeting one on one with trade groups and industry associations, participating in webinars and evangelizing through the media,” said spokesperson Ella Nevill. But despite the efforts of the PCI SSC, many businesses have yet to validate their compliance. Recent surveys have shown that only about 50% of businesses currently comply with the DSS. Small businesses have been the slowest to react with only around 20% having so far achieved compliance.
To date, credit card issuers have been reasonably tolerant of the situation. The deadlines for compliance have been extended and only relatively few businesses have been subject to sanctions. But with fraud costing $48 billion per year, card issuers are likely to become increasingly insistent on compliance and increasingly likely to impose sanctions on businesses which do not comply.
So, what must a business do in order to comply with the PCI DSS?

The anatomy of the PCI DSS

The PCI DSS comprises 12 security requirements, grouped into 6 categories:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

This represents only an overview of the PCI DSS requirements. For more detailed information, go to https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
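Requirements 3 and 10 together mean a merchant has to know where PANs actually sit, and the most common place they turn up unintentionally is in application and web server logs. The script below is an added example, not code from the article or from the PCI SSC: it scans text for digit runs of card-number length, keeps only those that pass the Luhn mod-10 check (which rules out most order numbers and timestamps), and reports them masked to the first six and last four digits, the maximum Requirement 3.3 of the standard allows to be displayed. The regular expression, the helper names and the sample log lines are my own constructions; the card numbers in the sample are the publicly known brand test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other letters or digits on either side.
_CANDIDATE = re.compile(r"(?<![\dA-Za-z])(?:\d[ -]?){12,18}\d(?![\dA-Za-z])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show first six and last four (PCI DSS Req 3.3 maximum), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (masked_pan, start, end) for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((mask_pan(digits), m.start(), m.end()))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leave the rest."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_log(lines):
    """Map 1-based line number to the masked PANs found on that line."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            report[n] = [h[0] for h in hits]
    return report


# Constructed sample log lines (assumed format); the card numbers are the
# well-known Visa, MasterCard and American Express test numbers.
SAMPLE_LOG = [
    "2007-01-17 10:22:01 order=1234567890123456 card=4111111111111111 amount=59.99",
    '2007-01-17 10:22:05 card="5555 5555 5555 4444" status=approved',
    "2007-01-17 10:22:09 phone=18005551234 note=no card data here",
    "2007-01-17 10:23:11 amex=3782-822463-10005 status=declined",
]

if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(pans)}")
    print(redact(SAMPLE_LOG[0]))
```

Note that the 16-digit order number on the first line is left alone because it fails the Luhn check, while the spaced and dashed card numbers are still caught. Run against real logs this gives both a finding list for the QSA and a redaction pass that lets you keep the logs Requirement 10 demands without storing full PANs in them.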

Merchant Levels and validation requirements

While all businesses must comply with the PCI DSS, it is important to note that the requirements for validation vary according to “Merchant Level”. The “Merchant Level” is determined by the number of transactions which a business processes during a year and by its exposure to risk. To complicate matters, the “Merchant Level” is not consistently defined across all card brands, but can be summarized as follows:

Level 1
  Description:
  • Any business processing 6,000,000 or more transactions per year
  • Any business which has suffered an intrusion which resulted in data being compromised
  • Any business which a card issuer decides should meet Level 1 requirements
  Validation requirements:
  • Annual on-site assessment by a Qualified Security Assessor (QSA), or an internal audit signed by an officer of the company
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  Validation due date: September 30, 2004 (Visa) or June 30, 2005 (MasterCard)

Level 2
  Description:
  • Any business processing between 1,000,000 and 6,000,000 transactions per year (or between 150,000 and 6,000,000 e-commerce transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: September 30, 2007 (Visa) or June 30, 2004 (MasterCard)

Level 3
  Description:
  • Any business processing between 20,000 and 1,000,000 e-commerce transactions per year (or between 20,000 and 150,000 e-commerce transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: June 30, 2005

Level 4
  Description:
  • Any business processing fewer than 20,000 e-commerce transactions and fewer than 1,000,000 other transactions per year (or fewer than 20,000 e-commerce transactions and fewer than 6,000,000 other transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: Discretionary

For detailed and specific information in relation to “Merchant Levels” and validation dates, businesses should consult with the relevant card issuer or acquiring bank.
Businesses must meet the expense of validation themselves; it’s not an expense which is covered by the credit card issuers. Should a QSA identify a problem which results in non-compliance, a business will need to remedy that problem before the QSA will reassess and confirm compliance. It is, therefore, in a business’s best interests to ensure compliance in advance of the QSA conducting the initial assessment. For each day that a business is not validated as DSS-compliant, it is exposed to the risk of sanctions by card issuers – and, of course, to the risk of the data which it processes and holds being compromised.
For a list of PCI-approved QSAs and ASVs, see www.pcisecuritystandards.org
DSS compliance is not only mandatory for retailers; third-party service providers and acquiring banks must be compliant too. In fact, it is the responsibility of acquiring banks to ensure that the businesses they represent are DSS-compliant.

The importance of compliance

The PCI DSS is not a new concept. For years, card issuers have operated and enforced their own codes of conduct. Visa had the Cardholder Information Security Program (CISP), American Express had the Data Security Operating Program (DSOP), MasterCard had the Site Data Protection (SDP) program and Discover had the Discover Card Information and Security Compliance (DISC) program. While compliance with these programs was mandatory, many businesses remained non-compliant. This was partly due to the fact that card issuers were reluctant to take enforcement action, as this would invariably have a negative impact on business relationships.
So, what’s different about the PCI DSS? Why should a business which failed to comply with the CISP, DSOP, SDP or DISC programs expend the time and resources necessary to become DSS-compliant? There are actually a number of reasons. Firstly, compliance makes good business sense. The loss of data can be exceptionally damaging, but proactively implementing a solid set of security controls can prevent it from happening. Secondly, the marketplace and political climate have changed. In Minnesota, a bill was recently passed which put the requirements of the PCI DSS into law. Texas and other states are considering similar enactments. And credit unions and non-profits are lobbying for legislation which will enable them to recover the cost of issuing replacement credit cards from the retailer whose systems were breached. Thirdly, the cost of fraud is reaching an unbearable level and both consumers and legislators are demanding that credit card companies take action. The likely result of all this? Card issuers will probably now be far more inclined to impose sanctions in order to force businesses to comply.

Easing the pain of compliance

Ensuring the security of customer data can both enhance customer confidence and help maintain bottom line. The PCI DSS was introduced in order to raise the bar for cardholder data security, and achieving compliance should be high on the agenda of organizations that carry out business transactions involving the use of credit cards.
Implementing software tools for log management, vulnerability management, security scanning and endpoint security will go a long way towards helping you achieve compliance. However, the story does not end there. Just because a merchant receives a PCI stamp of approval, he cannot simply sit back and relax.
PCI compliance is only the beginning of a continuous process that requires regular monitoring of the security health of the merchant’s network. Contrary to what some merchants may think, PCI DSS is not a one-off certification that ends with the Qualified Security Assessor (QSA) confirming you are compliant. Becoming PCI compliant means that you have reached an acceptable level of security on your network; it does not mean that from then onwards your network is secure and cannot be breached. Maintaining PCI DSS compliance status is just as important, if not more so.
PCI DSS compliance is a long-term journey, not a destination. And this is something that all merchants need to understand irrespective of size or business.
It is a cost of doing business, granted. Yet, the cost of compliance is lower than having to pay $500,000 in fines and losing your goodwill and credibility if your network is breached!