We have just two months before systems will need to be proven data-secure. Direct commerce order management systems that accept credit card numbers for order payment must be compliant with data security standards established by the Payment Card Industry Security Standards Council (PCI SSC) by July 1.
These regulations, embodied in the Payment Application Data Security Standard (PA-DSS), apply to all order management systems used in a call center where credit card payment is accepted. The exception is if the card data is entered directly into a third-party module dedicated exclusively to payment processing, or into a hosted solution with no data maintained locally.
PA-DSS also applies to e-commerce shopping carts unless they are completely external to, and not interfaced with, the e-commerce platform.
Details of the security standard, well known by now in the industry, can be found at the official PCI Website: PCIsecuritystandards.org.
What you won’t find there are the “workarounds” that most vendors have fallen back on to avoid having to pay an official “qualified security assessor” (QSA) many thousands of dollars to vet their systems. After receiving QSA approval, they have to spend another $1,750 for a listing fee charged by the PCI-DSS to include them on the officially approved vendor list on the PCI-DSS Website.
Here are some specifics on the workaround, as well as trends and changes you need to be aware of before the compliance deadline.
- WORRISOME WORKAROUNDS
Chief among the workarounds is the promise many vendors make that they have done everything necessary to comply with PA-DSS — even though they don’t have the third-party documentation to prove it. Since the purpose of PA-DSS compliance is to make sure that the merchants who use the system won’t fail PCI compliance because of weaknesses in security in the vendor’s software, in theory this should suffice.
In practice, if a merchant is required to use a QSA to confirm PCI compliance (only “Level 1” merchants processing more than 6 million credit card transactions a year must use a QSA), that may not fly. But for Levels 2, 3 and 4 — the majority of direct merchants — it can and does.
Here’s the rub: If a merchant’s system is breached, the “forensic” assessment that the PCI SSC imposes will immediately reveal noncompliance of the vendor’s system, exposing the merchant to even more penalties, and the possible loss of the merchant account — the right to accept credit cards. End of business, end of story.
But even merchants who do everything “by the book” can fall afoul of security. According to Larry Wine, CEO of secure payment integration and tokenization technologies provider Paymetric, “Many of the companies victimized by data breaches in the past several years were, in fact, found to be PCI-compliant prior to the breach. When the breach occurred, they had unwittingly fallen out of compliance.” Even something as simple as failing to maintain daily security log files can invalidate PCI compliance.
- QSA SHOPPING
Another workaround used by system vendors is QSA shopping, a tactic also pursued by some Level 1 merchants. The way this game is played is to interview QSA candidate firms to get a feel for their experience with similar companies — a smart move even if you are not trying to game the system.
Reading between the lines, it is quite possible to judge how lenient a QSA is likely to be; those deemed too rigid or strict will be dropped from consideration.
Not a workaround, but a legitimate strategy for managing both PA-DSS and PCI compliance, is “tokenization.” This process substitutes a token (a string of characters) for the credit card number; the token can be related back to the credit card data only by the payment processor or another third party, not by the merchant or the software vendor.
While tokenization (or a related approach called “end-to-end encryption”) offers excellent security and protection against data breaches, one must be careful about exactly how it is implemented. If a credit card number is entered into a system en route to encryption or tokenization, even if it is not stored there, this can put the system “in scope.” So as always, the devil is in the details.
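To make the division of responsibility concrete, here is an added illustration (not code from the article, and not any real processor's API) of the tokenization model described above. A hypothetical `TokenVault` stands in for the processor: it validates the card number, issues a random token, and keeps the only token-to-card mapping. The hypothetical `MerchantOrderSystem` keeps the token and last four digits for its order records and can re-bill through the token without ever seeing the card number again. The card number used is the well-known Visa test number, not a real account; the comment in `place_order` marks the moment the number transits the merchant's system, which is the scoping caveat from the paragraph above.

```python
import secrets
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard well-formedness check for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service operated by the payment processor.
    The token -> card number mapping lives only here; the merchant never holds it."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a well-formed card number")
        # The token is random, not derived from the card number, so it cannot
        # be reversed or guessed without access to this vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Processor-side use of the token; the card number never leaves the vault."""
        pan = self._vault.get(token)
        if pan is None:
            return False
        return amount_cents > 0  # stand-in for the real authorization call


class MerchantOrderSystem:
    """Merchant's order management system: persists the token and the last four
    digits for display, never the full card number."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: Dict[str, Dict[str, object]] = {}

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> str:
        # The card number passes through this process on its way to the vault.
        # Even though it is not stored, this transit is what keeps the system
        # "in scope" for PA-DSS, as the article warns.
        token = self.vault.tokenize(pan)
        self.orders[order_id] = {
            "token": token,
            "last4": pan[-4:],
            "amount_cents": amount_cents,
        }
        return token

    def recharge(self, order_id: str) -> bool:
        """Repeat billing using only the stored token."""
        order = self.orders[order_id]
        return self.vault.charge(str(order["token"]), int(order["amount_cents"]))


def stored_values_contain(system: MerchantOrderSystem, needle: str) -> bool:
    """Audit helper: does any value the merchant persisted contain `needle`?"""
    return any(needle in str(v) for order in system.orders.values() for v in order.values())


# Constructed demo input: the well-known Visa test number, not a real account.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantOrderSystem(vault)
    token = merchant.place_order("order-1", TEST_PAN, 1999)
    print("token:", token, "last4:", merchant.orders["order-1"]["last4"])
    print("re-bill succeeded:", merchant.recharge("order-1"))
    print("full card number in merchant storage:", stored_values_contain(merchant, TEST_PAN))
```

The audit helper is the check a practitioner actually wants: after the order flows through, nothing the merchant persisted contains the full card number, only a random token and the last four digits. What the example cannot do is take the merchant out of scope, because `place_order` still handles the raw number; a hosted payment page or a dedicated capture device is what removes that transit.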
- SELF-ASSESSMENT CHANGES
There are some changes on the horizon for PCI self-assessments. Starting Feb. 1, 2011, Level 1 merchants will be able to submit self-assessment questionnaires for on-site security audits rather than having the audit administered by a third party.
Likewise, starting July 1, 2011, Level 2 merchants (processing between 1 million and 6 million credit card transactions per year) will be required to have on-site security audits, although they may be self-administered.
In both cases, self-administered audits must be done by a staff member who has received training by PCI SSC-approved trainers.
- THE PRIORITIZED APPROACH
Finally, the PCI SSC has introduced a set of specially formatted materials (a spreadsheet and a PDF file) to help merchants better manage the PCI-DSS process. Called the prioritized approach, it provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats first while on the road to PCI DSS compliance.
The prioritized approach and its milestones are intended to provide the following benefits:
- A “roadmap” that an organization can use to address its risks in priority order
- A pragmatic approach that allows for “quick wins”
- Support for financial and operational planning
- Objective and measurable progress indicators
- Support for consistency among qualified security assessors
The prioritized approach was devised after analyzing data from actual breaches, together with feedback from QSAs, forensic investigators and the PCI Security Standards Council Board of Advisors.
The six milestones:
- Remove sensitive authentication data from your servers and limit data retention.
- Protect the perimeter, internal and wireless networks.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
The PDF and spreadsheet assign a milestone label to each of the several hundred individual requirements in the PCI DSS document, providing the roadmap for working through the process.
- A CONTINUOUS PROCESS
Finally, it’s important to emphasize that PCI compliance is a continuous process, not something that you have to attend to periodically to satisfy “outside” requirements.
“Assess, remediate, report, repeat” is the PCI mantra. You must not only formulate and maintain an information security policy, you need to stay vigilant about every aspect of your systems and your network, reviewing usage logs daily and running integrity checks on critical data files at least once a week. Most breached systems did not follow those two simple guidelines.
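The weekly integrity check the paragraph calls for is simple to automate. The following is an added example, not code from the article or from any PCI SSC material: it hashes every file under a directory of critical files into a baseline manifest, then on each run rebuilds the manifest and reports what was modified, added or removed. `demo_in_tempdir` is a constructed scenario (three made-up files, then one edited, one deleted and one unexpected file dropped in) so the whole thing runs offline; the file names and paths in it are invented.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns: Iterable[str] = ("**/*",)) -> Dict[str, str]:
    """Hash every regular file under `root`; keys are POSIX paths relative to root."""
    manifest: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences so the reviewer sees exactly what changed since the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def run_weekly_check(root: Path, baseline_path: Path) -> Dict[str, List[str]]:
    """The scheduled job: rebuild the manifest and diff it against the saved baseline."""
    return compare_manifests(load_manifest(baseline_path), build_manifest(root))


def demo_in_tempdir() -> Dict[str, List[str]]:
    """Constructed scenario (invented files): baseline, then tamper, then check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "critical"
        (root / "bin").mkdir(parents=True)
        (root / "app.conf").write_text("db_host=localhost\n")
        (root / "gateway.cfg").write_text("mode=tokenize\n")
        (root / "bin" / "order_mgmt.sh").write_text("#!/bin/sh\necho ok\n")
        baseline_path = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_manifest(build_manifest(root), baseline_path)
        # Simulated changes since the baseline: a config edit, a missing script,
        # and an unexpected binary appearing under bin/.
        (root / "app.conf").write_text("db_host=203.0.113.5\n")
        (root / "bin" / "order_mgmt.sh").unlink()
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF")
        return run_weekly_check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
```

Two practical points the code only hints at: the baseline manifest has to live somewhere the monitored system cannot silently rewrite (a separate host, or at least a signed copy), or an attacker who changes a file can change its recorded hash too; and every non-empty result needs a human decision and a ticket, because a check nobody reads is exactly the lapse that turns a compliant system into a non-compliant one.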
System vulnerabilities don’t go away by themselves. “Vulnerability management” is the systematic and continuous use of specialized security tools and workflow management approaches that help to eliminate exploitable risks.
Most vulnerability management methods are as easy as regularly updating antivirus and malware detection software. If you see PCI compliance as an opportunity to do strategic vulnerability management, it becomes a proactive and positive goal, rather than a reactive obligation.
Ernie Schell (firstname.lastname@example.org) is director of the consultancy Marketing Systems Analysis in Ventnor, NJ.
- PCI TRAINING AVAILABLE
Need more help understanding the ins and outs of PCI-DSS? The PCI Security Standards Council is running a two-day training course next month in Columbus, OH. The course, which takes place June 21-22, is based directly on the PCI SSC Qualified Security Assessor (QSA) training program. Attendees will learn what the QSAs learn so they can better prepare for an on-site PCI DSS assessment. The fee is $995 per person.
For further information and registration visit: https://www.pcisecuritystandards.org/education/training.shtml