There is something odd about the payment card industry (PCI) standard that seems to make relatively smart people instantly dim-witted and complain about its so-called complexity. The irony is that PCI, as the standard is called, is one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.
The last decade has seen the growth of security and privacy standards and regulations, from decent standards such as ISO-17799 to abhorrent regulations such as Sarbanes-Oxley. At the same time, billions of dollars of credit card purchases, combined with insecure networks and systems that process consumer data, have placed consumer data at significant risk. Credit card fraud is getting out of control and the losses are becoming too great to bear. The outgrowth of that was the PCI data security standard, or PCI DSS.
Visa, MasterCard, American Express, Diner’s Club, Discover and JCB collaborated to create a new set of standards and require that all merchants and service providers that handle, transmit, store or process information concerning any of these companies’ cards, or related card data, be compliant with them. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.
The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas comprising 12 specific requirements of the PCI DSS:
Build and maintain a secure network
- Install and maintain firewall configurations
- Do not use vendor-supplied or default passwords
Protect cardholder data
- Protect stored data
- Encrypt transmissions of cardholder data across public networks
Maintain a vulnerability management program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to need-to-know
- Assign unique IDs to each person with computer access
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Monitor and track all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy
- Maintain a policy that addresses information security
A quick review of these 12 items reveals a textbook outline of the fundamentals of information security. They reflect attention to detail and risk management. One can sum up PCI in a single word: pragmatic. It takes a realistic approach to the problems of consumer credit data and applies a common sense set of security solutions. PCI takes a narrow focus on what it attempts to solve, as opposed to Sarbanes-Oxley, which lacks any form of specific detail. PCI is a godsend for the protection of consumer credit card data.
Gordon Rapkin, CEO of security solutions provider Protegrity, notes that “PCI DSS is truly a sensible approach to data security. It’s not an arcane set of rules established by some remote authority; it’s a set of industry best practices that help retailers secure their networks and protect their customers’ privacy. Compliance with the standard brings real benefits; it’s far less costly to prevent attacks than it is to clean up after a breach.”
Given what PCI is trying to accomplish, one would expect it to be welcomed with open arms by the industry. To a degree, it has. But surprisingly, there seems to be a cabal that has made it its duty to attack PCI rather than embrace it. There is nothing complex or mysterious about PCI, yet that appears to be lost on some very smart people.
One recent example: Michael Mathews, chief operating and technology officer at security-services company CynergisTek, wrote an article called PCI Has Lost Its Way, Growing Overly Complex and Costly, for the June 2007 issue of Information Security. Mathews repeatedly stresses the complexity of PCI. But where is it? Each of the 12 main requirements and corresponding specifics are extremely pragmatic and can be classified as information security 101. Mathews writes that because of these and other “complications,” many merchants remain noncompliant to many facets of PCI DSS.
The issue really is that these merchants have created their networks with little to no thought to security and privacy. They have placed minimal controls on their users, given no direction to their application developers, nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant due to PCI DSS; they are noncompliant because they never developed their security programs in the first place.
Mathews also states that unwarranted complexities in the standard are raising the cost of compliance, but does not name any of these complexities. No matter how many times the author uses the word complex, it can’t change the reality that the PCI DSS is practical, not complex.
An additional complaint is that answering the PCI DSS self-assessment questionnaire requires small merchants to hire teams of experts to help them interpret the intent of the questions. The 9-page PCI self-assessment questionnaire is straightforward and requires minimal interpretation. As to teams of experts, that is clearly overkill. Answering the questionnaire can be done by a single consultant in collaboration with the client, for the vast majority of merchants.
In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is “over the top” and can be confusing. For someone smart enough to be the director of IT for a leading-edge company like Virgin Entertainment, which places significant importance on IT, it is difficult to understand how he could find PCI confusing.
He also contends that the costs of meeting the requirements do nothing to boost a retail company’s bottom line, with no direct return on investment. Recent events demonstrate otherwise. Had TJX Companies better developed its security posture, it would likely not be facing myriad law suits. TJX violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in the most recent quarter, it took a $12 million loss, equal to 3 cents per share, because of the loss of more than 40 million credit and debit card numbers stolen from its systems over an 18-month period—one of the largest customer data breaches to date.
The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems and communicate with customers, as well as for technical, legal and other fees. The company also reported that it expects that it will continue to incur these types of costs related to the intrusion in the second quarter and it estimates that those costs will total 2 cents to 3 cents per share.
Besides facing numerous other federal and state lawsuits, the Massachusetts Bankers Association, which represents 207 financial institutions, filed suit against TJX in federal court in Boston in April 2007. In addition, the Securities and Exchange Commission said that complaints seeking class-action designation on behalf of customers were filed in April and May in the federal courts of five additional states: Illinois, Michigan, Missouri, Ohio and Texas.
Such breaches are precisely what PCI comes to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment, and saved the organization millions of dollars, in addition to significant negative publicity. Absolutely nothing complex about that.
Dave Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance, notes that “the PCI DSS demonstrably benefits card holders, the payment card industry as a whole and individual businesses—it's a comprehensive, sensible security standard built on the shared knowledge of industry leaders and security experts.”
All it takes is one successful hack attack to wipe out years of so called “savings” gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won’t happen to them.
The time to take security seriously is before an attack happens, not after. That is precisely what PCI aims to do.
Rather than making excuses about how difficult or costly PCI is, companies need to step up to the plate and start taking security seriously. They need to get a clear roadmap of their priorities and ensure they are accomplished to meet the minimal security requirements.
PCI is the best thing that has happened to consumer data protection in the payment industry in many years. The quicker it is embraced and implemented, the better off we all will be.
Ben Rothke, CISSP, QSA, is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).