Nearly a year after TJX Companies suffered what is believed to be the largest identity theft to have hit a retailer, credit card companies are laying down the law for any merchant who transacts business with plastic. By New Year's Eve, all businesses that handle between 1 million and 6 million credit card transactions a year (primarily mid-market companies) must comply with the payment card industry's new Data Security Standard (PCI DSS).

Companies that fail to comply with the standard's 12-point specification risk thousands of dollars in fines (from Visa, $5,000 to $25,000 a month), though it's hard to predict what noncompliance will really cost because the penalty structure is complex. Ultimately, Visa, MasterCard and the other payment card companies could revoke merchants' rights to make credit card transactions—a mortal wound for any consumer-oriented business. And yet despite the threat of penalties, experts believe that most mid-size companies won't make the deadline (larger companies with a higher transaction volume are already supposed to be compliant).

Compliance is hardly rocket science—or is it? Directives to use firewalls and change vendor-supplied default passwords are simply security best practices. But in other areas, merchants struggle to interpret the standards, haggling with auditors, consultants and sometimes the PCI Council itself over exactly how to protect cardholder data. And they often have to reach deep into cash-strapped pockets to come up with the funds for conducting a top-to-bottom security review.

Brian Shniderman, a director at Deloitte Consulting, estimates that 40 percent to 45 percent of merchants might need to overhaul everything from access management, ID control and physical security, to infrastructure, firewalls and antivirus measures.

"The industry is not sitting in a stable position with regard to PCI standards," he says.

Lessons from TJX

Version 1.1 of the PCI Data Security Standard (PCI DSS 1.1) was on the books in January 2007, when TJX Companies—operator of A.J. Wright, Bob's Stores, HomeGoods, Marshalls and T.J. Maxx—announced that hackers had breached its network. Estimates of the damage vary, but data thieves may have copped anywhere from 45 million to more than 100 million user accounts, from customer transactions going back to 2003.

According to The Wall Street Journal, the thieves may have begun their odyssey in a van parked near a St. Paul, Minn., Marshalls store, at which they pointed an antenna and picked up wireless data beamed across the store from registers and handheld scanners. The intercepted data allowed thieves to hack the main network in Framingham, Mass., and to download megabytes of stored customer records. At least three class-action lawsuits seeking damages on behalf of customers and banks are pending in federal court. (TJX is awaiting court approval of a proposed settlement with customers worth an estimated $256 million. On Nov. 30, 2007, the company announced a $40.9 million settlement with Visa through which it would pay banks for their claimed losses, provided banks agree not to pursue further legal action.)

Among the 11 security deficiencies with which TJX was charged: It failed to comply with the PCI standards for data and computer security. This global security standard is a product of the PCI Security Standards Council, created in September 2006 by the five major card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa. According to Bob Russo, PCI's general manager, the council's main goal was to create "one answer for all five brands." It also seeks to educate companies and has taken on the vital tasks of qualifying and managing the auditors who must certify merchants' compliance (known as qualified security assessors, or QSAs), and qualifying approved scanning vendors (ASVs), who test system security by running simulated customer transactions. The council is also building a lab to test and validate the security of PIN-entry devices.

Despite any relief merchants may feel by only being held to one merged standard, DSS remains a throbbing toothache for many CIOs in charge of payment card transaction systems. Compliance, verified by stated deadlines, is mandatory. The New Year's Eve deadline looms for full compliance by mid-market merchants. Fines threaten, but it's hard for merchants to predict just what they might cost because they are levied by the individual card companies, which have their own rules and rates (Visa may fine one amount and MasterCard another). Complicating matters further, these fines are not directly charged to merchants but to their card-processing banks. The banks then choose to either pass them along, absorb them or, in some cases, even increase them.

Other punitive measures are possible, including having card processing privileges revoked or, as in the TJX example, justification for lawsuits.

Most analysts agree that the majority of companies are not yet certified, though the exact numbers are hard to pin down. In an October news release, Visa announced that 65 percent of the largest merchants had been verified as compliant. Shniderman of Deloitte Consulting puts the level for midsize merchants at only 40 percent to 45 percent.

Common Sense Required

Payment card industry security standards provide a list of best practices:

Build and Maintain a Secure Network
- Install and maintain a firewall.
- Change vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Protect stored transaction data.
- Encrypt data transmitted across open, public networks.

Maintain a Vulnerability Management Program
- Keep antivirus software updated.
- Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.

Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.

Maintain an Information Security Policy

Common Sense Standards

So merchants have little choice. But how good is the standard and how bad are the obstacles to achieving the sought-after verification? Hans Keller, CTO since 1999 of the National Aquarium in Baltimore, says that most of the requirements are common sense. "A lot of pieces of PCI are things you should be doing." The PCI council's Russo concurs. "There really isn't anything mysterious about these standards. They are all security best practices."

Those who gritted their teeth over earlier standards, such as Visa's Account Information Security and Cardholder Information Security Program, or MasterCard's Site Data Protection—and who then found the first version of the PCI security standard confusing—should at least find the latest incarnation much improved. Russo says that among the issues solved by version 1.1 are inconsistencies in terminology and language. For instance, vague words like "periodically" and "regularly" have been replaced with specifics, such as annually, quarterly and monthly. Other changes ironed out distinctions between cardholder data, which merchants store and must protect, and data so sensitive that it should never be stored.

Implementation Challenges

Neat as that sounds, don't put away the aspirin yet. Unless you run a large business, you'll face several implementation challenges.

1. Tight budgets. While larger companies (which PCI calls Level 1) often have dedicated security resources, midsize merchants may find themselves in that jaw-clenching budget bind.

2. Complex environments. Cathy Hotka, a retail technology consultant, says even mid-market merchants may be running more than 500 applications at a time in "highly customized environments with hand-written code" that has been around for years. Old code is often poorly documented, and even small changes are complicated, just as they were to fix the Y2K bug. The DSS standards are more comprehensive than replacing two-digit years with four-digit years, and they constantly change. Hotka compares complying with PCI to "fixing the windshield of a plane while it's in the air."

3. Conflicting interpretations. Individual auditors may interpret the rules differently. "The auditor you bring in today will tell you something different than the auditor you bring in next week," says the National Aquarium in Baltimore's Keller. Disagreements can arise over the proper way to divide up networks and secure them with firewalls.

How One CIO Is Meeting the PCI Compliance Challenge

Though it qualifies as a small merchant, the National Aquarium in Baltimore (which earns about $40.5 million in annual revenue) has encountered most of these mid-level difficulties. Reporting to the CFO, Keller oversees an IT staff of 10. He's responsible for application development as well as support for 500 users and 300 PCs. Keller devotes approximately one percent of his annual $2.5 million IT budget to PCI compliance. (Editor's note: This story was updated on Dec. 14, 2007 to remove incorrect information.)

The aquarium's road to compliance began in September 2006, when its merchant bank asked for an update. Merchant banks process payment cards and are the middlemen between the payment card companies and the merchants.

The 12 top-level standards quickly subdivide into finer levels of detail. For instance, Requirement 8, "Assign a Unique ID to Each Person with Computer Access," contains five sub-steps, with step 8.5 divided into 16 more. In response to this requirement, Keller moved his admissions system away from one common "extremely restricted" login used by everyone working the ticket booth to separate IDs for each employee. Internally, he now tracks users by PC as well as by their job function, so that their network access across the system can be logged. As required by PCI, passwords change every 90 days. Keller also added an intrusion detection system and revised information security policies to make them more easily understandable.

Keller decided to do his own compliance work in-house, but it wasn't his first choice. First he approached consultants specializing in PCI DSS, but he had difficulty finding a firm willing to take full accountability for its decisions.

Many consultants claim to be working on behalf of PCI, but "none of them will sign next to you on your audit questionnaire," explains Keller. "So if they won't stand behind me and sign on the line in case of a breach, why should I pay them any money in the first place?"

Keller does use an approved QSA, Fishnet Security, for the quarterly security scans and penetration testing required by PCI for all merchants with more than 10,000 transactions a month. The results are forwarded to the National Aquarium's merchant bank. As the company develops new applications, the QSA consultant will also analyze the code for security compliance as part of the development process. The requirement to test new code has a deadline of June 30, 2008.

When it came to interpreting the standard, one area in which he and the auditors disagreed was the proper way to secure a proprietary wireless bridge between two buildings.

"Some [auditors] will say even though there's no credit card traffic passing through that it still needs to be segmented off with hardware firewalls. And to me, I cannot see a valid need for doing that when the wireless network itself is proprietary. So I think there are opportunities where the standard can be taken a little bit too far."

Despite the difficulties, Keller seems satisfied with the standard and the process. "PCI gave us a great security checklist and a great place to start. And by going through the 12 different requirements, it allowed us to ensure that we have adequate protection around the data that we have."

Never-Ending Deadlines

You'll never be finished with compliance. Even after your company meets the current standards and sets up the quarterly cycle of scans and reports, you can expect new requirements to address new threats. And with them, new deadlines.

Russo explains that the PCI Council will "make changes in the standard on the fly" as a way of responding flexibly to new threats. How long merchants will have to respond depends on the type of change. A simple patch might be required immediately. Major changes, such as the new Web and enterprise application code audit requirement due June 30, 2008, will give companies a grace period of a year to 18 months. "The object of releasing a new standard is not to put anyone out of compliance when we release it," assures Russo.

While penalties are the stick of PCI, brand confidence may be the carrot. In the event of a security breach, your customers and your brand suffer a tremendous amount of damage. Or so runs conventional wisdom.

But customer confidence proves to be notoriously fickle. Take TJX. Following its data breach disclosure, the company reported two consecutive, highly successful quarters. To some observers, the fact that TJX has not suffered serious consequences makes the carrot of customer confidence a harder sell. Says Keller: "Think of the PR, especially for an organization like ours. What if we have this huge data breach? Yet here's TJ Maxx, a well-known brand. They have this huge breach and yet they have one of their best quarters ever."

Shniderman cautions IT leaders to be careful of how they interpret TJX's good fortune. "You can read a couple of things into that," he says. "Some consumers are willing to increase their vulnerability to get a good discount."

TJX might have changed their pricing or promotions during the period after the breach, or they may simply have addressed the crisis effectively, continues Shniderman. "If you have a fraud-compromising event, it's a moment of truth. The trust level goes down significantly if you don't address it well."

Whether or not customer confidence can be managed after a breach, it's a safe bet that no company wants to suffer one. And while PCI DSS 1.1 will not plug all potential security leaks, it's now a necessary cost of doing business.

Michael Jackman writes frequently about computer security. Contact him at firstname.lastname@example.org.