There is something odd about the payment card industry (PCI) standard that seems to make relatively smart people instantly dim-witted and complain about its so-called complexity. The irony is that PCI, as the standard is called, is one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.

PCI’s Genesis

The last decade has seen the growth of security and privacy standards and regulations, from decent standards such as ISO 17799 to abhorrent regulations such as Sarbanes-Oxley. At the same time, billions of dollars of credit card purchases, combined with insecure networks and systems that process consumer data, have placed consumer data at significant risk. Credit card fraud is getting out of control and the losses are becoming too great to bear. The outgrowth of this was the PCI Data Security Standard, or PCI DSS.

Visa, MasterCard, American Express, Diners Club, Discover and JCB collaborated to create a new set of standards and to require that all merchants and service providers that handle, transmit, store or process information concerning any of these companies’ cards, or related card data, be compliant with them. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.

The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas comprising the 12 specific requirements of the PCI DSS:

Build and maintain a secure network
  - Install and maintain firewall configurations
  - Do not use vendor-supplied or default passwords

Protect cardholder data
  - Protect stored data
  - Encrypt transmissions of cardholder data across public networks

Maintain a vulnerability management program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications

Implement strong access control measures
  - Restrict access to need-to-know
  - Assign unique IDs to each person with computer access
  - Restrict physical access to cardholder data

Regularly monitor and test networks
  - Monitor and track all access to network resources and cardholder data
  - Regularly test security systems and processes

Maintain an information security policy
  - Maintain a policy that addresses information security

A quick review of these 12 items reveals a textbook outline of the fundamentals of information security. They reflect attention to detail and risk management. One can sum up PCI in a single word: pragmatic. It takes a realistic approach to the problems of consumer credit data and applies a common-sense set of security solutions. PCI keeps a narrow focus on what it attempts to solve, as opposed to Sarbanes-Oxley, which lacks any form of specific detail. PCI is a godsend for the protection of consumer credit card data.

Gordon Rapkin, CEO of security solutions provider Protegrity, notes that “PCI DSS is truly a sensible approach to data security. It’s not an arcane set of rules established by some remote authority; it’s a set of industry best practices that help retailers secure their networks and protect their customers’ privacy. Compliance with the standard brings real benefits; it’s far less costly to prevent attacks than it is to clean up after a breach.”

The Backlash

Given what PCI is trying to accomplish, one would expect it to be welcomed with open arms by the industry. To a degree, it has been. But surprisingly, there seems to be a cabal that has made it its duty to attack PCI rather than embrace it. There is nothing complex or mysterious about PCI, yet that appears to be lost on some very smart people.

One recent example: Michael Mathews, chief operating and technology officer at security-services company CynergisTek, wrote an article called “PCI Has Lost Its Way, Growing Overly Complex and Costly” for the June 2007 issue of Information Security. Mathews repeatedly stresses the complexity of PCI. But where is it? Each of the 12 main requirements and its corresponding specifics is extremely pragmatic and can be classified as information security 101. Mathews writes that because of these and other “complications,” many merchants remain noncompliant with many facets of the PCI DSS.

The real issue is that these merchants built their networks with little to no thought for security and privacy. They have placed minimal controls on their users, given no direction to their application developers, and not documented the procedures their administrators need to manage the network. Merchants are not noncompliant because of the PCI DSS; they are noncompliant because they never developed their security programs in the first place.

Mathews also states that unwarranted complexities in the standard are raising the cost of compliance, but he does not name any of these complexities. No matter how many times the author uses the word complex, it can’t change the reality that the PCI DSS is practical, not complex.

An additional complaint is that answering the PCI DSS self-assessment questionnaire requires small merchants to hire teams of experts to help them interpret the intent of the questions. The nine-page PCI self-assessment questionnaire is straightforward and requires minimal interpretation. As to teams of experts, that is clearly overkill. For the vast majority of merchants, the questionnaire can be completed by a single consultant working with the client.

In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is “over the top” and can be confusing. For someone smart enough to be the director of IT for a leading-edge company like Virgin Entertainment, which places significant importance on IT, it is difficult to understand how he could find PCI confusing.

He also contends that the costs of meeting the requirements do nothing to boost a retail company’s bottom line, with no direct return on investment. Recent events demonstrate otherwise. Had TJX Companies better developed its security posture, it would likely not be facing myriad lawsuits. TJX violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in the most recent quarter it took a $12 million loss, equal to 3 cents per share, because of the theft of more than 40 million credit and debit card numbers from its systems over an 18-month period—one of the largest customer data breaches to date.

The $12 million in losses covered the costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. The company also reported that it expects to continue incurring these types of costs related to the intrusion in the second quarter, and it estimates that those costs will total 2 cents to 3 cents per share.

Besides facing numerous other federal and state lawsuits, TJX was sued in federal court in Boston in April 2007 by the Massachusetts Bankers Association, which represents 207 financial institutions. In addition, the Securities and Exchange Commission said that complaints seeking class-action designation on behalf of customers were filed in April and May in the federal courts of five additional states: Illinois, Michigan, Missouri, Ohio and Texas.

Such breaches are precisely what PCI is meant to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment, saving the organization millions of dollars and sparing it significant negative publicity. There is absolutely nothing complex about that.

Dave Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance, notes that “the PCI DSS demonstrably benefits card holders, the payment card industry as a whole and individual businesses—it’s a comprehensive, sensible security standard built on the shared knowledge of industry leaders and security experts.”

All it takes is one successful attack to wipe out years of so-called “savings” gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won’t happen to it.

The time to take security seriously is before an attack happens, not after. That is precisely what PCI aims to do.

Conclusion

Rather than making excuses about how difficult or costly PCI is, companies need to step up to the plate and start taking security seriously. They need a clear roadmap of their priorities and must ensure those priorities are accomplished so as to meet the minimal security requirements.

PCI is the best thing that has happened to consumer data protection in the payment industry in many years. The quicker it is embraced and implemented, the better off we all will be.

Ben Rothke, CISSP, QSA, is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).