Challenges to PCI compliance

With the burgeoning popularity of online shopping and banking, credit card transactions are flourishing. Consequently, credit card fraud is on the rise. Consider the following:

  • The number of U.S. identity fraud victims in 2009 rose to 11 million adults, up from 10 million in 2008. (Source: Javelin Strategy and Research)
  • Credit and debit card fraud was the No. 1 fear of Americans in the midst of the global financial crisis. Concern about fraud superseded that of national security in relation to terrorism and personal safety. (Source: Unisys Security Index)

To combat this growing menace, the Payment Card Industry Data Security Standard (PCI DSS) was developed. The standard is maintained by the PCI Security Standards Council and enforced contractually by the card brands, including Visa and MasterCard, through the acquiring banks that sign up merchants. It requires every business that stores, processes or transmits cardholder data to protect that data with a defined baseline of security controls. Non-compliance can result in substantial fines passed down by the acquirer and, ultimately, termination of the merchant's ability to accept card payments.

The Ubiquity of Card Fraud

TJX Companies, Inc., is a leading off-price retailer of apparel and home fashions in the United States and worldwide. In 2006, the company's inadequately secured store wireless network (it relied on the long-broken WEP encryption) was penetrated by criminal hackers, and over 45 million credit and debit card numbers were stolen. Forrester estimates that the total financial impact may be over $1 billion.

Security breaches at large companies are serious and sensational, but just as important are those that occur at smaller retailers. According to a 2009 study sponsored by the National Retail Foundation, 85% of payment card breaches happen in small businesses, and 81% of companies hit by a breach were not PCI compliant.

The reality of card fraud extends to the online world as well. Consider retail giants like Amazon.com and eBay, which deal with millions of customers and products each year. Not only do they serve different marketplaces, they also allow thousands of other retailers to sell through their websites. Customer information is therefore handled by a complex web of technology and people spanning continents, and in such an environment the risk of a breach is always high. Dave Cullinane, Chief Information Security Officer of eBay marketplaces, says, “We see over 4 million security attacks annually, not run-of-the-mill but sophisticated attempts to break in.”

The telecommunications industry is just as much at risk. With the recent boom in mobile commerce, more customers are using their cell phones to book tickets, download ring tones, shop online and pay bills, all through their credit cards.

In the May 2010 U.S. Mobile Consumer Briefing (conducted by the Mobile Marketing Association (MMA) along with Luth Research), it was found that approximately one in five U.S. adult mobile phone owners used their cell phone for mobile commerce in the previous month. Fifty-six percent of mobile content purchases were made through a carrier, and 43 percent used a bank or credit card account for payment.

Clearly, carriers hold a great deal of personally identifiable customer information and, where they take card payments directly, cardholder data as well. Without adequate security their networks are a ready target for attackers, putting both customer data and the carrier's reputation at risk.

The risks are evident. So why don't more businesses pursue PCI compliance?

The problem is that validating compliance can be a complex and expensive procedure. PCI DSS consists of 12 requirements grouped under six control objectives, which break down into around 180 individual sub-requirements and testing procedures, all written in the language of information technology. Meeting them calls for substantial technology, personnel, time and effort, which can be a burden on company finances.

Another problem is that businesses often do not understand the mechanics of card transactions, and consequently where a breach can occur. Typically, when a card is swiped, the transaction details travel from the merchant to its acquirer, are routed through the card network to the appropriate issuer, the customer's account is verified, and an approval (or decline) is returned along the same path. Then the batching, funding and settlement process follows a similar route. It is a long and winding pathway involving multiple parties, computers, network links, encryption systems, account numbers and approval codes, all of which have to communicate with each other seamlessly. Every hop at which cardholder data is stored, processed or transmitted is a point where it can be exposed to an attacker.

Becoming PCI Compliant

To begin with, merchants must meet two validation mandates: quarterly external vulnerability scans of all Internet-facing IP addresses, performed by a PCI-approved scanning vendor (ASV), and an annual report on compliance. The standard itself applies in full to every merchant; what varies with the number of annual card transactions is how compliance is validated. Merchants that conduct more than six million transactions annually fall in Level 1 and require an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), in addition to the quarterly ASV scans.

Under Visa's merchant level definitions, Levels 2, 3 and 4 cover 1,000,000 to 6,000,000, 20,000 to 1,000,000 and up to 20,000 annual transactions respectively (the Level 3 and Level 4 thresholds are measured on e-commerce transactions). These merchants validate by completing an annual Self-Assessment Questionnaire (SAQ) and performing the quarterly ASV scans, although an acquirer may require more.

The scope of PCI DSS covers every system component that stores, processes or transmits cardholder data, and anything connected to it: IT processing systems, network infrastructure, data files, backups, employees and third parties that handle cardholder data on the organization's behalf. The requirements are grouped under six control objectives:

  • Building and Maintaining a Secure Network
    Online businesses expose cardholder data to Internet-facing systems around the clock. Firewalls block traffic that does not meet the organization's documented rules and shield the cardholder data environment from untrusted networks. Firewall and router rule sets must be reviewed at least every six months, and their configurations must restrict inbound and outbound traffic to what the cardholder data environment actually needs and deny everything else. Vendor-supplied defaults for system passwords, wireless keys and other security parameters must be changed before a system is connected to the network.
  • Protecting Cardholder Data
    Businesses that store cardholder information are obligated to protect it. The primary account number (PAN) must be rendered unreadable anywhere it is stored, by truncation, one-way hashing, tokenization or strong encryption with proper key management, so that it is useless to someone who breaks into the database, and it must be encrypted whenever it is transmitted over open, public networks. Sensitive authentication data (the full magnetic stripe, the CVV2 code and the PIN) must never be retained after authorization, even in encrypted form. Storage should be limited to what the business genuinely needs and kept no longer than its retention policy requires, and segmenting the systems that hold cardholder data from the rest of the network both reduces exposure and shrinks the scope of the assessment.
  • Maintaining a Vulnerability Management Program
    Vulnerability exposure is minimized by keeping operating systems and software patched (PCI DSS expects critical vendor security patches to be installed within a month of release), by maintaining up-to-date anti-virus software with regular scans, and by developing and maintaining payment applications securely, including protecting public-facing web applications against common flaws such as injection and cross-site scripting.
  • Implementing Strong Access Control Measures
    Access to cardholder data must be restricted to people whose job genuinely requires it, each using a unique ID so that every action can be traced to an individual, and physical access to the systems and media that hold cardholder data must be controlled as well. Access should be revoked as soon as it is no longer needed, and the data itself securely deleted once its business retention period has expired.
  • Regularly Monitoring and Testing Networks and Security Systems
    All access to network resources and cardholder data must be logged and the logs reviewed, so that unauthorized access attempts can be identified and stopped. Security systems and processes must also be tested regularly: quarterly internal and external vulnerability scans, an annual penetration test, and intrusion detection and file-integrity monitoring on the cardholder data environment.
  • Maintaining an Information Security Policy
    It is important to draft and implement a company-wide information security policy. Employees and contractors must comply with the policies to safeguard customer information. Strong security policies set the tone for the entire company and keep employees aware of their responsibilities to protect sensitive data.
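The "Protecting Cardholder Data" and "Regularly Monitoring" items above can be made concrete with a small amount of code. The following example was written for this page and is not MetricStream's product or any PCI SSC material. It assumes a constructed, Luhn-valid test PAN, a hypothetical HMAC key (LOOKUP_KEY) that in production would be held in a key-management system rather than in source, and the first-six/last-four display rule that PCI DSS Requirement 3.3 permits. It shows what a database row may legitimately contain, why a keyed hash rather than a plain hash is needed for a lookup index, and how to detect and redact a full PAN that has leaked into an application log line.

```python
"""Rendering a PAN unreadable and catching it in logs (added example).

Assumptions (not from the page): a constructed Luhn-valid test PAN,
a hypothetical HMAC key that in production would live in a key-management
system, and the first-six/last-four truncation rule of PCI DSS 3.3.
"""
import hashlib
import hmac
import re

# Hypothetical key, constructed for the example only. In production it is
# generated and stored in a key-management system, never hard-coded.
LOOKUP_KEY = b"example-only-hmac-key-do-not-use!"

# Constructed Luhn-valid test number; not a real account.
TEST_PAN = "4111111111111111"

# Constructed application log line showing the kind of PAN leak that
# "render the PAN unreadable anywhere it is stored" is meant to prevent.
SAMPLE_LOG = ("2010-05-12 10:11:12 INFO order=8841 "
              "card=4111 1111 1111 1111 exp=11/13 amount=42.00")


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form: first six and last four digits, the most 3.3 allows."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def lookup_token(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed one-way hash of the PAN, usable as a database index.

    An unkeyed hash is not enough once the truncated PAN sits beside it:
    with six leading and four trailing digits known, only a million
    candidates remain (about 100,000 after the Luhn check), so a plain
    SHA-256 could be brute-forced offline in seconds.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def stored_record(pan: str, expiry: str) -> dict:
    """What may be persisted: masked PAN, lookup token, expiry date.

    Never the full PAN, and never CVV2, PIN or track data (sensitive
    authentication data), which must not be retained after authorization.
    """
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": lookup_token(pan),
        "expiry": expiry,
    }


# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text such as a log line.

    The Luhn check filters out timestamps, order ids and similar numbers
    that merely look like card numbers.
    """
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every full PAN in text with its truncated form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_PATTERN.sub(_mask, text)


if __name__ == "__main__":
    print(stored_record(TEST_PAN, "11/13"))
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run as a script it prints the storable record, the PAN detected in the constructed log line and the redacted line. The `find_pans`/`redact` pair is the same logic a log-scrubbing filter or a data-discovery scan would apply across application logs, crash dumps and backups during scoping, which is where full PANs are most often found lying about.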

As technology becomes more multi-layered, security issues become more pressing. Unfortunately, some merchants take a reactive approach, waiting for a problem to arise before they scramble to implement controls. The risks involved are tremendous.

A better approach is a proactive one. Merchants who adhere to PCI requirements from Day 1 are far less likely to suffer a security breach. Compliance is undoubtedly complex, but proactive merchants can turn to a solutions provider that helps them meet the requirements of PCI compliance through a range of applications and software.

MetricStream's IT GRC software solution allows organizations to adopt the PCI DSS framework and streamline their key processes for managing IT policies, IT risks, IT compliance and IT audits while enabling multiple stakeholders to have visibility and control.

Key Benefits

  • Supports a library of IT policies covering the six PCI DSS control objectives and their 12 requirements
  • Define controls in the system for PCI DSS requirements at the policy's chapter and sub-chapter level
  • Integrate and automate controls with enterprise security systems
  • Define assessment checklist for PCI compliance requirements
  • Integrate with automated IT audit systems for IT hardware, software and asset compliance assessment process
  • Enable proactive issue management through integration with control and audit automation
  • Adopt an integrated GRC infrastructure to manage a risk-based approach to control assessments, audits and issue management
  • Generate reports for policy compliance, risk scorecard, assessments and PCI DSS compliance status
