If you accept credit cards at your business, the payment card industry has a list of standards that they claim you can’t leave home without.
The PCI Data Security Standard was developed by the major credit card companies – American Express, Discover, JCB, MasterCard and Visa – in order to standardize credit card data protection and help organizations prevent fraud, hacking and various other security issues. Prior to these standards, each card company had their own set of requirements. Compliance with PCI DSS is mandatory for all merchants that accept credit cards by June 30.
“It establishes the baseline and tells retailers, at the very least, what they should have for security,” Francis Ho, executive officer at the Federation of Security Professionals in Toronto, said. “This is going to force all the merchants to stay at the same level.”
The standard sets out 12 basic security requirements, which include maintaining a secure network via a firewall, encryption of cardholder data, regular updates of anti-virus software, and strong access control measures. Penalties for noncompliance range from fines of up to US$500,000 to losing the ability to accept credit card transactions.
Retailers and service providers can be validated as compliant with an audit by a PCI DSS Qualified Security Assessor. The standard, which went into effect in June 2005, is now managed by the PCI Security Standards Council, which was instituted by the credit card companies last year.
Avivah Litan, vice-president and research director at Gartner Inc., said that even though the standards are comprehensive, they lack innovation and are overly prescriptive in nature.
“It doesn’t take account of some of the newer security technologies that are evolving, like user activity monitoring, data protection, content monitoring and network behaviour analysis,” Litan said. “There are a lot of innovative security technologies that don’t fit into their prescriptions, which is the trouble you get into when you start prescribing technologies. It’s overly prescriptive in some areas and too broad in other areas, so hardly any company can meet all of their requirements.”
Litan also said the standards needed to provide more direction for retailers without a solid security base.
“With hundreds of sub-requirements, they don’t tell you where to get started,” Litan said. “For example, they aren’t very clear about what part of your network you have to worry about, so when they tell you all your servers are connected to cardholder data, it’s difficult to know what to do because they don’t provide a definition of what constitutes good network segmentation.”
Teranet, which provides access to the Ontario Electronic Land Registration System, was recently validated as a fully compliant service provider with the PCI DSS. This distinction will allow Teranet to provide PCI-compliant services to its clients, which include government agencies and hospitals, while also shielding them from meeting PCI DSS requirements themselves.
The company said that because it had already implemented many of the PCI standards in its existing security practices, complying with the new standards was a simple process.
“Given the fact that we had already done a lot of the work, it took us roughly six months,” Joe DeSouza, director of development at Teranet, said. “One of the things that we implemented when we first started using credit cards was the encryption of data, and that’s been a philosophy that we’ve kept right through, because we consider that to be very sensitive information.”
Litan said that while more spending on security is always a good thing, she doesn’t feel putting the onus on retailers and service providers is the right answer.
“The credit card companies have shifted all the responsibility for security on the retailers, when they could much more easily change the payment system so it wouldn’t matter if the data’s stolen,” Litan said. “For example, if they required even just a regular static pin on every transaction, it would cut fraud way down.”
DeSouza disagreed that merchants are getting a raw deal, and said that companies need to take responsibility for their customers’ security needs.
“I think security is everyone’s responsibility and that it is a layered solution,” DeSouza said. “If you are processing credit card information, then you have an obligation to your customers to protect the data and not transfer over the responsibility to credit card companies to do so.”
Ho, another strong supporter of the standards, said banks and credit card companies have historically borne the responsibility for credit card data protection. He felt that these standards were long overdue.
“Retailers have never been on the hook,” Ho said. “I don’t think the standards are too tough on them. If anything it could be tougher.”