As organizations continue to struggle with implementing the Payment Card Industry Data Security Standard (PCI DSS), the number of recommendations and interpretations of how to implement it continue to spiral. The importance of compliance with the standard is obvious: credit card fraud is a multibillion dollar criminal enterprise, and credit card information is the key commodity that enables these crimes.
However, the details of PCI DSS compliance are still often misunderstood. Listening to security software vendors, in particular, one would think that PCI DSS compliance is simply about buying and implementing the right types of software: Security Information and Event Management (SIEM), Data Loss Prevention (DLP), Network Admission Control (NAC), and Intrusion Detection and Prevention Systems (IDS/IPS) software-and then walking away.
The bad news is that compliance with this important standard requires much more than software. The good news is that, for most organizations, a basic set of requirements-the “must-have’s” of PCI DSS compliance-can help to frame a successful PCI DSS program.
Fundamentally, the PCI DSS standard exists to protect one type of data: cardholder data, a catchall term that includes both visible information found on the credit card (such as the cardholder’s name, card number and expiration date), as well as data encapsulated in the magnetic strip. The standard impacts any organization that stores, processes or transmits any part of cardholder data. Of course, that broad definition includes many different types of organizations, including the following four:
From single-store, brick-and-mortar retail establishments to the largest international retailer, each of these must comply with PCI DSS if they accept credit or debit cards. Fortunately, smaller merchants typically outsource some or all of their technology to service providers. These service providers maintain a large part of the responsibility for ensuring that merchants’ data remains secure according to the PCI DSS standard.
2. Payment processors
A critical component in the chain of credit and debit card use, payment processors are responsible for securely routing card payment requests on behalf of merchants to financial institutions.
3. Financial institutions
These are the issuers of credit and debit cards, who manage the cardholder’s account and are responsible for determining whether or not a transaction should be approved, based on factors such as the cardholder’s available funds, cardholder standing, and unusual or potentially fraudulent recent card activity, etc.
4. Service providers
These are vendors who provide cardholder-related equipment and/or services to merchants and other organizations. Under PCI DSS, service providers are fully responsible for implementing PCI DSS processes and controls on the cardholder data they manage-even if the cardholder is not their direct customer. As a result, many smaller merchants can work with their service provider to help ensure that they achieve and maintain compliance with PCI DSS.
How to Ensure PCI DSS Compliance
How to ensure PCI DSS compliance
So, what are the things that an organization must do to ensure PCI DSS compliance? Although an organization’s needs will vary depending on its size, the types of applications and systems it uses, and the number of card transactions it processes, there are some universal requirements for organizations that need to comply with PCI DSS:
Requirement No. 1: Build a security program
The PCI DSS standard is not designed to be addressed as a series of “checkboxes.” Instead, PCI DSS really lays the framework for an information security program that includes governance, risk management, and both processes and controls.
While many organizations today approach PCI DSS using a checkbox mentality (and many security product vendors are eager to sell their products as “PCI-in-a-box”), the reality is that doing PCI DSS the right way means establishing a security program-not just deploying PCI-related technologies.
Requirement No. 2: Implement both processes and controls
Complying with the PCI DSS standard requires organizations to implement both processes and controls around their use of cardholder data. This includes making sure that the methods they use to receive, process and transmit that data are secure. Processes are essentially repeatable patterns to ensure security, such as ensuring that all visitors to a facility that contains systems that store or transmit cardholder data are logged in and tracked during their visit.
Controls are generally things that can be implemented (often using technology) to ensure the security of cardholder data; for example, establishing minimum password length and complexity requirements. Both processes and controls need to be implemented to comply with PCI DSS; compliance cannot be achieved by simply “throwing technology against the wall to see what sticks.”
Requirement No. 3: Know your assets
The PCI DSS standard applies to any system that either stores or transmits cardholder data. This is an important distinction because, in many environments, the systems that store or process cardholder data are relatively few compared to the overall technology infrastructure.
Consequently, these organizations only have to implement the PCI DSS standard on the infrastructure and systems that actually store, process or transmit cardholder data. By properly segmenting out PCI DSS-affected infrastructure and systems, organizations can more easily ensure compliance by limiting PCI DSS-specific controls and processes to this environment.
Requirement No. 4: Ensure that business partner agreements are in place
Almost every PCI transaction requires exchanging cardholder data with a third party: consumers provide card information to merchants, merchants send cardholder data to payment processors using equipment installed and managed by their service providers, and payment processors query financial institutions as to the legitimacy of card numbers and availability of funds.
This kind of sharing of highly-sensitive data requires that strong, well-defined business partner agreements exist between each of these groups, including guarantees that these third parties comply with the PCI DSS standard.
Employee Training and Awareness are Crucial
Requirement No. 5: Employee training and awareness are crucial
One often-overlooked aspect of PCI DSS is the important need to ensure that employees-from merchants’ retail salespeople to online store customer representatives to anyone else with access to cardholder data-understand how to properly use highly-sensitive cardholder data. Many malicious attackers think of employees as the “weak link in the chain.” They will rely on tactics such as spam, phishing and malicious Web sites (as well as social engineering techniques) to coerce employees into being unwitting players in the theft of credit and debit card information.
Requirement No. 6: Your auditor is your friend
PCI DSS auditors, or Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), exist to help organizations become more secure. Organizations should not be afraid to challenge their auditor if they believe that the auditor is unfairly evaluating processes and controls. But they should also accept it when real weaknesses are discovered by their auditor, and they should work with them to improve their compliance posture (and, by implication, reduce the likelihood of risk).
Requirement No. 7: PCI DSS is a starting point
The PCI DSS standard provides a starting point-a minimum set of processes and controls-that organizations must implement to ensure compliance. However, just like any security regulation, best practice or standard, PCI DSS is no “magic bullet.” Nothing precludes organizations from implementing more stringent processes and controls than what is defined in PCI DSS. In fact, risk-based evaluations should drive whether organizations implement processes and controls that go above and beyond the minimum baselines defined in PCI DSS.
So then, what are the “like-to-have” aspects of PCI DSS compliance? Ultimately, they are the things-processes, controls, technologies and legal agreements-that give the organization a belief that they have reasonably reduced risk. For some organizations, this may mean deeper background checks on prospective employees and intense security training. For others, it may mean extremely detailed business partner agreements that expand on the minimum requirements of PCI DSS.
For still others, it will be more complex encryption or the abandonment of higher-risk technologies such as wireless Internet. For most, it will be some combination of these processes and controls. Regardless of the details, by implementing a program-based approach to PCI DSS compliance, coupled with some basic-but critical-processes and controls, organizations can both reduce their risk and improve security, while ensuring that they are compliant with the PCI DSS.
John Linkous is the IT Security and Governance, Risk and Compliance (GRC) Evangelist at eIQnetworks, Inc. In this multifaceted role, John is responsible for establishing the company’s risk and compliance management product strategy, working with product management and engineering teams to ensure that products meet customer needs.
John has over 15 years of technology management and consulting experience, specializing in enterprise systems management, information security and regulatory compliance, with diversified global clients across a broad range of sectors. His knowledge of information security and compliance issues, ability to communicate and bridge the gaps between technology and business, and his clear writing style have made him a sought-after keynote speaker and author. John is the author of numerous published books and white papers.
Prior to joining eIQnetworks, John was vice president of operations at Sabera. Previously, he was co-founder and partner of a national IT consulting firm, specializing in enterprise infrastructure design and security. Before that, John was CIO of one of the nation’s largest privately-held public relations firms. John began his career as a consultant at the National Aeronautics and Space Administration (NASA). John holds a B.A. degree in History and English Literature from the University of Maryland, and maintains numerous industry technical certifications. He can be reached at [email protected].