PCI compliance after the TJX data breach

PCI DSS is to the credit card industry what Sarbanes-Oxley (SOX) has been to publicly held companies. It's pushing them to comply with the PCI Security Standards Council guidelines, the most recent of which was drafted in September 2006. It forces card issuers and processors to invest in the necessary compliance technology and training or face crippling consequences. Those who don't can be heavily fined or barred from issuing or accepting cards from any council members. And, because the council consists of a consortium of five powerful card companies -- Visa, MasterCard, American Express, Discover and JCB -- not complying can effectively ban a bank from issuing cards or a merchant from accepting them.

PCI DSS is not groundbreaking; it is simply a set of information security standards no different than those at any large bank or publicly held corporation. But it has molded security throughout the credit card industry lifecycle, from how banks issue cards to how retailers accept them.

During the TJX breach, hackers stole an undetermined number of credit card accounts, some of which dated back to 2003; as a result, dozens of banks reported incidents of fraud from the compromised cards. Also, because TJX had stored old account information instead of deleting it, the company violated a PCI requirement, which mandates that a company remove data it no longer needs.

In total, there are twelve PCI DSS-required controls. They cover access management, network security, incident response, network monitoring and testing and information security policies. PCI DSS critics claim, in some cases, that it's too restrictive; it interferes with how companies set up firewalls and antivirus software, for example, and is too vague in other areas like incident response and network monitoring.

Additionally,

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and Governance Digest Red Flags Rule compliance How AML compliance applies to remote deposit capture Tokenization and PCI compliance Data governance and classification The PCI compliance case for source code review Identity management for financial firms in turbulent times PCI DSS: Best practices for compliance Red Flag Rules compliance demands a risk-based approach Understanding the impact of new state data protection laws Understanding the FFIEC remote deposit capture guidance PCI DSS compliance Download presentations from Financial Information Security Decisions 2009 Two conversations about risk assessment Why financials should pay attention to NERC CIP Infosecurity pro pitfalls RBS WorldPay regains spot on Visa's PCI compliance list Tokenization and PCI compliance Heartland breach cost $12.6 million, CEO says PCI certification isn't always the right answer Heartland gains PCI compliance from Visa The PCI compliance case for source code review

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CISP-PCI  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

these twelve controls are grouped together under six PCI DSS "control objectives." They include:

The standard also requires that PCI compliance be certified by two separate outside consultancies. And with that in mind, numerous consultants now offer PCI compliance services.

Vendors are also placed in one of four risk categories. These risk categories are based on a company's annual credit card transaction volume. Those processing more than six million transactions a year per card plan are classified as level 1; companies processing less than six million but over 150,000 transactions are classified as level 2. Vendors processing 20,000 transactions are classified as level 3 and vendors processing less than 20,000 transactions are classified as level 4.

While this may sound overwhelming, there are some best practices that can ease the PCI compliance burden and actually mesh with a company's existing information security program.

To start, use the two keys for PCI compliance: Remote vulnerability scans and the assessment completions. Remote vulnerability scans should be conducted on a quarterly basis, cover all Internet connections to and from the company, including dedicated ones, like those for Web and email servers. The scans must also be conducted by a PCI Security Standards Council-certified approved scanning vendor (ASV). The assessments must be conducted annually by a qualified security assessor (QSA), which like its ASV counterpart, must be certified by the council. It is important to note that level 1 vendors are also subjected to a site visit in addition to the annual assessment.

When choosing a QSA and ASV for a compliance program, check if they have the technical experience and expertise in the six control areas. A QSA should be able to audit for the 12 controls, while an ASV should have a track record of conducting vulnerability assessments.

There are a lot of major players in the approved list of QSAs and ASVs: Foundstone, Symantec, Cybertrust, LUHRQ, Ernest and Young and KPMG are some common ASVs; QSAs include Symantec, ISS, Remington, and Neohapsis.

To stay compliant, keep complete records of how the required controls are set up, maintained and changed. Internal IT auditors should also use the PCI standard as a point of reference in regular audits to ensure the company remains compliant. It's also a good idea to hold employee training sessions for those who handle credit card data in compliance procedures.

While PCI compliance seems like another IT security headache, most of it is based in established security procedures and policies. And, with a lineup of well-known consultants, compliance can be integrated into a company's existing security program.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security. As an Ask the Expert panelist, he answers questions on identity management and access control.

Rate this Tip To rate tips, you must be a member of SearchFinancialSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.