Jay White had no trouble understanding everything that would be required under the Payment Card Industry Data Security Standard (PCI DSS). As global information protection architect for Chevron, he has long dealt with the demands of regulatory compliance.
Bound by "every regulatory law ever made," as White put it, Chevron long ago developed a security program based on layers of defensive technology and strict policies for handling data on the network. Doing so put Chevron in a strong position to meet the PCI DSS requirements, and it easily met the Sept. 30 compliance deadline for Level 1 merchants, he said. (Level 2 companies had until the end of December to meet the security requirements.)
A recent report from Mountain View, Calif.-based VeriSign Inc. suggested many companies are still struggling with the demands of PCI DSS. The company based its report on a review of 60 PCI audits it recently conducted for 50 large companies and measured the extent to which companies are meeting more than 230 data security requirements. The company determined that 53% failed to meet key elements of PCI DSS and that companies were coming up short in such areas as regular testing, securing applications, logging and protecting data. The chief point of failure for 48% of customers was that they weren't regularly testing their controls to make sure they work.
White said the report doesn't reflect the reality at Chevron, a San Ramon, Calif.-based energy giant with a presence in 180 countries, 53,000 employees and almost as many contractors. White said the need to protect customer credit card data was well understood long before PCI DSS.
"Our credit-card processing system is hooked into all the major banks and making sure that's protected is our primary focus," he said. "Chevron has over 7,000 points of sale and needs to ensure that when a person is at the gas pump sliding their card, their information is being secured."
To do that, White said the company encrypts any data that is stored, in keeping with most government security regulations and industry standards. The company also relies on two-factor authentication to ensure the network is only accessed by authorized personnel, and it has invested a lot of time and money on backup and recovery systems as well as patch management procedures.
"We did away with user IDs and passwords because they are inherently insecure," White said, noting that Chevron now uses a Smart Badge authentication program based on something the user knows and something the user has. "We moved to two-factor authentication four years ago and lived with that and the user ID and passwords until last year. Doing away with [user IDs and passwords] was a monumental task. We have about 5,000 applications and user IDs and passwords were needed to some extent to access them."
Chevron's patch management system is based on evaluating the criticality of a security update and focusing on the most vital systems first. Any patch affecting the operating system or database is top priority, followed by application fixes. White estimated that it takes 48 hours to deploy patches for 90% of the 70,000 desktops and laptops in Chevron's IT orbit.
With those procedures in place, he said Chevron had no trouble meeting the Sept. 30 PCI DSS deadline. If anything, he said, the PCI DSS compliance project simply validated what the company has been doing for six years. "Before PCI DSS, we had a robust security program," he said. "We were able to quickly align PCI DSS with our own standards. Good security practices will serve you well, no matter what the regulations."
Under PCI DSS, Level 1 businesses -- those that process more than 6 million credit card transactions a year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 and Level 3 companies, which together cover those processing 20,000 to 6 million credit card transactions a year, must fill out an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans. The standard sets out 12 basic security requirements, including encryption, access controls and firewalls. Penalties for noncompliance include fines of up to $500,000, increased auditing requirements and even losing the ability to process credit card transactions.
The toughest challenge for many companies has been identifying every part of the network where data rests, said Steve Schlarman, chief compliance strategist for Reston, Va.-based Brabeion Software, a vendor of IT governance, risk and compliance management programs. Schlarman got plenty of first-hand experience working with a number of Fortune 500 companies on security compliance during his time with PricewaterhouseCoopers' advisory practice. Despite the challenges, companies seem to be getting a grip on the problem, he said.
"Once they get a hand on where all their data is, PCI DSS gives them a pretty solid description of what's needed," Schlarman said. "The main struggle now will be sustainability, the ability of companies to maintain and regularly update the PCI DSS processes they have put in place."
Companies should be under no illusion that they're all set with PCI DSS based on the most recent compliance work, he said. The standard will continue to evolve to keep up with new threats and technologies, and that will probably mean regular tweaks for the typical IT shop.
How will PCI DSS evolve for future threats? Schlarman believes an increasing amount of attention will have to be spent on wireless security.
"IT doesn't always have the ability to know where the network stops or where it is going," he said. "Wireless added a whole new dimension to the threat landscape, and the iPhone will add still another dimension."
Someday, he said, people will be able to use their cell phones to make credit card transactions. "That," he said, "will be a big challenge for point-of-sale entities."