Application security may be at the top of the list for financial institutions when it comes to PCI compliance this year. But the economic recession is making it difficult for some information security pros in financial services to get the funding they need to accomplish their goals, experts said.
Shoring up Internet-facing applications is a big focus for financial-services firms this year as they migrate to version 1.2 of the Payment Card Industry Data Security Standard, said Randall Gamby, analyst at research and consulting firm Burton Group. The new version of the PCI standard was released in October.
"Cybercrime is getting too sophisticated. What was secure a year ago may not necessarily be secure today," he said. "They have to go back and re-evaluate their Web front ends to make sure they're secure in this environment."
For financial-services firms that are card issuers or acquirers, oversight of their Level 4 merchants' PCI compliance will be a priority, Gamby said. However, with the federal government paying close attention to financial institutions' spending in the wake of its bailout of the industry, projects -- including PCI -- are undergoing a higher degree of scrutiny, he said.
As a result, even though many organizations view PCI compliance as mandatory, they're reducing funding for PCI projects, which face stiff competition from other business initiatives, he said. For example, a security pro may only get 10% of the funding he or she requests for an application firewall project.
"You need to have very good justifications" for PCI projects, Gamby said. "The internal competition is very difficult."
The economic recession will have an enormous impact on PCI compliance, said Larry Ponemon, founder and chairman of Traverse City, Mich.-based Ponemon Institute, a research firm. "When companies are rich, protecting their brand becomes important, so they invest in security and controls," he said. "But when you're in survival mode, do you fire your workforce or have less security?"
Some companies, including financial-services firms, are cutting their security budgets in half and favoring revenue-generating initiatives because of the economic crisis, he said. "They may be cutting too much and creating too much risk," he added.
Every year, the Ponemon Institute issues a study on the cost of a data breach. According to the 2007 study, data breaches cost companies $197 per compromised customer record compared to $182 in 2006.
Despite tight budgets, Ponemon said financial firms have a number of PCI priorities, including third-party oversight. Many trying to achieve PCI compliance have found that the standard legal contract a vendor signs isn't always adequate protection, so they're looking to ensure the security of business partners who handle cardholder data.
Monitoring of privileged insiders, encryption and mobile security are other top focuses, Ponemon said. "There's going to be more effort on authentication, who has control over the data and how to ensure those people -- the small, elite group of users -- are in fact doing the right thing," he said.
PCI has forced companies to take encryption more seriously while mobile security has become a hot topic in financial services as they look to build new customer relationships and generate more revenue via mobile banking, he said.
Due to the recession, organizations in all industries are prioritizing PCI projects, said David Taylor, founder of the PCI Knowledge Base, an independent research community.
"What they'll do first are those things that have the clearest possible return on investment," he said.
A good example of a project that can help both the bottom line and PCI compliance is automated log management, Taylor said. Companies can spend a lot of time and effort sifting manually through multiple logs while proper analysis of the logs requires the expertise of security professionals who would rather spend their time on other work, he said.
"If you don't automate this, you'll never get it done," Taylor said. PCI compliance can be a good reason for automating log management via a security information management system, he added.
Key management is another project that can be easy to justify on a budget basis, he said. Once a company has met the encryption requirements of PCI DSS, managing the encryption keys can become a problem, making a key management system justifiable, he said.