Best Practices for PCI Compliance

PCI, like most information security fundamentals, is simply focused on attention to detail and risk management.
This story appears in the December 2007 issue of BizTech Magazine.

By now, most IT managers are familiar enough with the PCI Data Security Standard (PCI DSS) to know it is a requirement if they want to process credit cards. What frightens many of them is that they are wading into unfamiliar territory and worry that PCI will consume a significant amount of their staff’s time and their department’s budget.

But even the most expensive PCI project pales in comparison to the cost of a single significant data breach. One breach can cost millions of dollars to clean up and tens of millions of dollars in long-term costs.

TJX Companies, for example, is now the poster child for how to do things wrong when it comes to a breach. The company announced earlier this year that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems during an 18-month period. That theft is one of the largest reported customer data breaches to date.

The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. TJX also reported that it would continue incurring these types of costs related to the intrusion.

With a comprehensive and formal security program in place, one that supported the specific PCI requirements relevant to its business, chances are TJX would not be in the situation it is in now: facing myriad lawsuits. TJX violated numerous basic security guidelines and various PCI requirements, all of which had a direct financial impact on its earnings.

Understanding PCI Compliance

Businesses that process credit cards fall into one of four PCI levels based on their annual processing volume. All levels are held to the same PCI DSS technical requirements but differ in how compliance must be validated:

Level 1: More than 6 million transactions annually across all channels, including e-commerce.
    • Requirement: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans.
Level 2: 1 million to just shy of 6 million transactions annually.
    • Requirement: Annual Self-Assessment and Quarterly Network Scans.
Level 3: 20,000 to 1 million e-commerce transactions annually.
    • Requirement: Annual Self-Assessment and Quarterly Network Scans.
Level 4: Fewer than 20,000 e-commerce transactions annually, and all merchants across channels with up to 1 million Visa transactions annually.
    • Requirement: Annual Self-Assessment and Annual Network Scans.

The following are the 12 PCI DSS requirements:

  1. Install and maintain a firewall configuration to protect data. Note that there is no such thing as a "PCI-compliant firewall." PCI Requirement 1.1 is intended to ensure that companies put a firewall configuration policy in place and develop a methodology for testing that configuration. A merchant must configure the firewall accordingly to protect cardholder data; most firewalls can be configured to meet that need.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

A quick review of these 12 requirements shows nothing close to being revolutionary. In fact, the PCI DSS is simply basic computer security.

Security Frameworks

The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799 or Information Technology Infrastructure Library) encompasses the assumptions, concepts, risk values and security practices underlying an organization’s information security infrastructure. Frameworks are invaluable because today’s enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations — the category PCI falls into — enable organizations to demonstrate compliance.

Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations such as Sarbanes-Oxley. Of course, an effective framework also makes PCI compliance significantly easier to achieve.

PCI Best Practices

This article doesn’t detail the myriad best practices for PCI compliance. But executing the following steps will make your PCI project run much more smoothly.

  1. Gap analysis
    • Gap analysis is a natural starting point for any PCI endeavor.
    • Determine whether each requirement is adequately addressed for every in-scope system.
    • The PCI Self-Assessment Questionnaire from the PCI Security Standards Council should be completed. The SAQ is divided into six sections, each focusing on a specific area of security, based on the DSS requirements. After completing the SAQ, you should have a fairly good idea of which controls and tools are in place and which are not.
  2. Policies/procedures
    • Establish policies and procedures to limit the storage and retention time of PCI data.
  3. Data discovery
    • Know exactly where all your relevant PCI data is.
    • Identify all payment acceptance channels, data flows and locations where PCI data is stored.
  4. Create process for data encryption
    • Far too many merchants send unencrypted credit card data via e-mail. Create a program for encrypting data.
  5. Don’t store track data
    • Merchants are prohibited from storing track data. Track data is the information encoded in the magnetic stripe on the back of a credit card, which is read by a point-of-sale (POS) system.
    • Some POS systems have been collecting this information without the merchant knowing. Hackers find out which POS systems store this information and then target the retailers who use that particular system.
    • Additionally, merchants have misunderstood what information they actually needed in order to process transactions.
    • Most POS vendors with systems that capture and store that information have been scrambling to make sure they and their customers are making the appropriate adjustments to become PCI compliant.
  6. Unsecured wireless
    • Merchants should not use unsecured wireless networks to transmit data.
  7. Training
    • PCI training is a must. Not every staff member needs to be a PCI Qualified Security Assessor (QSA), but they do need a formal training program on what they must do to ensure they handle credit card data in a manner that supports the PCI requirements.
  8. POS modification
    • POS systems can be the Achilles’ heel of a PCI effort.
    • Ensure that POS devices are not storing full card data, especially Card Validation Value/Code.
    • The full 16-digit credit card number should never appear on any hard copy output.
  9. Physical security
    • Ensure appropriate physical security of systems and associated peripherals. Verify no unauthorized physical access.
  10. Logging
    • Regularly review system security and audit logs.
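As an added example (not from the article or its authors), a small Python scanner for the data discovery step and the POS check in step 8: it finds Luhn-valid card numbers and raw track-2 swipes in exported logs or files and reports them masked, so the report itself does not become another store of cardholder data. The sample log is constructed; the regular expressions and masking rule are this example's own choices.

```python
"""Scan text for cardholder data (PAN and magnetic-stripe track 2) and report it masked."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as encoded on the magnetic stripe: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; weeds out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the most PCI DSS allows on a display)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_card_data(text: str) -> list[tuple[str, str, int]]:
    """Return (kind, masked_pan, offset) for each hit; the clear PAN is never returned."""
    hits, track_spans = [], []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("TRACK2", mask_pan(m.group(1)), m.start()))
            track_spans.append(m.span())
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in track_spans):
            continue            # already reported as part of a track-2 record
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", mask_pan(digits), m.start()))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample: a POS log export with one clear PAN, one raw swipe and two
# look-alike digit runs (an order id and a ticket number) that must not match.
SAMPLE = """\
2007-11-02 14:03:11 pos01 auth request card=4111 1111 1111 1111 amount=42.10
2007-11-02 14:03:12 pos01 order id 20071102140311 ok
2007-11-02 14:03:15 pos02 swipe raw=;5500000000000004=0912101123400001?
support ticket 1234-5678-9012 follow-up
"""

if __name__ == "__main__":
    for kind, masked, offset in find_card_data(SAMPLE):
        print(f"{kind:6} at offset {offset}: {masked}")
```

Any hit on a system that is not supposed to hold cardholder data is a finding for the gap analysis; a TRACK2 hit means a POS device is retaining swipe data and needs the vendor fix described in step 5.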

PCI, like information security in general, comes down to attention to detail and risk management. By attending to those core elements and combining them with these best practices, you will significantly increase your ability to achieve PCI compliance.

Bryan Johnson (bryan.johnson@getbraintree.com) is the founder and CEO of Braintree Payment Solutions, an end-to-end provider of payment processing solutions. Ben Rothke (ben.rothke@bt.com), CISSP, QSA, is a security consultant with BT INS and author of Computer Security: 20 Things Every Employee Should Know.