Get a Plan for PCI Compliance Washington DC

provided by: 
Originally published at Internet.com

The crackdown on PCI DSS (Payment Card Industry Data Security Standard) compliance is just a few months away, with Visa's plans to fine acquirers between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants (the largest 1,200 who process 1 million or more Visa transactions a year) who have not validated by Sept. 30, 2007 and Dec. 31, 2007, respectively.

The oncoming dates are sending some retailers scrambling. While it's estimated that about 40% of Level 1 merchants have fully adopted the standard, and most of the rest of that group are in the process of doing so, Visa made some revisions last year that bumped some Level 3 and Level 4 retailers into the Level 2 cross-hairs - and there's not more than 20% compliance among merchants in that lowest tier.

And it's not just Visa's plans that are pushing retailers harder on the compliance front. Some other credit card merchants are following close behind in enforcement penalties, and banks, state legislatures, and the feds are also starting to weigh in on the issue in ways that may force more retailers to speed adoption.

"Many acquiring banks have escalated the concerns around these data breaches to the state legislature level," says Stephanie Bridges, PCI Solutions Expert at Tripwire.

The result is that more states are looking more closely at companies that don't conform to PCI requirements and who suffer a data breach, with the aim of getting reimbursement for acquiring banks.

TJX breach

In May, for example, Minnesota passed a law, which goes into effect in August, that requires businesses that fail to implement adequate security to pay some of the costs that others incur if the first business's failure to implement security measures contributes to the theft of consumers' personal information. The law includes a prohibition against retaining the three types of data that are among the PCI DSS requirements, including data from magnetic strips on payment cards, security codes, and PINs, for more than 48 hours after a transaction is approved.

At the same time, "PCI is finding a back door way into various federal laws and regulations," says Barak Engel, principle at information security and compliance consulting firm Engel and Associates, and former CSO of InStoreCard.

TJX, for instance, faces a Federal Trade Commission investigation around whether it violated consumer protection federal law, in the case of a security breach involving the theft of over 45 million credit and debit card numbers.

Tripwire Enterprise software, which enables configuration auditing and control by detecting all change across the IT infrastructure, automatically correlating change with multiple acceptance criteria and generating actionable change reports, has been purchased by more than 100 customers for PCI compliance, the company says.

"The TJX breach went on for 18 months," says Engel. "The hackers were posting messages back and forth to each other within the TJX network, and making changes to files, and had something like that been detected using TripWire with some daily reconciliation, they would have caught something like that sooner."

Next Page: Coralling the cowboys...

Back to Page 1

Of course, it's as much a culture issue as it is a technology one, he notes. In many organizations, IT personnel have a "cowboy culture," where they're used to fixing systems without having to report on what they're doing.

"It's a challenge to change the mentality. You see that culture surprisingly often," he says. "It's rare to see a well-managed change management process, unless there has been an external reason to implement one."

Eyes are opened, though, when software gives visibility into the changes happening on the system, he says, noting that when organizations see that hundreds or thousands of changes are being made in a single day they really start asking why they were done, should they have been done - and which ones were not authorized.

There are more reasons to embrace PCI compliance, though. One is that PCI, which has the tremendous advantage of being very focused, is relatively easy to understand, Engel says, compared to more vague guidelines like Sarbanes Oxley. For many organizations, PCI is the first framework they have to adhere to, and the good news is their work can play into other efforts like SOX compliance.

"Because PCI is so well defined and it is a best practice for protecting sensitive data of any nature - not just cardholder data - you find organizations saying, 'I am doing PCI on merchandising or loss prevention systems, so why not expand this to financial systems, then go to my SOX auditor and see if that handles what I need to do on those systems as well?"

Engel offers another tip for organizations moving to PCI compliance. Instead of reading the standard first and then working to implement it across all systems, organizations should first go to their environments and identify all use cases for credit cards - where data originates, is stored and transmitted, and why. The exercise might point up legacy systems and Excel spreadsheets with credit card numbers stored on them that could be eliminated from the process.

"You will end up with a significantly smaller scope for PCI compliance, then draw boundaries again until you get to the core of where credit cards need to be used in the environment," he says. "Then open the PCI standard and figure out where to apply controls to what's left."