About Me

Name: daf

PCI compliance

March 9, 2009 (Computerworld) The organization responsible for administering the Payment Card Industry Data Security Standard (PCI DSS) is offering new guidance to companies on how to comply with the rules for protecting credit and debit card data.
PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit card companies in 2006, last week released a document (download PDF) that lists the most efficient order for companies to implement the 12 security controls mandated under PCI DSS. The prioritized approach groups the controls under six milestones that companies can use as a road map towards PCI compliance, according to council officials.
Bob Russo, the council's general manager, said the framework is "the culmination of a lot of input" from various stakeholders within the payment card industry. It's designed, he added, to help companies that haven't yet started on their PCI compliance efforts and are wondering what they should do first.
The release of the rollout guidance by the council comes nearly four years after the PCI standard first went into effect, imposing a set of data security requirements on all entities that accept credit and debit card payments. The effort to create the framework indicates that many merchants, especially smaller ones, still aren't fully compliant with the standard and need help implementing it, said Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill.
"I think there are a lot of merchants who feel overwhelmed at the amount of remediation they need to undertake to become fully compliant," Huguelet said. That, he added, has resulted in a sort of "paralysis" in which some merchants either are doing nothing in regards to PCI compliance or are only taking on some of the easier requirements, which by themselves do little to reduce the overall security risks faced by companies that process card transactions.
By offering a framework that explicitly ranks the relative importance of the different requirements, the PCI council has finally given businesses that have yet to comply with the rules a way to move forward, according to Huguelet. "The journey of a thousand miles begins with a single step, and the PCI [council] has now officially announced what those first steps for merchants really should be," he said.
The first of the six milestones outlined in the framework deals with the need for companies to purge sensitive card-authentication data from their systems and limit the amount of data that they collect and retain. Among the measures that have to be implemented in this stage are purging magnetic-stripe data and personal identification numbers (PIN) from systems and destroying old data storage devices via measures such as shredding.
The second milestone involves firewalls and other controls for securing the perimeter of networks, while the third focuses on Web application security, and the fourth focuses on network monitoring and access control. The fifth and sixth milestones include measures for protecting cardholder data via physical and virtual controls and implementing change-control and auditing mechanisms, respectively.
According to Russo, the milestones give companies a more organized way to achieve compliance while also ensuring that the highest-risk security issues are addressed first. And, he said, a spreadsheet-based tool released with the framework will enable companies to plot their progress against the milestones and let auditors get a quick snapshot of the PCI compliance status of their clients.
The release of the framework also comes at a time when an unabated stream of data breaches — including two recent ones at payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. — is again raising questions about the effectiveness of the PCI standard.
In the past, Russo has asserted that there's nothing wrong with the standard itself and that the controls it mandates are adequate for meeting current threats. Last year, the council added requirements for protecting Web applications and a new standard for PIN entry devices, while also releasing a Version 1.2 upgrade of PCI DSS.

PCI QSA

This week I've been in Sydney on a training course to become a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI-DSS).

The PCI-DSS is a standard jointly devised by VISA, Mastercard, American Express, JCB and Discover that details the security controls that must be in place to protect credit card data from electronic or paper theft. Any company that processes, stores or transmits credit card data is now obliged to be compliant with PCI-DSS, and any company that isn't compliant is at risk of losing its merchant status (ability to accept credit cards) and suffering a fine. As you can imagine, losing merchant status would mean the end of business for many companies, so this is a very big thing.

As a QSA I will be carrying out audits of the larger merchants and providing a Report on Compliance (ROC) to their acquiring bank to testify whether or not they comply. This is something I have to take very seriously because if I report that a company is PCI compliant and then they get hacked, any fine incurred by the merchant could be passed on to my company if it can be proven that my report was inaccurate. So any company that chooses me as their QSA should not expect to get an easy ride!

Only the larger merchants have to be audited by a QSA; smaller merchants can submit a completed Self-Assessment Questionnaire (SAQ) to their bank. However, if the bank is unhappy with the answers in the SAQ they will tell the merchant that they are non-compliant, as many merchants are now discovering.

It's not just merchants that I'll be able to audit either. The banks themselves, classed as Service Providers, and other companies that process payments up the chain from the merchants could also be subject to my microscope.

The requirements of PCI-DSS are quite stringent and for smaller merchants can be highly complex. In the last couple of years I've been helping companies implement compliance programs to meet the requirements of PCI-DSS and accurately complete their SAQ. Becoming a QSA takes me to the next level and authorises me to audit companies on behalf of the Payment Card Industry Security Standards Council. Although I'm a QSA, I only retain my status as a QSA whilst working for a QSA Company (QSAC). Vice versa, the company I'm working for will only retain its QSAC status whilst it has QSAs in its employment, which at the moment is me and one other.

I'm not quite there yet: I've sat the course and met all the other requirements, and yesterday I sat the exam, from which I'll get the results in the next 2 weeks. I'm also waiting for my police checks to come back. I'm not expecting any problems (I'll have some explaining to do to my company if I've failed either of them!).

The course itself was quite interesting. I was already familiar with a lot of it as I've been working with the standard for the last 2 years but it did help clarify a lot of questions I had over the grey areas in the standard. I also learnt a few cool tricks such as how to find credit card numbers and a formula that can be applied to discover whether or not a number that you're looking at is in fact a valid credit card number or not. Quite a nice party trick (for a very geeky party!).

I'm on a 6-day hacking course in Canberra next week so that knowledge combined with my PCI knowledge should make me a valuable resource for the Russian Mafia. Just kidding!
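The number-validity formula the QSA post mentions is, for payment card numbers, the Luhn mod-10 check, and "finding credit card numbers" in a merchant's own files and logs is exactly the discovery work that the first milestone of the prioritized approach (purging stored card data) depends on. The following is an added example, not code from either post or from the PCI council, showing how a defender scans text for candidate PANs, filters out false positives with the Luhn check, and masks any hits to the first six and last four digits (the most PCI DSS allows to be displayed) so the scan report itself does not become another copy of cardholder data. The regex, the masking helper and the sample log lines are constructed for this example; real discovery tools also use per-brand prefix and length tables, which are omitted here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits. Constructed for this example; it is
# deliberately broad and relies on the Luhn check to reject most noise.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and, if the
    # result exceeds 9, reduced by 9 (equivalent to summing its two digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = "".join(c for c in number if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs found in `text`, masked, with offsets.

    Only masked values are returned so that a discovery report can be shared
    with an assessor without itself storing full card numbers.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        raw = m.group(0)
        if luhn_valid(raw):
            hits.append({"offset": m.start(), "masked": mask_pan(raw)})
    return hits


# Constructed sample log: two real-format (but publicly known test) card
# numbers, one number that fails Luhn, and a parcel tracking number that is
# the right length but is not a card number.
SAMPLE_LOG = (
    "2009-03-09 10:14:02 order=4471 card=4111 1111 1111 1111 amount=42.00\n"
    "2009-03-09 10:15:17 order=4472 card=4111111111111112 amount=13.50\n"
    "2009-03-09 10:16:40 ticket ref 5500000000000004 raised by phone\n"
    "2009-03-09 10:17:03 tracking 1234567890123 shipped\n"
)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"offset {hit['offset']:>4}: {hit['masked']}")
```

Running the block reports the two Luhn-valid numbers (the Visa and MasterCard test values) and ignores the mistyped number and the tracking number. In a real engagement the same `find_pans` function would be applied file by file across logs, databases dumps and backups, with the masked hits and their locations feeding the purge list for milestone one.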