Special Edition Lippis Report on Network Security, Issue 2: Security Best Practices for PCI Compliance

In this Lippis Report we offer industry best practices for Payment Card Industry (PCI) compliance for the mid-market commercial corporation. We will explain the benefits of PCI, the severe consequences of non-compliance enforced by the largest banks through fines plus increased transaction fees, and how to avoid them. PCI is a big issue for all corporations that transact business with credit cards. According to industry sources, "the average corporation under-budgets PCI by 40%." Who needs to worry about PCI? Any corporation that handles credit card information in any of three ways: 1) processes it; 2) transmits it; and/or 3) stores it. If your corporation does any one of the three, or all three, you need to be PCI compliant. Penalties for non-compliance are severe and are enforced by banks such as Visa, MasterCard, American Express and others through fees plus increases in transaction cost. For the mid-market, a doubling of the transaction fee charged by banks for non-compliance will have a large negative impact on profit.

Related podcast: Terry Quinn-Andry, Mid-Market Commercial Firms: Are You PCI Compliant?


The PCI Security Standards Council maintains the standard and certifications, but it is the large banks such as MasterCard, Visa, JCB, American Express, Discover, et al. that enforce PCI by issuing fines and higher transaction fees to those in non-compliance. The two heavyweight banks behind PCI are Visa and MasterCard. The first thing to notice is that PCI is industry regulated rather than government regulated. It is a worldwide standard that protects credit card information and provides, in essence, the Good Housekeeping seal with which safe businesses conduct transactions. But while PCI is worldwide, its standard varies between countries, with even the Canadian and US versions being markedly different. PCI applies to nearly every industry in the world economy. Any business that processes, transmits and/or stores cardholder data needs to be PCI compliant, and the deadline for mandatory compliance with its Data Security Standard (DSS) version 1.2, October 2008, is fast approaching. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Merchant Levels


Visa categorizes US merchants into levels. Level 1 merchants are big firms that process 6 million or more transactions per year, Level 2 merchants process between 1 and 6 million transactions, Level 3 merchants process between 20,000 and 1 million transactions, and Level 4 is everyone else. The PCI Security Standards Council issues updates to the standard that specify when a particular requirement must be met. For example, on June 30, 2008 the web application firewall requirement ceases to be merely a best practice and becomes mandatory: corporations must either deploy a web application firewall or undergo a regular source code review of all web applications. Note that to date less than 25% of Level 1 merchants are compliant; the other 75% have submitted an initial Report on Compliance. By September 30, 2008 Level 1 merchants need to be in compliance, while Level 2 merchants have until December 30, 2008. Asia has until December 2009, while European Level 2 and 3 merchants have until December 31, 2008. Bottom line: the compliance deadlines are coming fast.


PCI industry deadlines are mandatory, and if a corporation does not meet the requirement date the bank can start issuing fines. This pressures business and industry to adopt PCI. Previously the pressure fell on IT staff, who were caught between a rock and a hard place: executive management was reluctant to appropriate budget to address the requirement. So the PCI community took the hard-line approach of setting deadlines and estimating what fines would cost if the deadlines were not met. Overnight, PCI became a business-level issue because the fines would subtract from profits, pushing PCI forward by a large degree. Executive management realizes that PCI and security are something they can no longer avoid.

What is PCI?


The PCI data security standard is segmented into six categories with twelve requirements. They are:

Build and Maintain a Secure Network: There are two requirements under this category: 1) Install and maintain a firewall configuration to protect data; and 2) Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data: There are two requirements to comply with this category: 3) Protect stored data; and 4) Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program: There are two requirements to comply with this category: 5) Use and regularly update anti-virus software; and 6) Develop and maintain secure systems and applications.

Implement Strong Access Control Measures: To satisfy this PCI category there are three requirements: 7) Restrict access to data by business on a need-to-know basis; 8) Assign a unique ID to each person with computer access; and 9) Restrict physical access to cardholder data.

Regularly Monitor and Test Networks: Two requirements ensure that merchants regularly monitor and test their networks: 10) Track and monitor all access to network resources and cardholder data; and 11) Regularly test security systems and processes.

Maintain an Information Security Policy: There is one requirement to satisfy the security policy category: 12) Maintain a policy that addresses information security.


While the above provides six categories and 12 "headline" requirements, there are over 200 actual requirements when one dives into the PCI standard. PCI specifies in detail a large range of security IT: anti-virus, firewall, AAA, IPS, disk encryption, web application firewall, etc. PCI spans all these security technologies and more; there isn't any security technology left out of PCI. PCI was developed by some of the best IT security minds in the world, and this fact alone makes PCI the foundation of what a security best practice should be. Not that PCI is the end game for IT defense; compliance, like anything, is the lowest common denominator, but PCI delivers a solid foundation of security best practices that at least defines the first baseline for corporations to meet, since PCI specifies mandatory deployment of security IT.

For example, the PCI Security Standards Council may issue a page and a half explaining the firewall settings a corporation needs to deploy, which may include ingress and egress filtering, stateful firewalls, etc. For wireless deployments, corporations are required to implement a stateful firewall between the wireless AP and the card data. PCI details the security IT deployment required, and while the standard may be 17 pages long, it is written in plain English, providing more guidance than any government compliance regulation.
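As an added example that is not part of the report and not Cisco's own configuration, the nftables ruleset below shows what the wireless requirement above looks like once written down: a stateful, default-deny forward policy between an assumed wireless segment and an assumed cardholder-data segment, with a log line for denied traffic so that access to cardholder data is tracked as requirement 10 expects. The interface names and the RFC 5737 documentation addresses are assumptions chosen for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added illustration only; not from the Lippis Report or the Cisco validated architecture.
# Constructed topology (every name and address here is an assumption):
#   wlan0 - wireless segment where the store's wireless POS devices associate, 192.0.2.0/24
#   cde0  - cardholder-data segment holding the payment server 198.51.100.10
#   wan0  - Internet edge; the acquirer's gateway is assumed to live in 203.0.113.0/24
flush ruleset

table inet pci_segmentation {
    chain forward {
        # Default deny in both directions: a flat network with no policy between
        # the wireless side and the card data is exactly what the requirement forbids.
        type filter hook forward priority 0; policy drop;

        # Stateful tracking: only replies to flows accepted below are let through,
        # and packets that belong to no tracked connection are dropped outright.
        ct state established,related accept
        ct state invalid drop

        # Ingress to the cardholder segment: the single declared POS -> payment server flow.
        iifname "wlan0" oifname "cde0" ip saddr 192.0.2.0/24 ip daddr 198.51.100.10 tcp dport 443 ct state new accept

        # Egress from the cardholder segment: only the payment server, only to the acquirer.
        iifname "cde0" oifname "wan0" ip saddr 198.51.100.10 ip daddr 203.0.113.0/24 tcp dport 443 ct state new accept

        # Anything else entering or leaving the cardholder segment is logged and counted
        # (requirement 10) before the chain policy drops it.
        oifname "cde0" log prefix "pci-cde-denied: " counter
        iifname "cde0" log prefix "pci-cde-denied: " counter
    }
}
```

Loading the file with `nft -f` replaces the running ruleset, so on a real gateway the remaining (non-cardholder) segments need their own rules in the same file.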

The PCI standard is a living standard. There is a large PCI standard revision due out in October 2008. PCI was first published in January 2005, and was updated September of 2006, with significant changes to support WLANs. PCI is not a standard that is implemented and then forgotten; it will be with businesses for as long as transactions are conducted with credit and debit cards and scanners.

Compliance Validation


The PCI Security Standards Council (SSC) requires validation of compliance. Each of the merchant levels mentioned above must meet the same 12 PCI requirements, but how compliance is validated differs. For example, a Level 1 merchant is required to have an annual onsite PCI data security assessment conducted by a PCI Qualified Security Assessor (QSA) from an independent company. Level 1 merchants also need to conduct quarterly network scans. Levels 2 through 4 are required to conduct quarterly network scans and annual self-assessments. While it is not mandatory for Level 2 through 4 merchants to conduct an onsite audit, it is highly recommended that they do so to ensure compliance, assess vulnerabilities and avoid fines. At a minimum, Level 2 through 4 merchants have to have a quarterly network scan performed by a scanning vendor certified as an Approved Scanning Vendor (ASV).

The PCI SSC is responsible for training and certifying QSA and ASV individuals and firms. QSA and ASVs have to pass a certification program to perform audits and scans. For PCI to work, the division of labor is that the PCI SSC defines and maintains the standard, trains and certifies QSA and ASVs while banks enforce PCI.

Getting into Compliance

As PCI details specific security IT solutions, all vendors of such products and services have offered PCI programs. As a network scan is required for all firms, networking vendors are in a particularly influential PCI position. Some networking concerns such as Cisco have developed a PCI validated architecture and a services group to perform vulnerability identification, gap analysis and solution suggestions. Cisco is also a participating organization on the PCI council.

PCI can be a tricky standard. The standard itself is written in English and fairly easy to understand. Then the standard needs to be translated into security products with specific configurations to defend transaction data and be PCI compliant. The translation from English to device selection and configuration is left to interpretation. To address this, Cisco has developed a PCI validated architecture.

Cisco PCI Validated Architecture

Cisco built an architecture made up of three remote location scenarios, an Internet edge where e-commerce is conducted, and a data center, which together offer a best practice for PCI validation. The security and wireless architecture was developed according to the spirit of PCI and in many cases went beyond PCI, in keeping with security best practices. Cisco used partners, as no single company can address all PCI requirements. Cisco's PCI validated architecture includes point of sale, application servers, wireless devices, Internet connection, security systems, etc., with retail partners such as IBM, Wincor Nixdorf, NCR, Intermec, VeriFone and others. RSA provides key management, two-factor authentication and encryption. Once the PCI validated architecture was built, Cybertrust performed an audit of the technology components of the standard to validate compliance. The way Cisco has deployed the technology in the architecture meets PCI requirements. Cisco and its partners offer a PCI guide to how best to deploy security technology, configure devices, monitor systems and implement authentication management to meet PCI compliance.

Merchants can use the architecture as a guide to review security device selection, placement, configuration, etc. The Cisco PCI solution for retail is an end-to-end architecture that includes firewalls, IPS, CSA, server access, web application firewall, VPN, wireless LANs, Ethernet switching and routing, a wide range of retail end-points, transport options, etc. This architecture provides views of a retail store, data center, server access, internet edge, storage and remote access for partners, customers and teleworkers.

What you find with PCI is that compliance with its twelve requirements means that a merchant needs to distribute security technology throughout the enterprise: remote locations, Internet edge, main offices and network management center(s). PCI forces merchants to view IT security as a holistic, consistent approach rather than a box-by-box or requirement-by-requirement knee-jerk reaction to threat mitigation. The piecemeal approach will not work.

Small Private Firms Need To Be PCI Compliant Too

One thing to keep in mind is that PCI is not just a big-company issue. It is systemic throughout the economy and is required for all firms that process credit card information. Small firms need to be PCI compliant too, even privately held family-owned companies such as restaurants. While this may be a burden for smaller firms, and many will be reluctant to invest in PCI compliance, they unfortunately no longer have a choice. To put this into perspective, smaller firms face the same requirements, but their spend will be much smaller than that of larger firms, as the more complex a business is, the more it tends to cost to secure.

Smaller firms may be more vulnerable too, especially privately owned firms, as compliance has never been important to them. Typically small commercial enterprises haven't had to participate in Sarbanes-Oxley or other government regulations. Their security concerns have been primarily physical security and theft.

PCI is increasingly important to the healthcare industry too as their business is changing. Patients pay their insurance co-pay with credit cards and at times their entire medical bill. Many healthcare institutions are requiring self-registration versus the typical interview process that occurs during hospital admittance. These two processes and others are pulling the healthcare industry into PCI.

Recommendations

We provide the following recommendations for those responsible for PCI compliance within commercial establishments.

Systems Approach: Think in terms of a holistic and distributed approach to security versus a box-by-box or requirement-by-requirement approach.

All Should Do Audits: Level 2 through 4 firms should perform audits at least twice a year and scan their networks once a quarter, as required. Even if your firm does not support WLANs, you still have to scan for wireless access points to ensure that none has created a network breach. Audits and scans should mitigate this potential breach and others.

Security Gap Analysis: Perform a PCI security gap analysis to identify vulnerabilities before the audit so that either a remediation analysis can be performed to gain compliance or to ensure that your firm is compliant. Consider an annual gap analysis as firms are required to re-certify PCI compliance every year.

Quarterly Health Check: Consider a quarterly health check to ensure that configuration changes made during the quarter do not change conformance status. If a breach occurs, a bank will backdate its fines to the time of the breach if the firm was not in compliance when the breach occurred. It is important to document at regular intervals that the firm is in compliance, so that compliance can be demonstrated if a breach event occurs.

Auditor With Security Competence: Consider PCI auditors who started out in security practice and then moved into auditing, as they will possess the competency to analyze security systems and work with you to address shortfalls. Beware: there are many auditors who started auditing without security practice experience. These auditors are usually equipped with a checklist rather than competence, and they are usually the ones who inform management of a need for ten different products to meet all of the checklist requirements when in reality a single device may be all that is required.

When it comes down to it, PCI is about protecting customers and customer information. Being PCI compliant signals to customers that the establishment cares enough to protect customer privacy. This in turn protects the establishment's reputation and signals to customers that they are conducting business with a safe establishment. PCI is good for building brand, customer loyalty and an improved customer experience.
