Lock Down Applications for PCI DSS Compliance
The Payment Card Industry Data Security Standard requires merchants and transaction processors to protect customer data, and firewalls play a major role in the process.
By Matt Sarrel, CISSP, contributing editor at Ziff Davis Enterprise, and Michael Steinhart, senior editor at Ziff Davis Enterprise
Executive Summary
Credit card fraud is not a new phenomenon. However, e-commerce has ushered in an era in which data theft can be carried out on a global scale. Just as companies processing credit card information could not protect consumers in the world of paper receipts, they lack the skills to do so in the electronic age. To make matters worse, as the raw number of card-based transactions conducted online has increased, card issuers are feeling the sting of the accompanying rise in online credit card fraud.
To cut down on fraud and increase consumer protection, a consortium of payment card brands collaborated to develop the Payment Card Industry Data Security Standard (PCI DSS), which requires companies to protect cardholder data during storage, processing, and transmission. PCI DSS is built on established infrastructure and information security principles, beginning with network- and application-layer firewalls. Secure Computing's award-winning Sidewinder® appliance can meet the needs of any company required to comply with PCI DSS.
Introduction
Over the last 15 years, e-commerce has proliferated rapidly, bringing an explosion of online financial transactions processed around the world. Almost all online transactions involve credit or debit cards. Whether the cards are used to buy video games, food, services, or vacations, they have become an integral part of online commerce. However, along with the increased use of cards for online transactions come increased opportunities for criminals to exploit vulnerabilities in merchant networks. As threats to consumer information grow, identity theft is increasing and consumers are losing confidence in the ability of businesses, especially online businesses, to protect their identities and card data. The US Federal Trade Commission (FTC) fielded over 650,000 complaints in 2004, 680,000 in 2005, and 670,000 in 2006; roughly 35 percent of these complaints were related to identity theft. Considering that these figures are a mere fraction of the total number of identity thefts, they do not paint a pretty picture for the protection of the American consumer's personal financial information, especially since many of the reported cases resulted from breaches of credit card data.
Credit card fraud and identity theft concern not only online consumers but also businesses. The cost of notifying customers of a data breach and cleaning up the mess can run as high as $150-$300 per customer. In 2006, breaches cost American businesses over $5 billion, and businesses in the UK lost over £1.7 billion. One of the highest-profile data breaches came early in 2007, when the TJX Companies reported a hole that gave hackers access to as many as 94 million customer records. The breach cost the company an estimated $140 million. These expenses caused the firm's second-quarter profits to fall 14 percent; had they not been incurred, profits would have risen 31 percent.
To combat this trend, PCI compliance was instituted in 2005, when Visa, MasterCard, American Express, Diners Club, Discover, and JCB collaborated to create a new set of standards intended to prevent credit card fraud. The PCI DSS was born, and all merchants and service providers that handle, transmit, store, or process payment card data or related information are expected to comply with the 12 requirements laid out in the standard.
Businesses that do not comply can face monetary penalties, an increase in card-processing fees, and/or termination of their card-processing privileges. Fines for non-compliance can run as high as $25,000 a month, and service penalties can cost card processors even more. For smaller companies, these costs can be devastating; and some larger companies, unfortunately, find it cheaper to pay the penalties than to comply with the standard, according to an August 2006 report from the IT Compliance Institute.[1]
... an approach that will help companies reduce risk, and they ought to be in place across all industries. However, the PCI DSS does not go into e...