
PCI: How to Safeguard Your Customer's Data Against Threats

By: netForensics
Published: Nov 19, 2007
Length: 7
Type: White Paper
Overview :

As incidents of identity theft and fraud skyrocket, companies are scrambling to keep up with complex attacks and effectively safeguard consumer information. If you store, process, or transmit cardholder data, comprehensive visibility, actionable intelligence and the ability to respond rapidly to threats have become paramount.

This whitepaper discusses how new security information and event management technologies can enable these mission-critical activities and assist in managing some of the most complex and difficult-to-manage requirements in the PCI DSS.

Related Categories: Compliance, Data Protection, Database Security, Information Management, Internet Security, PCI Compliance, Security

Incidents of ID theft and payment card fraud have skyrocketed in the last two years. Organizations that process card transactions and/or store payment information are scrambling to keep up with these attacks and effectively safeguard consumer information. To assist in that effort, the card associations updated the Payment Card Industry (PCI) Data Security Standard in 2006. VISA, MasterCard, Novus and American Express collaborated in developing the PCI DSS to ensure a consistent approach to protecting consumers’ sensitive data. By adhering to this security standard, retailers, service providers and allied organizations can dramatically reduce the vulnerabilities that are easily exploited for the purpose of compromising corporate data.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with payment card account data. It is intended to help organizations proactively protect account data. All merchants doing business with VISA, MasterCard, Novus, American Express and other association members, regardless of the annual transaction volume, are required to follow the standard, or face substantial fines levied by the card associations.

However, adhering to the standard is often easier said than done. PCI contains a fairly comprehensive set of technical, physical and administrative requirements. Implementing a compliance program and maintaining a strong security posture capable of warding off attacks has proved to be a significant challenge for a majority of affected organizations. Gathering information for self-assessments and preparing for third-party audits only increases the workload of the IT staff. Many affected organizations lack the performance measurement capabilities and validation processes necessary to prove compliance and appropriate diligence in managing cardholder information.


Introduction: Update on the PCI Standard

In September 2006, the PCI Security Standards Council assumed ownership of the PCI DSS, and is now responsible for its management and dissemination. However, the card associations still remain active in providing content and input into the standard. PCI SSC revised and strengthened the PCI Data Security Standard, and version 1.1 was released in September 2006.

PCI DSS applies to merchants, acquiring banks, issuing banks, payment processors and other allied service providers that process, store, transmit and/or dispose of consumer card information. The target for PCI is the cardholder data environment, which is typically a subset of the corporate computing environment, and specifically defined within the standard as “…any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.”

Although there were a number of changes from the original version of the standard, the majority of them were editorial in nature. For example, the use of the terms cardholder data and sensitive authentication data was made consistent, the terms must and should were normalized, and certain examples, such as strong cryptography, were moved from the body of the standard to the glossary section. A number of clarifications were added for items such as key rotation, wireless protocols and open networks. The final classes of changes were few, but more substantive, including:

- Clause 6.6 – Addition of a requirement for application code review or application firewall.

- Clause 12.10 – Addition of a requirement for a policy to manage connected entities, including maintaining a list, implementing appropriate due diligence, ensuring connected entities are PCI DSS compliant, and having an established process to connect and disconnect entities.

- Appendix A – Addition of Appendix A – PCI DSS Applicability for Hosting Providers. Establishes requirements for providers that host merchant and service provider clients.

- Appendix B – Addition of Appendix B – Compensating Controls. Defines compensating controls in general and discusses compensating controls when stored cardholder data cannot be rendered unreadable.
