Extrapolating from a survey of 4,900 adults, the U.S. Federal Trade Commission’s (FTC) Identity Theft Survey Report estimated that approximately 8.3 million American consumers discovered in 2005 that their personal information had been used to open fraudulent bank, credit card or utility accounts, or to commit other crimes. The FTC also received more than 670,000 consumer fraud and identity theft complaints, of which 36% were identity theft complaints and 64% were related to other types of fraud. Consumers reported losses of more than $1.1 billion from fraud. Credit card fraud was the most common form of reported identity theft at 25%, followed by phone or utilities fraud (16%), bank fraud (16%) and employment fraud (14%). Many of these cases could have been mitigated or prevented if the proper processes, network management systems and technologies had been in place. In response to this alarming trend, a consortium of companies—MasterCard, VISA, American Express, Discover and JCB—established data security measures for merchants, banks and service providers. The Payment Card Industry Data Security Standard (PCI DSS, often referred to as PCI) is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI DSS addresses both technical and administrative weaknesses, specifically those affecting sensitive cardholder data, and lists requirements companies must meet to minimize the impact of those vulnerabilities on security. The goal of PCI is to improve data protection strategies so that consumers can swipe their credit cards with more confidence that the confidentiality of their information will not be compromised. PCI also creates an open security standard for the protection of cardholder data that is achievable by all merchants.
Core Principles

The PCI standard requires continuous validation of security efforts, so companies complying with PCI DSS can’t simply implement solutions and then forget about them. Ensuring Payment Card Industry (PCI) compliance requires an understanding of data storage and encryption requirements, device integration considerations, and logging and reporting parameters for distributed networks. Organizations typically address the PCI requirements through centralized management of security rules and policies across a distributed environment, real-time monitoring and logging, and historical compliance reporting. Companies tend to have more success achieving compliance when PCI DSS is coordinated with corporate business processes. Integrating the DSS with corporate security standards ensures that security controls are rigorously enforced and remain consistent with PCI requirements. Such coordination also contributes to more cost-effective auditing, a stronger enterprise security profile and a more streamlined and reliable IT infrastructure that can deliver better service while incurring less risk. Implementing the PCI DSS also leads the way to improving business processes and enterprise information security operations. To recognize these opportunities and take advantage of them effectively, it’s important to understand the challenges PCI compliance poses.

Challenges

Obviously, complying with PCI does pose several challenges. Typical weaknesses include inconsistent encryption, unsecured networks, lack of consistent assessment and inadequate logging of network activity. Companies often assume that because they’re already compliant with Sarbanes-Oxley or HIPAA requirements, they are also PCI-compliant. However, that often is not the case, and they discover, too late, that the standards they have in place are not PCI-compliant.
The most frequently cited reasons for failed PCI audits, which are also the top challenges for organizations attempting to pass one, include storage of prohibited data (CVV2, PIN, etc.), vendor default settings and passwords, poorly coded Web-facing applications (e.g., susceptibility to SQL injection), unnecessary and/or vulnerable services and servers, weak encryption and unprotected user access, poorly managed track data, inadequate audit and enforcement of policy and password rules, and inadequate lock-down of mobile and wireless systems. The PCI Security Standards Council will continue to enhance the PCI guidelines as necessary to ensure that the standard includes any new or modified requirements needed to lessen emerging payment security risks while encouraging wide-scale adoption. There’s already plenty of talk in the industry about the revised PCI DSS standard due out by the end of 2008.
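Two of the audit failures listed above, storage of prohibited data (CVV2) and poorly managed track data, often show up first in application logs rather than in the database. The following script is an added example, not code from the original article or from the PCI Security Standards Council: it scans constructed log lines for full card numbers, CVV2 values and magnetic-stripe track data, uses a Luhn check so that ordinary reference numbers are not flagged, and redacts what it finds by masking PANs to the first six and last four digits. The log format, field names (pan=, cvv2=, track=) and sample values are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from any real system). Line 1 stores a
# full PAN and a CVV2, line 3 stores full magnetic-stripe track data; both are
# prohibited under PCI DSS. Line 2 shows an acceptably masked PAN and line 4 a
# 14-digit reference number that is not a card number and must not be flagged.
SAMPLE_LOG_LINES = [
    "2008-05-01T10:15:02 order=1001 pan=4111111111111111 cvv2=123 amount=19.99",
    "2008-05-01T10:15:09 order=1002 pan=411111******1111 amount=5.00",
    "2008-05-01T10:16:44 order=1003 track=%B4111111111111111^DOE/JOHN^1212101? amount=7.50",
    "2008-05-01T10:17:00 order=1004 ref=12345678901234 amount=42.00",
]

# 13-19 consecutive digits not adjacent to other digits: a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 1 data: start sentinel %B, PAN, ^NAME^, expiry/service code, end sentinel ?.
TRACK_DATA = re.compile(r"%B\d{13,19}\^[^?]*\?")
# A card verification value written as a key=value field (assumed field names).
CVV2_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?)=(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PAN candidates found in the text."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> Dict[str, List[str]]:
    """Report every class of prohibited data present in one log line."""
    findings: Dict[str, List[str]] = {}
    pans = find_pans(line)
    if pans:
        findings["pan"] = pans
    tracks = TRACK_DATA.findall(line)
    if tracks:
        findings["track"] = tracks
    cvv = [m.group(2) for m in CVV2_FIELD.finditer(line)]
    if cvv:
        findings["cvv2"] = cvv
    return findings


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one record per offending line, with its 1-based line number."""
    report = []
    for n, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings:
            report.append({"line": n, "findings": findings})
    return report


def redact_line(line: str) -> str:
    """Remove track data and CVV2 entirely; mask PANs to first six / last four."""
    line = TRACK_DATA.sub("[REMOVED]", line)
    line = CVV2_FIELD.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), line
    )


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG_LINES):
        print("line %d: %s" % (entry["line"], sorted(entry["findings"])))
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

Run as a periodic job over log directories, the scan report is evidence for the audit-and-enforcement requirement, and the redaction shows what a log filter should have done at write time: the durable fix is never to log these fields at all, with the scanner left in place to detect regressions.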