With many retailers just beginning to look at Payment Card Industry Data Security Standard (PCI DSS) compliance, some security vendors say merchants might have to look beyond the guidelines to be truly secure.
Under PCI DSS, every company that accepts credit cards must comply with 12 requirements, including maintaining a secure network with firewalls, encrypting cardholder data and enforcing strong access control. The standard was developed by the major card brands to unify the protection of card data; before PCI DSS, each card company had its own set of requirements. Visa Canada said compliance deadlines for its customers passed on December 31, 2005, and most other card companies' deadlines have also come and gone. Penalties for noncompliance range from large fines to losing the ability to accept card transactions.
Recent data from Visa USA indicated that two-thirds of the largest merchants and almost half of medium-sized retailers are now PCI compliant. But with those numbers still well below PCI DSS targets, and with new threats emerging almost daily, many security vendors are focusing more on protecting card data.
“What you find today with many of the retailers is they are mostly using anti-virus or signature-based technology, meaning they assume that security vendors are familiar with all these threats and hold the signatures necessary to detect them,” Yuval Ben-Itzhak, CTO of Web security provider Finjan, said. “The trouble is the threat landscape doesn’t look like this anymore as hackers are now using anti-forensic technologies to go undetected with these signature-based technologies. We are specifically familiar with dozens of trojan horses that have been installed in retailers that we’ve audited, sending out stolen data.”
Finjan said its Vital Security Appliance scans code in real time at the gateway and blocks malicious code immediately, which the company says assures PCI compliance for credit-card processing on Web applications. A gateway appliance on its own, however, addresses only a part of the 12 requirements; the rest still has to be covered by the merchant's own processes and controls.
“Taking PCI forward, compliance with the requirements doesn’t guarantee that you’re going to be secure, it just sets the minimal standard that will indicate that you’re doing something to protect data,” Ben-Itzhak said. “But, these minimal requirements are very far from where the threats are today and that’s why additional layers of security are required to protect, going above and beyond the standard to match the threats that we see today in the Internet.”
For more traditional "brick and mortar" retailers, the threat from sophisticated attacks is just as real. Earlier this month, Visa USA imposed $880,000 in fines on Cincinnati-based Fifth Third Bank, which processes most of the credit card transactions for the Framingham, Mass.-based retail chain TJX. Court papers filed earlier this week in a class-action lawsuit brought by a group of U.S. banks put the number of payment cards compromised in the breach of TJX's systems at about 94 million.
“With these types of breaches occurring, it clearly sends shockwaves to the C-level offices, who are now reaching out to their security or risk management people to make sure their company is covered,” said Joe Lindstrom, senior director of compliance consulting at Symantec. “The last place they want to be is the next organization that’s on the cover of the Wall Street Journal.”
Symantec's PCI compliance management service, which includes on-site security audits, assessments and advisory services, is aimed at educating retailers and service providers about the ongoing process of achieving and maintaining compliance.
"This is really an ongoing relationship with the client to provide periodic checkpoints, demonstrate evidence and to provide best practices," Lindstrom said. "If you look at PCI, it's not a one-time event, but rather a combination of embedding really good security practices, deploying a certain set of technologies and then demonstrating evidence of that security." Whether the PCI standard is detailed enough, or too detailed, is the subject of much debate. The typical security professional, Lindstrom said, would argue that there is not enough meat in the standard, while others would say it is too prescriptive in nature.
“There’s going to be a fair amount of middle ground that will happen in the next iteration of PCI that provides clarification,” Lindstrom said. “The standard affects more than 10 million merchants around the globe, so you have to provide a certain level of understanding and direction for organizations. Plus, the vast majority of the smaller retailers have very little security knowledge, so the guidelines have to address that aspect.”
One of Symantec's biggest rivals, McAfee, agreed. According to Daniel Molina, security evangelist and strategist at McAfee, retailers should use PCI as a springboard, rather than as gospel, for implementing better security processes.
“The last set of PCI guidelines came out a year ago, but it’s still heavily laden with legacy technology from four or five years ago,” Molina said. “We are working with Visa to strengthen the standards because having technology, in and of itself, is not sufficient. You need the people, processes and technologies to protect cardholder data.”
Molina said much of PCI is broadly defined, which means that managing the flow of cardholder data, training staff and the overall process are crucial to security. McAfee said its Easy PCI Plan gives retailers the ability to become compliant and, more importantly, to stay compliant.