“Just when retailers thought they’d mastered payment card security, the rules changed.” This was the sentiment expressed by many grumbling IT executives when the Payment Card Industry Security Standards Council (PCI SSC), Wakefield, Mass., announced that updated requirements, Version 2.0, for PCI Data Security Standards (DSS) would go into effect Jan. 1, with implementation required by the end of this calendar year.
Ironically, many retailers mistakenly thought once they were validated as PCI DSS compliant they had achieved the Holy Grail of payment card data security.
In fact, the 2010 Payment Card Industry Compliance Report produced by Verizon, Basking Ridge, N.J., revealed that only 22% of organizations were compliant with PCI DSS on their initial review in 2009.
Rather than a function of changing requirements, the disconnect for those that had received validation in 2008 but did not achieve it at the initial report in 2009 occurred primarily because companies failed to maintain the standards or follow through with necessary tests and monitoring.
As the Verizon report aptly defined: “Compliance is a continuous process of adhering to the regulatory standard. Validation on the other hand is a point-in-time event. An organization may be able to pass validation in order to ‘achieve compliance’ but become lax about maintaining the degree of security the standard is designed to provide over time.”
Reinforcing that PCI DSS is ultimately about security, not compliance, Bob Russo, general manager of the PCI SSC, stated: “If your data is truly secure, then you will be compliant — but just because you were compliant, doesn’t mean you are [still] secure.”
The real purpose behind version 2.0 of PCI DSS is to help merchants both achieve and maintain security. Russo noted that the latest version of DSS is simply a reflection that the standard is maturing and any changes were minimal, primarily for clarification or additional guidance intended to promote better understanding.
The one area where a requirement “evolved” is the need to identify vulnerabilities and rank them according to risk. However, this new-and-expanded requirement, covered in section 6.2 of PCI DSS, comes with an additional grace period: ranking vulnerabilities is defined as a “best practice” until June 30, 2012, at which time it becomes a PCI DSS requirement.
With regard to ranking vulnerabilities, Russo stressed that a one-size-fits-all plan does not apply. Risk-based assessments and rankings must be based on each organization’s specific business circumstances.
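To make the “no one-size-fits-all” point concrete, the following added example (not from the article, the PCI SSC or Verizon) ranks the same set of scanner findings under two hypothetical organisational risk profiles. The vulnerability identifiers, severity scores and weighting factors are all constructed for illustration; a real program would derive the multipliers from the organisation’s own scoping and threat assessment.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One finding from a vulnerability scan (constructed sample, not a real CVE)."""
    id: str
    severity: float        # technical base score as a scanner would report it, 0-10
    in_cde: bool           # affected system stores, processes or transmits cardholder data
    internet_facing: bool  # reachable from the public Internet
    asset: str


@dataclass(frozen=True)
class RiskProfile:
    """Organisation-specific weighting. These numbers are illustrative assumptions."""
    name: str
    cde_multiplier: float       # how much more a flaw inside the cardholder data environment matters
    internet_multiplier: float  # how much more an externally reachable flaw matters
    high_threshold: float       # score at or above which the finding is ranked "high"


def risk_score(v: Vuln, p: RiskProfile) -> float:
    """Business-context-adjusted score: base severity scaled by where the asset sits."""
    score = v.severity
    if v.in_cde:
        score *= p.cde_multiplier
    if v.internet_facing:
        score *= p.internet_multiplier
    return round(score, 2)


def rank(vulns: list[Vuln], p: RiskProfile) -> list[tuple[str, float, str]]:
    """Return (id, score, tier) tuples, highest risk first, tiered against the profile threshold."""
    scored = [(v.id, risk_score(v, p)) for v in vulns]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(vid, s, "high" if s >= p.high_threshold else "standard") for vid, s in scored]


# Constructed sample findings: same three flaws for both organisations.
SAMPLE_VULNS = [
    Vuln("V1", 7.5, in_cde=True, internet_facing=False, asset="store POS back-office server"),
    Vuln("V2", 6.0, in_cde=False, internet_facing=True, asset="public marketing web site"),
    Vuln("V3", 9.0, in_cde=False, internet_facing=False, asset="internal HR application"),
]

# Two hypothetical profiles: a store chain whose card data lives on POS systems,
# and an online retailer whose exposure is dominated by Internet-facing assets.
STORE_CHAIN = RiskProfile("store chain", cde_multiplier=2.0, internet_multiplier=1.2, high_threshold=12.0)
ECOMMERCE = RiskProfile("e-commerce", cde_multiplier=1.5, internet_multiplier=2.0, high_threshold=12.0)

if __name__ == "__main__":
    for profile in (STORE_CHAIN, ECOMMERCE):
        print(profile.name)
        for vid, score, tier in rank(SAMPLE_VULNS, profile):
            print(f"  {vid}: {score:5.2f}  {tier}")
```

Run as a script, the store chain ranks the POS finding V1 first and marks it high, while the e-commerce profile pushes the Internet-facing V2 to the top instead; the raw scanner severity alone (V3 highest) would have led both organisations to the wrong priority.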
In addition to identifying and prioritizing potential vulnerabilities, another critical review retailers should undertake is “scoping” to identify where all cardholder data reside within their enterprise.
“Retailers have found sensitive payment card data in places where they had no idea it might be,” Russo explained. “In fact, one of the biggest retailers found credit card data in its HR files.”
Understanding vulnerabilities within the enterprise is imperative, but it is also worthwhile to recognize the most common criminal activities and the primary sources of threats.
The Verizon report, which was based on findings from PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors in 2008 and 2009 and included approximately 200 post-breach assessments, identified the most prevalent attack methods used to compromise payment card data. Based on the Verizon research, malware and hacking accounted for 25 percent of attacks, SQL injection accounted for 24 percent, and exploitation of default or guessable credentials was the culprit in 21 percent.
The report concluded that PCI DSS requirements “address the most common attack methods used to capture cardholder data,” and across several requirements “multiple layers of controls exist.” According to Verizon’s assessment, organizations that experienced a breach of payment card data were 50% less likely to be compliant with PCI DSS standards.
“We hope this report will help organizations approach PCI compliance in a more informed and effective way,” said Peter Tippett, VP technology and innovation at Verizon Business. “Our findings demonstrate that adherence to PCI DSS requirements can help organizations deter, prevent and detect likely security threats.”
Similarly, the 2010 Global Security Report produced by Chicago-based Trustwave Spider Labs underscored the need for securing payment card data. Trustwave, which conducts investigations into data breaches, primarily on behalf of the five major credit card companies, performed more than 200 security investigations in 2009.
According to Trustwave, a whopping 98% of the security breaches they investigate involve incidents with payment card data. In terms of assets or entry points targeted, software POS systems were breached most frequently, representing 83% of the incidents, presumably because POS systems presented the easiest opportunity for criminals. E-commerce systems were breached in 11% of the Trustwave cases.
Another red flag for retailers is that in 81% of the Trustwave cases a third-party vendor or products supplied by a third-party vendor introduced vulnerabilities that led to breaches.