PCI council ranks security risks, milestones

PCI council devises a 12-step program for meeting security standards.

Businesses shouldn't let financial pressures put PCI-security compliance on the back burner, and the PCI Security Standards Council has devised a 12-step program to help merchants get there.

"Now is the time to be even more vigilant," says Lib De Veyra, the new chairman of the council who is vice president of emerging technologies for JCB International Credit Card Co., one of the five companies that make up the PCI Security Standards Council. "It's the time for criminals to step up their games."

To help with that challenge, the council is about to introduce a prioritized list of its standards set down as milestones to be reached in order, with each milestone ranked so the most critical security measures are implemented first.

The goal is to guide businesses down the path to compliance with the payment card industry data security standards that have been set up to prevent loss of sensitive personal information such as credit card numbers and PINs.

The prioritized list, which is scheduled to be released next month, can help businesses that may be having trouble getting started figure out what to do first, De Veyra says.

It also gives banks that sponsor use of payment cards a way to know that businesses have made progress even if they aren't yet fully compliant. Currently, businesses are ranked as either compliant or not, De Veyra says.

At the top of the priority list is getting rid of unnecessary sensitive data so if the system is compromised, there is no sensitive data to steal. "This will reduce the impact of a breach," he says.

The second milestone is to harden perimeter security by such means as tightening firewall rules and locking down wireless access points.

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he's never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach.

As a way to further encourage compliance, the council is sponsoring training for merchants that want to prepare for the evaluation of their PCI compliance by qualified security assessors (QSA). The intent of the two-day program is to give merchants a better understanding of the standards as well as a glimpse of what the QSA looks for during an assessment. "They'll understand the perspective of the QSA so they are better prepared," De Veyra says.

The training session will be held in Chicago April 6 and 7. Other sessions will be scheduled in other locations, Russo says.

Also next month the council will issue two new standards for hardware components used in payment-card processing.

The unattended payment terminal standard sets down the specifications that these terminals must meet in order to gain certification from the PCI council. Automated Teller Machine debit card terminals and self-serve gas pumps fall into this category.

The standard would ensure that credit card data is inaccessible should someone break into one of the machines. The council has already set a standard for attended terminals such as point-of-sale gear in retail stores.

The second standard is for host security modules, which are components of a variety of payment terminals that secure, for example, encrypted PIN pads, so that if the pads are broken into, access to the sensitive data in them is disabled.

The PCI Council has eight laboratories worldwide that do the certification testing for equipment standards.

In June the board is scheduled to receive recommendations from a study commission looking into what changes should be made in the next version of the PCI standards, which are scheduled to go into effect in October 2010. The council will seek feedback on the recommendations starting in June.

Revisions are intended to make the standards more robust, Russo says. For example, encrypting traffic end-to-end might become part of the standard, and if it is implemented by a merchant, that compliance might eliminate the need to comply with some other aspects of the standards, he says.

The PCI council is also taking nominations to fill 14 of the 21 seats on its board of advisers. The other seven are chosen by the council to provide a better distribution of members among geographic locations and vertical markets than might be the case with a popularly elected board.
