Payment Card Industry (PCI) update

Credit card losses to fraud adds up to about $3 Billion per year, depending on who you ask. So we can understand the concern on the part of financial service companies and the need for the Payment Card Industry Data Security Standard (PCI DSS, usually referred to as just PCI; official documents here).

But the huge credit card companies -- Visa, MasterCard, American Express, Discover, and JCB -- haven't done their job well and are forcing new rules on the wrong end of the transaction pipeline. That said, the rules are, for the most part, good security guidelines that businesses should be following anyway. Rarely do we see a bad idea lead to good results.

According to the book Geekonomics by David Rice, the PCI rules are a way for the financial giants to stave off government regulations. After losing more than a 100 million credit card records in 2006, one would think Congress would try to “help.”

The credit card industry swears it can self-regulate, and says it is in a better position than most to do so. After all, if your business is sloppy with credit card data, the card companies can cut you off and effectively put you out of business. They almost never, never do that, of course, because it's bad for business. But at least now they're forcing vendors making card transaction software to tighten up, says Computerworld.

PCI also forces any business taking credit cards, no matter how small, to become security experts. That t-shirt kiosk in the mall? Same security rules apply to it as to the Sears store down the way. Since t-shirt vendors rarely can judge the security of firewalls, operating systems, and transaction processing software, they're at the mercy of the security companies.

But many of the rules should be followed by every business. Scott Goessling of Blue Pay, a card processing service, created an understandable version of the PCI rules and gave me a copy. I don't see a copy on its Web site, but I bet if you send a note you'll get one via e-mail.

Jesper Jurcenoks, CTO of NetVigilance, a network vulnerability testing company, says 60% of businesses fail their PCI audit for one reason: they have no information security policy written down. So grab some paper and start from the basics, like “lock the door at night.” Then detail who can access data, define daily operational security procedures, and keep writing down policies.

If you don't have a security policy, it's tough to fire an employee who violates your security. While normal people may understand snooping on other employee's computers is wrong, courts full of lawyers may disagree. A written policy closes that type of loophole.

The first rule from PCI is to build and maintain a secure network. Well, that's easier said than done, isn't it? You can buy the best firewalls and servers, yet the news tells us companies with those systems in place get hacked regularly. At least you control changing passwords from vendor defaults and use secure remote connections, which is part two of the first rule.