Payment Card Industry (PCI) update

PCI looking the wrong way, but rules will help everyone.

Credit card losses to fraud add up to about $3 Billion per year, depending on who you ask. So we can understand the concern on the part of financial service companies and the need for the Payment Card Industry Data Security Standard (PCI DSS, usually referred to as just PCI).

But the huge credit card companies -- Visa, MasterCard, American Express, Discover, and JCB -- haven't done their job well and are forcing new rules on the wrong end of the transaction pipeline. That said, the rules are, for the most part, good security guidelines that businesses should be following anyway. Rarely do we see a bad idea lead to good results.

According to the book Geekonomics by David Rice, the PCI rules are a way for the financial giants to stave off government regulations. After losing more than 100 million credit card records in 2006, one would think Congress would try to “help.”

The credit card industry swears it can self-regulate, and says it is in a better position than most to do so. After all, if your business is sloppy with credit card data, the card companies can cut you off and effectively put you out of business. They almost never, never do that, of course, because it's bad for business. But at least now they're forcing vendors making card transaction software to tighten up, says Computerworld.

PCI also forces any business taking credit cards, no matter how small, to become security experts. That t-shirt kiosk in the mall? Same security rules apply to it as to the Sears store down the way. Since t-shirt vendors rarely can judge the security of firewalls, operating systems, and transaction processing software, they're at the mercy of the security companies.

But many of the rules should be followed by every business. Scott Goessling of Blue Pay, a card processing service, created an understandable version of the PCI rules and gave me a copy. I don't see a copy on its Web site, but I bet if you send a note you'll get one via e-mail.

Jesper Jurcenoks, CTO of NetVigilance, a network vulnerability testing company, says 60% of businesses fail their PCI audit for one reason: they have no information security policy written down. So grab some paper and start from the basics, like “lock the door at night.” Then detail who can access data, define daily operational security procedures, and keep writing down policies.

If you don't have a security policy, it's tough to fire an employee who violates your security. While normal people may understand snooping on other employees' computers is wrong, courts full of lawyers may disagree. A written policy closes that type of loophole.

The first rule from PCI is to build and maintain a secure network. Well, that's easier said than done, isn't it? You can buy the best firewalls and servers, yet the news tells us companies with those systems in place get hacked regularly. At least you control changing passwords from vendor defaults and use secure remote connections, which is part two of the first rule.

PCI also feels the need to require the use of antivirus and antispyware software. Going one step further, you must enable logging on your security software. This helps you determine who downloaded a new kitty screensaver from Viruses 'R Us. Keep these programs, and all your operating systems, as patched and current as possible. Surely PCI can't blame a family BBQ restaurant if someone hacks a known Windows server exploit, but CYA with updates.

All companies under PCI must run vulnerability testing at least once a year. Bigger businesses with more credit card transactions may have to test once a quarter. PCI also says to track and log all user access to network and cardholder data. If your server isn't set to log all accesses by all users, and keep that log secure from tampering, it may be time to update or call in some help. Again, that's a good idea even if you don't fall under the credit card guidelines.
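One way to make an access log "secure from tampering" in the sense the paragraph above asks for is to chain each record to the one before it with a keyed MAC, so a changed or removed entry breaks the chain. The following Python is an added example, not code from the column or from any PCI document; the key, user names and access records are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key for the example; a real deployment keeps it on the log
# collector, not on the hosts whose access it records.
LOG_KEY = b"constructed-example-key"
GENESIS = "0" * 64

def _link(prev_mac: str, record: Dict) -> str:
    """MAC over the previous entry's MAC plus this record, so each entry is
    tied to its predecessor."""
    body = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()

def append_access(log: List[Dict], ts: str, user: str, action: str, resource: str) -> Dict:
    """Record one access to cardholder data, chained to the last entry."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = {"ts": ts, "user": user, "action": action, "resource": resource}
    entry = dict(record, mac=_link(prev_mac, record))
    log.append(entry)
    return entry

def verify_chain(log: List[Dict]) -> int:
    """Return -1 if every link checks out, else the index of the first entry
    whose MAC does not match (an edit there, or a deletion just before it)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_link(prev_mac, record), entry["mac"]):
            return i
        prev_mac = entry["mac"]
    return -1

def sample_log() -> List[Dict]:
    """Three constructed accesses to a card-data table."""
    log: List[Dict] = []
    append_access(log, "2008-03-01T09:00:00Z", "alice", "SELECT", "db.cardholders")
    append_access(log, "2008-03-01T09:05:00Z", "bob", "UPDATE", "db.cardholders")
    append_access(log, "2008-03-01T09:07:00Z", "alice", "EXPORT", "db.cardholders")
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))        # -1
    log[1]["user"] = "mallory"                  # someone rewrites who did the UPDATE
    print("after edit:", verify_chain(log))     # 1
```

The chain catches edits and deletions inside the log, but not the silent removal of the newest entries; that is why the latest MAC or the entry count should also be recorded somewhere the logging host cannot reach, such as a separate log server.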

Are the PCI rules self-serving for the financial industry as a way to avoid forcing vendors making transaction processing software liable for security holes they leave in their systems? Yes. Are the rules, for the most part, some helpful leverage for network managers looking to increase their budget to upgrade their security? Yes again.

Unfortunately, the PCI burdens are so stiff the latest compliance figures show less than 40% of companies pass the PCI muster. If big companies can't meet PCI compliance, what chance do small companies have?

Doesn't matter, just keep fighting the good fight for better security from outside and inside threats. Better security comes more from a security mindset than the pocketbook.

Copyright © 2008 IDG Communications, Inc.