The Payment Card Industry Security Standards Council, created by the five major credit card companies to safeguard cardholder data, issued its new Data Security Standard version 1.1 in September 2006. The DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures relating to cardholder data.
This new version contains some important changes and creates additional requirements for banks, merchants, credit card processors and hosting providers. Although it is a year later, banks of all sizes are still pondering whether the updated DSS pertains to their institution, and if so, how much of it is applicable?
What is PCI DSS?
Twelve requirements, grouped into six broader categories, make up PCI DSS. They essentially outline security controls that banks and other companies must implement including firewalls, encryption, log monitoring, web application assessments and an overall security policy:
Who does PCI DSS apply to?
The standards established by PCI are applicable to your bank if you handle, store, process or transmit a primary account number. This includes acquiring banks, banks that process credit cards for merchants and banks that procure credit card applications (even if the information is passed on to a third party). So what about banks that offer debit cards? Do you also have to comply with PCI DSS? The answer is yes. Annual debit card transactions have been growing at over 20 percent per year since 1996 and now exceed credit card transactions, according to a 2006 paper published by the Federal Reserve Board. With more people opting to reach for “the other plastic card,” banks are mandated by the PCI Security Standards Council to adhere to the same security requirements for the system components (network components, servers, etc.) connected to their debit card data environment, as with their credit card data environment.
How do you know when to comply with PCI DSS?
You will either act or react when it comes to PCI DSS compliance. Often times, it is a reaction to a letter received from an individual payment brand (Visa, MasterCard, etc.) that directs you to ensure compliance with DSS through the completion of a self-assessment questionnaire. In this case, the payment brand may specify the
time frame in which your organization must meet the compliance requirements.
What do you need to do to comply?
If you want to take a more proactive approach to safeguarding cardholder data, you should first create and maintain a detailed inventory of where and how you store, process and transact cardholder data long before you receive a letter from the credit card companies. This will give you a good picture of what you have to work with. If data is housed in multiple locations (i.e. on multiple servers or in multiple departments), it should be consolidated into a single location. Identifying and consolidating all of your data should make it easier to complete the self-assessment questionnaire.
While going through the self assessment (which is an annual requirement) you may conclude that there are some technical specifications of a DSS requirement that you are unable to fulfill. In this case, compensating controls will be taken into consideration for those DSS requirements that can not be met.
For example, if you have cardholder data stored in multiple locations across your network, a compensating control might be to have stronger access controls to that information based on users’ job responsibilities, proper credentials, etc., thus limiting access to the data. Only organizations that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance (see the Payment Card Industry Data Security Standard Appendix B: Compensating Controls).
Once you have completed the self-assessment questionnaire, then you can develop remediation plans for effectively securing cardholder data. Typically, the estimated time for an organization to reach compliance is between 12-24 months, however this can vary from entity to entity.
If your bank is on a short deadline to respond to a self-assessment questionnaire, you should examine whether you have the knowledge, resources and time to drive the self-assessment project yourself. Many times, you may have the knowledge or the time, but not both. You should consider reaching out to approved scanning vendors or qualified security assessors for assistance with preparing for self assessments or completing self-assessment questionnaires. Third-party organizations can offer assistance tailored to your specific needs, whether you require help with the entire project, or just parts of it.
Being compliant with PCI DSS should be a high priority for any financial institution, merchant, credit card processor or hosting provider. Although PCI does not penalize you for noncompliance, individual payment brands will. They can implement financial or usage penalties if you fail the self assessment. Keep in mind also, that although PCI has established a consistent set of standards, each payment brand may have its own interpretation of those standards. So, it is important to be as thorough as possible on the self-assessment questionnaires.
Ted Keniston is director of professional services for SecureWorks, headquartered in Atlanta. He can be reached at 404-417-3764 or tkeniston(at)secureworks.com. SecureWorks is a WIB-endorsed Value & Income Program partner (VIP).
Copyright August-September 2007 Western Banking (BankNews Publications)