www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
10 September 2007  

Security in the payment card industry

A common security standard for the payment card industry not only helps secure customer transactions, but also saves merchants from heavy fines imposed upon them in cases of fraud. By Varun Aggarwal

The number of credit card users is increasing and there is a corresponding rise in cases of credit card fraud. This phenomenon is prevalent not just in India, but worldwide. “The biggest challenge faced by the industry is that credit card data is being handled by millions of companies, such as banks, retailers, payment gateways, and credit rating agencies. There is no consistent procedure that is adopted to ensure that credit card data is not misused. Even one bad apple can have a huge impact on the community,” says Vishal Dhupar, Managing Director, Symantec India.

This serves to highlight the crying need for a common standard that establishes a baseline on how to handle credit card information.

Developing a standard

"PCI DSS helps improve the security of payment card data by providing a clear and prescriptive framework of IT security best practices"

- Amuleek Bijral, Country Manager, RSA, the security division of EMC

In January 2005, the payment brands American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International came together to ratify a comprehensive standard called PCI DSS (Payment Card Industry Data Security Standard) to help organizations proactively protect customer account data.

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster widespread adoption.

The ongoing development of this standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input during the creation and review of proposed additions or modifications to PCI DSS.

Amuleek Bijral, Country Manager, RSA, the security division of EMC, explains, “PCI DSS helps improve the security of payment card data by providing a clear and prescriptive framework of IT security best practices. PCI DSS is extremely specific in what it requires companies to do, and all of the actions required are generally recognized IT security best practices. From ensuring that a company understands where all the credit card data resides, to deploying effective virtual and physical perimeters, to securing access to card data, to protecting the data itself through encryption, to monitoring access to cardholder systems—PCI DSS provides companies with excellent guidance in terms of technologies, processes, and policies that protect payment card data, and, in turn, help to improve an organization’s overall security posture.”

Understanding PCI-DSS

Released in September 2006, PCI DSS version 1.1 is the first update to the framework. Developed by a newly formed PCI Security Standards Council, PCI DSS 1.1 augments the previous iteration by placing additional emphasis on application security.

Banks, merchants and payment processors approach PCI DSS compliance as an ongoing effort. Compliance must be validated annually, and companies must be prepared to address new aspects of the standard as it evolves under the auspices of the PCI Security Standards Council. In short, organizations must remain vigilant in order to not just achieve—but also maintain—PCI DSS compliance.

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data.

Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: Web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
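The scoping rule above (PAN handlers form the cardholder data environment, anything connected to it is in scope, segmentation shrinks the scope) can be checked mechanically against an inventory. The following is an added example, not code from the article or from the PCI Council; the hosts and the firewall policy are constructed, and it conservatively treats "connected to" as transitive network reachability.

```python
from collections import deque

# Constructed sample inventory (hypothetical hosts, not from the article).
# name -> (stores/processes/transmits PAN?, set of hosts it can reach)
INVENTORY = {
    "pos-terminal":  (True,  {"payment-db", "ntp-server"}),
    "payment-db":    (True,  {"ntp-server"}),
    "ntp-server":    (False, set()),
    "hr-fileserver": (False, {"ntp-server"}),
    "marketing-web": (False, {"hr-fileserver"}),
}

# Constructed segmentation policy: (source, destination) links a firewall blocks.
BLOCKED = {("pos-terminal", "ntp-server"), ("payment-db", "ntp-server")}

def undirected_links(inventory, blocked):
    """Adjacency after segmentation. A link counts in both directions unless
    the firewall blocks it in either direction (a blocked host can neither
    reach nor be reached by the CDE over that link)."""
    adj = {name: set() for name in inventory}
    for src, (_, dsts) in inventory.items():
        for dst in dsts:
            if (src, dst) in blocked or (dst, src) in blocked:
                continue
            adj[src].add(dst)
            adj[dst].add(src)
    return adj

def pci_scope(inventory, blocked=frozenset()):
    """Return (cde, in_scope): the cardholder data environment and every
    component that can reach it over the network, found by breadth-first
    search from the CDE (assumption: reachability is treated transitively)."""
    cde = {name for name, (handles_pan, _) in inventory.items() if handles_pan}
    adj = undirected_links(inventory, blocked)
    in_scope, queue = set(cde), deque(cde)
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in in_scope:
                in_scope.add(peer)
                queue.append(peer)
    return cde, in_scope

if __name__ == "__main__":
    print("flat network, in scope:", sorted(pci_scope(INVENTORY)[1]))
    print("segmented, in scope:  ", sorted(pci_scope(INVENTORY, BLOCKED)[1]))
```

On the flat network every host ends up in scope because the shared NTP server bridges the CDE to the HR and marketing segments; blocking the two NTP links reduces the scope to the two PAN-handling hosts.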

Challenges in PCI-DSS compliance

As with any other compliance-related activity, customers face challenges with PCI DSS compliance as well. Bijral groups these challenges into three categories:

The first is locating and classifying all credit card data. Card issuers cannot secure what they cannot manage, and cannot manage what they cannot find. Issuers face the significant challenge of finding all credit card data across the enterprise, in order to ensure that each piece of information is secure.

The second challenge is ensuring that all credit card data is effectively secured. Since credit card data must be secure everywhere, customers face the challenge of moving beyond basic perimeter protection in order to secure the data wherever it resides; ensure that only those with authorization may access cardholder data systems; and guarantee that individuals accessing card data are who they claim to be.

Finally, customers must be able to respond to security threats and compliance audits, and are under internal pressure to demonstrate that their PCI investments can go beyond compliance. Investments of time, money and human resources must be leveraged beyond PCI. Customers need to understand that the energy they expend today will be useful tomorrow–well beyond the PCI audit.

Understanding PCI-DSS: control objectives and their requirements

Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement strong access control measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an information security policy
- Maintain a policy that addresses information security

What’s in it for me?

The cost involved in complying with this standard may lead you to wonder why you should go for it. PCI DSS compliance not only helps you to secure customer data, but at the same time it also helps you secure IT infrastructure for your company as a whole. If you are compliant with the standard, you can avoid fines amounting to millions in case of fraud.

Dhupar adds, “Recently Trusted Strategies did an analysis of the Department of Justice prosecutions from 1999 to 2006 and the average financial loss was found to be more than $3 million per case of data breach. In addition, non-compliance impacts brand reputation and exposes corporations to extensive negative publicity that undermines consumer confidence.”

The standard has been mandated, and all merchants with more than six million transactions per year need to be compliant by December 2007. However, companies that deal with merchants falling under this category would also be required to comply even if their own transactions per year are fewer than six million.

Rohit Tripathy, Founder-Director of Control Case, adds, “The December 2007 deadline applies for Indian merchants as well. Though all merchants have to comply, only merchants with more than six million transactions per year have to get it externally validated. As of date India does not have a Category 1 merchant, but it may have some in the near future. Yet, there are some business areas where risk perception is high (like online travel sites, and mobile service provider Web sites). Card agencies and acquiring banks are focusing on getting these sites to become PCI DSS compliant. One large bank for instance has identified 17 high risk merchants which should comply with PCI DSS.”

PCI DSS addresses IT-related credit card security issues. Fraud can still occur through employee collusion, or through an intent to cheat at a human level (for example, people holding valid access under PCI DSS 1.1 have committed fraud). PCI DSS 1.1 has not been designed to prevent fraud arising from non-IT issues.

“If a fraud occurs through IT systems in spite of an entity obtaining PCI DSS compliance, and the entity can prove that it was successfully maintaining PCI DSS controls at the point of fraud, it is entitled to safe harbor protection from Card Agencies, and will not be fined by them,” concludes Tripathi.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.