Visa PCI – Complying with Payment Card Industry Standards
By Jack Bess
KnowledgeLeader Contributing Writer


Whether it is a neighborhood pizzeria or a giant chain of retail stores, any merchant that handles transactions by credit card is required to meet security standards established two years ago by the payment card industry (PCI). Security breaches at pizzerias are not likely to make headlines, but that is not the case with larger businesses.
On Jan. 17, 2007, TJX Companies Inc. announced that stored credit-card data at some of its stores may have been accessed by intruders via its computer systems during 2003 and from mid-May through December 2006. The retailing giant, which owns such stores as T.J. Maxx and Marshalls, was initially unable to determine how many customers may have had their data stolen, saying only that the number of such customers was “substantially less than millions.” Repercussions of the breach are still being discovered. In late January, the Massachusetts Bankers Association reported that the stolen credit- and debit-card data were linked to incidents of fraud at several state banks and to fraudulent purchases in the U.S., Hong Kong and Sweden.
With the financial stakes so high for businesses, banks and customers, the payment card industry issued its Data Security Standard (DSS) in December 2004. Visa, MasterCard and the other card brands had run their own security programs since as early as 2001 and only recently came together behind a single PCI standard. The standard is maintained and updated by the PCI Security Standards Council, an independent body formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Enforcement remains with the individual brands; for Visa in the United States, Visa USA manages compliance enforcement and validation. Earlier compliance deadlines have come and gone; the next one is June 2007.
To retain their ability to accept credit-card payments, merchants and service providers must comply with the DSS. Yet the compliance rate is strikingly low. Estimates of the share of compliant companies range from 17 percent to just short of 30 percent, say Protiviti IT security consultants. The low rate is usually attributed to the magnitude of the task: no fewer than 204 controls have to be in place to be certified as compliant. One major retail chain has worked for three years and spent millions of dollars replacing IT equipment at its 2,000 stores, and it has yet to reach full compliance, says Scott Laliberte, a Protiviti director.
“It is a very strict standard,” Laliberte says. “It consists of 204 controls, and every single one has to be in place and operating effectively.”
A picture has begun to emerge of some best practices and common pitfalls organizations encounter on the road to 100 percent compliance with the security standard.
Dealing with the digital dozen
The PCI Data Security Standard consists of six principles from which spring 12 requirements, the so-called digital dozen:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
All merchants and service providers that process or transmit credit-card transactions must comply with the DSS and report on their compliance. “Merchant” refers not just to retailers but also to institutions that provide services, such as hospitals, universities and nonprofit organizations. “Service provider” means an entity that helps process or store credit-card data for another business, such as companies that handle reward programs for hotels and airlines. The DSS is the same for everyone, but reporting requirements vary, determined by the annual volume of credit-card transactions processed and by whether a business is a merchant or a service provider.
Merchant Levels

| Level | Description | Reporting requirement |
|---|---|---|
| Level 1 | Any merchant processing over 6 million Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system; any merchant identified by any other payment card brand as Level 1. | Annual on-site security audit and quarterly network scan |
| Level 2 | Any merchant processing 1 million to 6 million Visa transactions per year, regardless of acceptance channel. | Annual self-assessment questionnaire and quarterly network scan |
| Level 3 | Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year. | Annual self-assessment questionnaire and quarterly network scan |
| Level 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year. | Annual self-assessment questionnaire and quarterly network scan |

(The Level 2 and Level 3 volume bands are given here as the non-overlapping ranges implied by the Level 1 and Level 4 rows; the tiers are Visa USA's, and the other brands publish their own.)
Service Provider Levels

| Level | Description | Reporting requirement |
|---|---|---|
| Level 1 | All VisaNet processors (member and non-member) and all payment gateways (an agent or service provider that stores, processes and/or transmits cardholder data as part of a payment transaction). | Annual on-site security audit and quarterly network scan |
| Level 2 | Any provider that stores, processes or transmits more than 1 million Visa accounts/transactions annually. | Annual on-site security audit and quarterly network scan |
| Level 3 | Any provider that stores, processes or transmits fewer than 1 million Visa accounts/transactions annually. | Annual self-assessment questionnaire and quarterly network scan |

Compliance standards are the same for overseas companies that process credit-card transactions, though the name of the compliance program may differ. Visa International, for example, runs the Account Information Security compliance program. Reporting requirements may vary a little, but the compliance concepts are the same, Laliberte says.
ROC-solid compliance
Merchants and service providers at the top levels are required to have the annual on-site security audit. The PCI council recommends the audit be performed by a qualified security assessor, but a large organization can perform that work itself, provided the necessary skill sets exist within the organization and an officer of the company signs off on the report, says Timothy Hartzell, Protiviti Associate Director.
In either case, the document that must be completed is the PCI DSS Security Audit Procedures (download it at www.pcisecuritystandards.org), more commonly referred to as the Report on Compliance (ROC). “This is the template we are required to use when reporting on an on-site assessment,” Hartzell says.
Service providers send the completed ROC to Visa for review, and if the documentation meets all the criteria, the provider is deemed to be certified. Merchants, however, send the completed ROC to the acquiring bank for review.
“If the merchant is making an effort to comply, typically, they will show the bank where they are in non-compliance and have to show a plan of how they are going to comply,” Laliberte says. “Then the bank will come to an agreement with them about when they have to be in full compliance, and the bank monitors the progress of the merchant and how they are performing against their plan.”
Penalties for non-compliance are primarily financial. Visa can fine its members up to $500,000 per incident for a non-compliant company that suffers a security breach. If a member fails to notify Visa of a suspected or confirmed loss or theft of any transaction data, they can be fined $100,000 per incident.
However, organizations may not be fully aware of all of the potential problems that could result from a security breach, Hartzell says. To begin with, breach-notification laws in many states require companies to notify customers that their information may have been compromised, which can be expensive for a national retailer.
Also, “if a company suffers a breach, Visa will send in a forensics team of their choosing, and the merchant or service provider is required to pay for this,” Hartzell says. “It can become very costly very quickly.” Still other penalties might be that the bank will charge more for its services so that merchants will have higher fees for accepting credit cards, or the merchant could lose its ability to accept the card for payment, Hartzell adds.
Additional fines are waiting in the wings. According to Hartzell, American Express has said that as of April 1, 2007 merchants will be fined $50,000 if they fail to provide documentation that they are taking steps to meet the PCI standard and performing such tests as vulnerability scans.
Then there are the “harder-to-quantify consequences,” such as lawsuits from customers whose data was stolen, and the merchant’s or service provider’s name being tarnished in the public eye.
What do security consultants find?
In assisting such clients as national retailers and hotel chains with their compliance and reporting requirements, Protiviti consultants typically identify issues around the size, age, and capability of clients’ IT systems.
“Encrypting credit-card data seems like a simple task,” Laliberte says. “But when you get into a high-transaction environment, the encryption requirements can require quite a bit of processing power, and that starts to introduce complexity into the situation.”
This issue applies particularly to companies with legacy equipment, and in the rapidly evolving world of information technology, “legacy” can mean equipment less than a decade old. Encryption may simply not be possible with older systems. Hartzell says one commonly seen problem is the TELNET protocol, which is used to manage a router on a network.
“TELNET is a very old protocol and it sends user credentials across the wire in clear text, or not encrypted,” Hartzell says. “So if a hacker is ‘sniffing a wire,’ they would have your user ID and password. There is newer technology called SSH, or Secure Shell, which runs an encrypted transmission from end to end. But companies that are using a router more than five or six years old may not support SSH in their present configuration. Equipment may have to be significantly upgraded or replaced to support that function.”
For a national chain, that may mean having to budget for replacing equipment at hundreds or thousands of stores.
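The Telnet problem Hartzell describes can be shown in a few lines. The script below is an added example, not code from the article or from Protiviti: it reassembles a constructed Telnet login (the byte sequences, the hostname `store-rtr-0417` and the credentials are all invented for the demonstration, not taken from any capture) and recovers the username and password exactly as a sniffer on any segment the session crosses would. The only work involved is discarding the protocol's own negotiation bytes; there is no encryption to defeat.

```python
"""Recover a router login from a sniffed Telnet session.

Added example, not the article's or Protiviti's code. The 'capture' is a
constructed list of TCP payloads in arrival order, tagged by direction;
hostname and credentials are invented."""

# Telnet protocol constants (RFC 854). Bytes following an IAC are
# option negotiation, not user data.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences and return only the application bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                    # IAC cut off at a segment boundary
        elif data[i + 1] == IAC:                     # IAC IAC: an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):  # three-byte option negotiation
            i += 3
        elif data[i + 1] == SB:                      # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                        # any other two-byte command
            i += 2
    return bytes(out)


def recover_credentials(capture):
    """Pair each server prompt ending in ':' with the client's next line.

    Returns {prompt: value}; e.g. {'Username': ..., 'Password': ...}."""
    creds = {}
    prompt = ""
    pending = b""
    for direction, payload in capture:
        text = strip_telnet_negotiation(payload)
        if direction == "server":
            # The prompt is whatever the server last wrote without a newline.
            tail = text.split(b"\n")[-1].decode("ascii", "replace").strip()
            if tail.endswith(":"):
                prompt = tail[:-1].strip()
        else:
            pending += text
            while b"\n" in pending:
                line, pending = pending.split(b"\n", 1)
                if prompt:
                    creds[prompt] = line.rstrip(b"\r").decode("ascii", "replace")
                    prompt = ""
    return creds


# Constructed capture of a router login. A real one would come from a
# sniffer such as `tcpdump -A tcp port 23` on any hop between admin and router.
CAPTURE = [
    ("server", bytes([IAC, DO, 24]) + b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("client", bytes([IAC, WILL, 24, IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE]) + b"admin\r\n"),
    ("server", b"Password: "),
    ("client", b"s3cret!\r\n"),
    ("server", b"\r\nstore-rtr-0417>"),
]

if __name__ == "__main__":
    print(recover_credentials(CAPTURE))  # {'Username': 'admin', 'Password': 's3cret!'}
```

Running the same parser over an SSH session yields only ciphertext after the key exchange, which is the whole of the remediation Hartzell describes. For an assessor, the practical check is the inverse: any device in the cardholder environment still listening on TCP port 23 is a finding regardless of what its configuration says.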
Other commonly seen issues, Hartzell says, are incomplete or no documentation for security procedures that are indeed performed, and the lack of strong auditing functions around IT security. “A company may have logging functions enabled on their system, but they do not have a formal process around centralizing, reviewing, securing and storing them,” Hartzell says.
On the other hand, consultants can also find ways to reduce the size of a company’s problem, such as segmenting the network, which means using a firewall to isolate the systems that handle cardholder data from the rest of the network so that only the isolated segment is in scope, Laliberte says. Another beneficial concept is truncation. Instead of having a system store the entire card number, it can store a truncated version that keeps only the first six and last four digits, he says.
“By doing some creative things like that with one client, we were able to take an entire data center out of scope because they changed their business process to where they did not need that full card number anymore,” Laliberte says. “By re-architecting your network and processes, you can limit the risk, reduce the scope of PCI and make it a little easier to comply.”
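The truncation Laliberte describes is simple to implement, and the same routine is what an engineer reaches for when a full card number turns up where it should not be, such as an application or point-of-sale log. The script below is an added example, not code from the article or from Protiviti. It assumes the first-six/last-four rule quoted above and uses a Luhn check to tell card numbers apart from other long digit runs; the log line and the reference number in it are constructed, and `4111 1111 1111 1111` is a widely published Visa test number, not a real account.

```python
"""PAN truncation and log redaction.

Added example, not the article's or Protiviti's code. Keeps the first six
and last four digits as the article describes; the sample log line is
constructed and the card number is a published test number."""
import re

# A PAN is 13-19 digits, possibly written with spaces or dashes between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812). Every real PAN passes it; most look-alike
    numbers such as order ids and timestamps do not."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, mask the rest.

    Refuses input that is not a plausible PAN rather than returning
    something that merely looks truncated."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a 13-19 digit PAN: %r" % pan)
    if not luhn_valid(digits):
        raise ValueError("Luhn check failed: %r" % pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (a log line, a support
    ticket, a CSV export) with its truncated form; leave other digit runs alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


# Constructed sample: a POS log line that leaked a full PAN next to an
# unrelated 16-digit reference number that must be left intact.
SAMPLE_LOG = ("2007-02-03 14:21:07 store=0417 pan=4111 1111 1111 1111 "
              "ref=1234567890123456 amt=19.99 result=APPROVED")

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
```

The Luhn gate is what keeps the redactor from mangling timestamps and order numbers; the regex alone would match any 13 to 19 digit run. Note that a log that has been scrubbed this way is out of scope only if the full PAN was never written to disk in the first place; redacting after the fact does not recover the earlier copies, backups included.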
Companies are advised to use qualified independent security assessors to perform the annual penetration test and the quarterly vulnerability scans of their systems. In the “pentest,” the tester simulates what a hacker would do: try to identify a network vulnerability that can be exploited. In the quarterly scans, the consultant uses a PCI-approved scanning tool and process to test the merchant’s Internet-facing range of IP addresses, Hartzell says. The automated scanner examines the addresses and identifies a missing patch or misconfiguration that might leave a system open to attack. The consultant then reviews the results for false positives, he notes.
“The tools are designed to err on the side of caution,” Hartzell says. “It is better to report a vulnerability that may not actually be there than not report one that could be there. So we take the results from the automated tools and verify that the vulnerability actually exists or provide evidence that it is a false positive.”
Consultants typically work closely with Internal Audit (IA) departments since IA usually takes the role of making sure the organization is compliant. Other parties that may be involved, Laliberte says, are the treasurer, who works most closely with the bank; the Chief Information Officer, who makes sure the IT controls are in place; and Human Resources, which has responsibilities around policy and personnel requirements.
Of course, responsibility for compliance will vary from organization to organization. Ultimately, the ideal vision for an organization, Hartzell says, is to have an individual – whether it is the CIO, the Chief Compliance Officer or someone else – responsible for a team of people who can carry out the action necessary to become compliant.
Is it safe?
There is one other, very significant benefit for merchants and service providers who have achieved full compliance – the right to invoke “safe harbor.” Under this concept, an organization that has a security breach can be shielded from fines and some of the fraud costs, as long as it has all 204 controls in place and operating effectively and has met its reporting requirement.
However, there is a potential problem with safe harbor, Laliberte warns. He offers this scenario: A merchant could have a clean report on compliance and have recently completed a quarterly scan that did not flag any problems. But in the assessment, the tester selected 10 out of 20 systems as his sample for testing, and one of the 10 untested systems did not have a control operating effectively. What if this untested control results in a subsequent breach?
“It means you are not fully in compliance with the standard, and therefore safe harbor probably goes out the window,” he says.
Increased vigilance by internal audit departments can help ensure that the discovery of security issues does not become the work solely of independent security assessors. IA can use the PCI DSS Security Audit Procedure, which is the document that all assessors use, Laliberte says.
“The organization can download the document, go through it, and start to benchmark themselves against the standard and the audit requirements to get an idea of where they are going to have problems,” he says.
Article from Protiviti KnowledgeLeader – www.knowledgeleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

