October 28, 2010

The well-adopted PCI Data Security Standard, which defines how credit card issuers and processors should protect credit card transactions and data, is being re-released today in a 2.0 version, along with Payment Application Data Security Standard 2.0. Bob Russo, general manager of the PCI Council, spoke with us yesterday (during a break from a PCI Council European community meeting in Italy) to share what's new in the standards and how they will affect banks.

There are no dramatic changes to the card security rules, which Russo describes as "maturing gracefully." He believes it's a testament to the soundness of the rules that they don't need to be changed. "If there were things in the standards that weren't doing well, there would be a need for all kinds of upgrades and changes," he says. Rather, version 2.0 provides clarifications and explanations requested by stakeholders among its 600 members (who represent banks, issuers, acquirers, and POS terminal vendors). For instance, some bankers had questions about how to secure the cardholder account number; these are cleared up in the new version.

The security requirements of DSS are broad and basic, as you can see in this PCI Council music video (the 12 requirements are also listed at the bottom of this article):

There are no big surprises for banks in the 2.0 standards. "If you were compliant with the standards last year, you won't notice many changes at all," Russo says. But he urges banks to think of DSS in terms of security, rather than compliance. "Compliance is a checkbox mentality," he says. He offers an analogy to compliance with a homeowners insurance policy. "Do I have smoke detectors? Yes. Do I have an alarm system? Yes. Do I have batteries in my smoke detectors? That's another story."

Some work was done to make sure the standards would be applicable anywhere in the world. "I'm in Italy now, if I drive for two hours, I'll be in a different country and all the rules will be different," Russo notes. "There are 30 countries in the EU alone that all have different rules when it comes to privacy, so we have to deal with those."

The Council is looking at newer technologies such as point-to-point encryption (rule #4 requires encrypted transmission of cardholder data across open, public networks). It has also updated its standard for wireless card payments.

One thing bankers have sought clarification on is a rule that prevents them from storing authorization data, which they need to issue cards. A working group is looking at this question in light of other bank regulations that already protect authorization data.

A focus for the PCI Council this year is smaller merchants that lack IT experience. The group is adding resources to its website to help small merchants cope with the rules. The Council is also working to align the three related standards it manages: the DSS data security standard, an application security standard and a standard for PIN entry devices. "As a banker, you're not only securing your data, but you also have to deal with applications and POS terminals that need to be secured," Russo says.

One card security best practice the PCI Council always recommends to banks is that they have logging turned on and check their logs. In the case of one major credit card data breach at a transaction processor, "everything that happened, everything, was in the logs, but nobody was looking at them," Russo says. "Forensics investigators saw the fraudulent activity immediately. Was nobody looking at these logs?" If banks use multiple logs, they need to centralize and monitor that data.
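The point Russo makes about the breach, that the evidence was in the logs but nobody was reading them, is the case for centralizing logs from several systems and running simple checks over them continuously. The following is an added example, not code from the article or the PCI Council: it merges two constructed log sources (an application server's authentication events and a database's query log, in a hypothetical key=value format) into one time-ordered stream and flags three things a reviewer would want to see immediately: repeated failed logins from one address, reads of the cardholder table by accounts not on an approved list, and bulk reads of cardholder rows. The thresholds and the table and user names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (hypothetical format: TIMESTAMP HOST ACTION k=v ...).
APP_LOG = """\
2010-10-27T02:14:07Z app01 auth user=svc_batch result=OK src=10.1.4.20
2010-10-27T02:14:09Z app01 auth user=jsmith result=FAIL src=198.51.100.7
2010-10-27T02:14:11Z app01 auth user=jsmith result=FAIL src=198.51.100.7
2010-10-27T02:14:13Z app01 auth user=jsmith result=FAIL src=198.51.100.7
2010-10-27T02:14:15Z app01 auth user=jsmith result=FAIL src=198.51.100.7
2010-10-27T02:14:17Z app01 auth user=jsmith result=FAIL src=198.51.100.7
2010-10-27T02:14:19Z app01 auth user=jsmith result=OK src=198.51.100.7
"""

DB_LOG = """\
2010-10-27T02:15:01Z db01 query user=svc_batch table=cardholder rows=25000
2010-10-27T02:16:30Z db01 query user=jsmith table=cardholder rows=3
"""

# Accounts assumed (for the example) to be approved to read the cardholder table.
APPROVED_CARDHOLDER_READERS = {"svc_batch"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'TIMESTAMP HOST ACTION k=v ...' line into a dict, or None if malformed."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    ts, host, action, rest = parts
    event = {"ts": ts, "host": host, "action": action}
    event.update(_KV.findall(rest))
    return event


def centralize(*sources):
    """Merge (name, text) log sources into one stream ordered by timestamp."""
    events = []
    for name, text in sources:
        for line in text.splitlines():
            ev = parse_event(line)
            if ev:
                ev["source"] = name
                events.append(ev)
    # ISO-8601 UTC timestamps sort correctly as plain strings.
    return sorted(events, key=lambda e: e["ts"])


def review(events, approved_users, fail_threshold=5, row_threshold=1000):
    """Return human-readable alerts for the conditions a log reviewer should see at once."""
    alerts = []
    failed_logins = Counter()
    for ev in events:
        if ev["action"] == "auth" and ev.get("result") == "FAIL":
            failed_logins[ev.get("src")] += 1
        if ev["action"] == "query" and ev.get("table") == "cardholder":
            user = ev.get("user")
            rows = int(ev.get("rows", 0))
            if rows > row_threshold:
                alerts.append(f"{ev['ts']} {ev['source']}: bulk read of {rows} cardholder rows by {user}")
            if user not in approved_users:
                alerts.append(f"{ev['ts']} {ev['source']}: cardholder table read by non-approved user {user}")
    for src, n in failed_logins.items():
        if n >= fail_threshold:
            alerts.append(f"{src}: {n} failed logins")
    return alerts


def demo():
    """Run the review over the constructed sources; returns the alert list."""
    events = centralize(("app", APP_LOG), ("db", DB_LOG))
    return review(events, APPROVED_CARDHOLDER_READERS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run stand-alone it prints three alerts: the 25,000-row read by the batch account, the cardholder read by an account that is not approved for that table, and the five failed logins from one address. The checks are deliberately plain; the value is in having every source in one stream and in someone (or something) reading it every day, which is what requirement 10 asks for.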

Another basic step for banks and processors is scoping: knowing every spot on the network where credit card data is stored. Russo recommends using an automated method of combing the entire network for credit card data. For instance, the human resources department may use some employees' credit card numbers as identifiers for some reason, unbeknownst to IT. "You need to make sure you find this data," Russo says.
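The automated sweep Russo describes comes down to recognising primary account numbers wherever they sit. Below is an added example, not code from the article or the PCI Council, of the core of such a scanner: it looks for 13 to 19 digit runs (with optional spaces or dashes), keeps only those that pass the Luhn check that real card numbers satisfy, and reports each hit by file and line with the number masked to its first six and last four digits so the scan report itself does not become another place where PANs are stored. The files are constructed in memory for the example; a real run would walk file shares, databases and mailboxes. The number 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
import re

# Constructed in-memory "files" standing in for a file share; the HR file mirrors the
# article's example of employee card numbers being used as identifiers.
FILES = {
    "hr/expense_ids.csv": "employee,id\nj.smith,4111 1111 1111 1111\nm.jones,4111-1111-1111-1112\n",
    "it/asset_list.txt": "serial 123456789 rack 4\n",
}

# A candidate is 13-19 digits, each digit optionally followed by one space or dash,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, which is the usual display format."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (offset, masked_pan) for every Luhn-valid candidate in a piece of text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def scan_files(files):
    """Map path -> [(line_number, masked_pan)] for every file containing a likely PAN."""
    report = {}
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for _offset, masked in find_pans(line):
                report.setdefault(path, []).append((lineno, masked))
    return report


if __name__ == "__main__":
    for path, hits in scan_files(FILES).items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: {masked}")
```

The Luhn filter is what keeps the sweep useful: the second HR entry differs by one digit, fails the checksum and is dropped, and the nine-digit serial number never becomes a candidate. Every hit still needs a human to decide whether the data belongs there, but the output tells IT exactly which files to start with.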

The PCI Council is beginning a new lifecycle for its standards: the new DSS standard will go into effect January 1, 2011, but the version it replaces won't sunset until the end of next year. "This gives people more time, it lets us collect more meaningful feedback on business and how we may need to change the rules going forward," Russo says. "Not that we want them to wait until the end of next year. We want them to use the new standards as quickly as possible."

The 12 Requirements of PCI DSS:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security