Does PCI Compliance mean PII and Card Data Security?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance security of Personally Identifiable Information and cardholder data. It facilitates the broad adoption of consistent data security measures globally and provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). PCI Security Standards Council, LLC [US]).

All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards. Companies that are compliant are expected to be more difficult to breach.

Driven by constant legislation creating new rules, requirements and auditing procedures, more organizations are feeling the demands of regulatory compliance. Most compliance requirements are seen as an unnecessary burden that was legislated to protect external entities. However, correctly enforced compliance policies can and should protect organizations from security intrusions, lawsuits and corporate data loss. PCI DSS 3.0 was created by taking PCI DSS 2.0 and combining it with expert industry inputs regarding the benefits, uses and shortcomings of the previous standard document.

In general, the following PCI standards V3.0 must be met in order for a retailer to be deemed compliant:

• Maintain and test a secure network – regularly monitor and test the actual network that cardholder data travels through.
• Map the flow of cardholder data – throughout the applications and systems to understand the boundaries of the CDE (Cardholder Data Environment), identify all locations where PCI controls should apply and ensure no data ends up outside this secure perimeter.
• Protect Cardholder Data – focuses on how cardholder data are stored and transmitted. When a customer makes a purchase on a website, cardholder data sent over the Internet must be strongly encrypted with an industry-tested and accepted algorithm with strong cryptographic keys. Inside the organization cardholder data must be protected with the CDE (Card Data Environment), and any subsequent locations data are stored.
• Upkeep a Vulnerability Management Program – systems, antivirus software,  computer hardware, operating systems and software must be kept up-to-date (patched).
• Implement Strong Access Control Methods – assign a unique identification to each person that has access to data that is to be protected by PCI.
• Maintain a Security Knowledge Program – make sure that employees know and understand the importance of cardholder data and its implications.

These six items are quite clearly intended to ensure security and prevent data breaches. PCI DSS 3.0 puts a greater emphasis on achieving security through compliance rather than compliance for the sake of compliance. This is a step on the part of the PCI Standards Council in shifting attention from achieving compliance to achieving the compliance goal – PII and card data security.

Enforcing compliance regulations makes good business sense and compliance has a positive approach to the requirements of computer security. Compliance, like security, is about managing risk, where the risk of compliance failure can be financial loss, intrusions, customer loss, or even ceasing to exist as a business (which has happened before). The risks with an improperly secured system are very similar to compliance risks, except that security is not mandatory while compliance is.

Data retention is a part of regulatory compliance that is an unavoidable challenge. Retention of data may be incompatible with security, where the longer data is retained the longer it has to be secured. Compliance with industry regulations may seem contrary to user privacy, but data retention regulations request data owners retain detailed records of user activity beyond the required time for regular business operations.

Millions of digital credit card records are exposed every year. In June 2013 Facebook disclosed a breach of 6 million users’ emails and telephone numbers. The Target Corp. admitted that 110 million customer payment cards were compromised. Adobe said attacks exposed user IDs, passwords and credit card information for 2.9 million customers. The list is long.

Nearly all data losses are the result of hackers finding and exploiting well known vulnerabilities in web applications, web and database servers or networks. If all businesses processing card data, find and eliminate their vulnerabilities, card data loss would be substantially reduced. Compliance is no longer about checking boxes and making sure everything is in place for the short period of time of the PCI audit. Modern compliance is about combining compliance and security, compliance being a security driver to ensure privacy and prevent loss.

This unification of compliance and security management, which grew from necessity, results in economies of scale. The combination of the two can bring about efficiencies that lessen overhead, both in time and in cost. PCI DSS 3.0 aims to achieve just that. Compliance that leads to a high level of security, protecting organizations and end users alike.

This post is also available in: French

AboutIrene Abezgauz

Irene Abezgauz (@IreneAbezgauz) has ten years of experience in information and application security, focusing on application security testing and research. She is the Product Manager of Seeker, the new generation of automatic application security testing, as well as the leader of the research center in the company. She has discovered and published numerous vulnerabilities in products of leading vendors, and is a frequent speaker at professional conferences.