The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance security of Personally Identifiable Information and cardholder data. It facilitates the broad adoption of consistent data security measures globally and provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). (Source: PCI Security Standards Council, LLC [US].)
All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards. Companies that are compliant are expected to be more difficult to breach.
Driven by a constant stream of legislation creating new rules, requirements and auditing procedures, more organizations are feeling the demands of regulatory compliance. Most compliance requirements are seen as an unnecessary burden, legislated to protect external entities. However, correctly enforced compliance policies can and should protect organizations from security intrusions, lawsuits and corporate data loss. PCI DSS 3.0 was created by taking PCI DSS 2.0 and combining it with expert industry input on the benefits, uses and shortcomings of the previous standard.
In general, the following PCI standards V3.0 must be met in order for a retailer to be deemed compliant:
These six items are quite clearly intended to ensure security and prevent data breaches. PCI DSS 3.0 puts a greater emphasis on achieving security through compliance rather than compliance for the sake of compliance. This is a step by the PCI Standards Council to shift attention from achieving compliance to achieving the goal of compliance – PII and card data security.
Enforcing compliance regulations makes good business sense, and compliance takes a constructive approach to the requirements of computer security. Compliance, like security, is about managing risk, where the risk of compliance failure can be financial loss, intrusions, customer loss, or even ceasing to exist as a business (which has happened before). The risks of an improperly secured system are very similar to compliance risks, except that security is not mandatory while compliance is.
Data retention is a part of regulatory compliance that is an unavoidable challenge. Retention of data can be at odds with security: the longer data is retained, the longer it has to be secured. Compliance with industry regulations may seem contrary to user privacy, since data retention regulations require data owners to retain detailed records of user activity beyond the time needed for regular business operations.
Millions of digital credit card records are exposed every year. In June 2013 Facebook disclosed a breach of 6 million users’ emails and telephone numbers. The Target Corp. admitted that 110 million customer payment cards were compromised. Adobe said attacks exposed user IDs, passwords and credit card information for 2.9 million customers. The list is long.
Nearly all data losses are the result of hackers finding and exploiting well-known vulnerabilities in web applications, web and database servers, or networks. If all businesses processing card data found and eliminated their vulnerabilities, card data loss would be substantially reduced. Compliance is no longer about checking boxes and making sure everything is in place for the short period of the PCI audit. Modern compliance is about combining compliance and security, with compliance acting as a security driver to ensure privacy and prevent loss.
This unification of compliance and security management, which grew from necessity, results in economies of scale. Combining the two can bring about efficiencies that lessen overhead, both in time and in cost. PCI DSS 3.0 aims to achieve just that: compliance that leads to a high level of security, protecting organizations and end users alike.