The Green Sheet Online Edition
February 23, 2009 • Issue 09:02:02
PCI Compliance for Dummies
Stealthy and anonymous, cyber thieves can wreak havoc on the commercial financial services sector. The opening of the e-book PCI Compliance for Dummies states that a cyber thief, not "a gun-toting thug," is the avatar of contemporary crime.
As evidence, coauthors Sumedh Thakar, PCI Solutions Manager for the IT asset security company Qualys, and Terry Ramos, Qualys Vice President, Strategic Alliances and Channel Development, cite security breaches at several U.S. retailers in recent years in which millions of credit and debit card numbers were stolen. TJX Companies Inc., BJ's Wholesale Club Inc. and OfficeMax Inc. are just three of nine or more retailers that have been breached.
Yet, while huge breaches at big corporations are sure to grab headlines, they are anomalies. Of all attacks on payment card systems, more than 80 percent target level 4 merchants - those who process fewer than 1 million transactions a year - of which there are about 6 million in the United States, according to the authors.
These are the retailers with whom PCI Compliance for Dummies seems primarily concerned. More than anything else, the reference to large-scale data swindling is a warning to smaller merchants that electronic payment security demands the highest vigilance; if leading corporations with top-flight security technology can be breached, imagine the vulnerability of a small retail shop with limited resources to devote to security.
Yet, the pressing importance of cyber security is far from universally recognized. According to the National Federation of Independent Business Guide to Data Security (as cited by the authors), 57 percent of merchants "don't see securing customer data as something that requires formal planning," and 61 percent "have never sought out information about how to properly handle and store customer information."
The book delves into technical examinations, both of the various ways data breaches happen and the different measures commonly undertaken to prevent them. At the book's core are explanations of the Payment Card Industry (PCI) Data Security Standard's (DSS) 12 requirements for guarding sensitive cardholder data.
The PCI DSS mandates that businesses implement such measures as firewall protection, encryption of cardholder data, anti-virus software and a system for tracking all access to cardholder information.
"The great thing about PCI requirements is that they provide an excellent checklist for protecting cardholder data," said the authors in their description of industry regulations. "The PCI Data Security Standard requirements are the same points you'd normally use for overall information and network security."
In addition to the technical details (written in layman's language), the book covers basic procedures that can be overlooked in the cyber world of retail security - for example, making sure paper records of data are either eliminated or, if kept, properly and securely stored.
According to the authors, some common forms of data breach aren't terribly sophisticated; password theft tops the list. Often merchants simply don't bother to change the default passwords on their software. Hackers find those default passwords through online search engines and gain instant access to rivers of data. (According to the book, every copy of a given software release ships with the same default password.)
While the volume of information in PCI Compliance for Dummies is a bit staggering, all of it makes clear to merchants the need for both the construction of a full-scale cyber fortress and its watchful upkeep.
Network maintenance should include tests on firewall and router configurations, regular updates of anti-virus software, daily reviews of computer security logs and the use of "vulnerability scanning products and services."
Most suggestions in the book are mandated by the PCI DSS; a vulnerability scan (performed by an Approved Scanning Vendor) can be used to fulfill certain PCI testing requirements. To ensure compliance with all 12 requirements, however, it is recommended that a Qualified Security Assessor be engaged for an on-site audit.
The stakes are decidedly high; without due diligence, a merchant risks seeing his or her business devastated by attackers armed not with guns, but simple pass codes.
To download this e-book, please visit www.qualys.com/forms/ebook/pcifordummies.