As the Payment Card Industry (PCI) data security standard comes into force this month, many companies are still struggling to meet its stringent standards.
PCI DSS was developed jointly by the major payment card brands, American Express, Discover, JCB, MasterCard and Visa. It replaced the brands' separate security programmes with a single global standard for protecting cardholder data at every stage of the transaction process, so that merchants and service providers face one set of requirements rather than five.
PCI DSS has 12 basic security requirements. They cover, among other things, protecting stored cardholder data and encrypting it when it is transmitted over public networks, restricting access to cardholder data on a need-to-know basis, running regularly updated anti-virus software, installing and maintaining a firewall, and regularly testing systems and processes for security issues. The largest merchants are validated by an on-site audit performed by a Qualified Security Assessor (QSA); smaller merchants validate by completing a self-assessment questionnaire. The standard took effect in June 2005 and has been overseen since September 2006 by the PCI Security Standards Council. Penalties for non-compliance include fines of up to $500,000 (£250,000) and loss of the ability to accept payment cards.
But the deadline for UK retailers, which had been extended to 30 June, has raised concerns over the number of companies still struggling to meet the standard's requirements.
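The cardholder-data requirement above is the one that most often trips up development teams, because full account numbers tend to leak into places nobody audited, such as application logs. As an added illustration (not code from the original article, Fortify or Evolution), the Python below shows three habits that PCI DSS Requirement 3 expects of any code handling a primary account number (PAN): mask it for display to at most the first six and last four digits, store a keyed one-way hash rather than the number itself when only a lookup reference is needed, and scan log output for unmasked PANs before it leaves the system. The sample PAN is the standard Visa test number, the HMAC key is a hypothetical demo value, and the log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed inputs: a well-known test card number (not a real account) and a
# hypothetical key. In production the key comes from an HSM or key-management
# service, never from source code.
SAMPLE_PAN = "4111111111111111"
HMAC_KEY = b"hypothetical-demo-key-replace-with-managed-key"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: true for syntactically valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: first six and last four digits at most."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash used as a storage/lookup reference instead of the PAN.

    A plain SHA-256 of a PAN is brute-forceable: with a known 6-digit BIN and a
    Luhn check digit there are only about 10^9 candidates. Keying the hash with
    a secret the attacker does not hold removes that shortcut.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# A run of 13 to 19 digits not adjacent to other digits; the Luhn filter
# removes most false positives such as timestamps or long order numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid digit run in a log line or file: these are full
    PANs that should never have been written there."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


# Constructed log lines: one leaks the full PAN, one was written correctly.
LEAKY_LOG = "2007-06-29 10:02:11 order=8812 pan=4111111111111111 amount=19.99 status=ok"
CLEAN_LOG = "2007-06-29 10:02:11 order=8812 pan=" + mask_pan(SAMPLE_PAN) + " amount=19.99 status=ok"

if __name__ == "__main__":
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("reference:", pan_reference(SAMPLE_PAN, HMAC_KEY))
    print("leaks in LEAKY_LOG:", find_unmasked_pans(LEAKY_LOG))
    print("leaks in CLEAN_LOG:", find_unmasked_pans(CLEAN_LOG))
```

The log scanner is the piece worth wiring into a build or log-shipping pipeline: an audit finding of full PANs in debug logs is cheap to prevent and expensive to remediate once the logs have been backed up and copied around.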
Jacob West, manager of the Security Research Group at security vendor Fortify Software, welcomed the PCI standard and its emphasis on self-regulation. “When dealing with information as sensitive as credit card details, it is absolutely crucial that everything possible is done to ensure the complete protection of this data,” he said.
But West is concerned that, in the rush for businesses to comply with the PCI standard, particularly the requirement to maintain secure systems and applications, some organisations won't do as thorough a job as they should. “To achieve meaningful compliance with PCI, organisations have to design, build, test, and deploy their credit card systems with security in mind from the very beginning,” said West.
“We believe the PCI standard would be more effective – and that more companies would pass the PCI audit the first time – if it outlined specific steps necessary to implement a secure development lifecycle.” Rather than alluding to industry best practices, he called for PCI to mandate specific activities, such as architectural risk assessment, static source code analysis during development, security testing with specific measures of breadth and depth, and application-aware security defences applied to deployed applications.
Ritchie Jeune, chief executive of security consultancy Evolution Security Systems, said smaller retailers in particular don’t yet see the standard as relevant to them, especially having recently upgraded systems to meet last year’s chip and PIN deadline. “There’s a lack of understanding about what PCI really means and that, for instance, the biggest threat can be internal.”
Jeune recommended using one of the online self-assessment tools created by the many vendors looking to capitalise on the standard and have their products PCI-accredited, such as Evolution’s own version on its website. “This is a good initial step to demonstrate you’re doing something about it,” he said.