Retailers face card data clampdown

Payment Card Industry Data Security Standard comes into effect from June

Key Issues

  • Payment Card Industry Data Security Standard comes into effect from June
  • If cardholder data is compromised, merchants face stringent penalties
  • Retailers must limit access to resources and information
  • Data collected by point of sale systems could also be affected

The Payment Card Industry Data Security Standard (PCI DSS), which comes into effect in June, promises to improve the security of consumers' credit card information.  It will have a huge impact on how credit card information is stored and retrieved, and will require retailers to have compliant systems.

The PCI, whose members include VISA, MasterCard and American Express, is enforcing compliance with the standard in a bid to improve the security of credit card information.  Non-compliant retailers risk large fines.

With the deadline for PCI DSS compliance so close, members of the PCI have been meeting retailers to discuss the challenges.

The data security standard has 12 requirements, covering the protection of cardholder data, vulnerability management, network security and access control.  There are four levels of compliance, based on the volume of credit card theft, and any retailer that experiences credit card theft and is found to be non-compliant faces hefty fines.

Retailers have also been warned that those at a lower level of compliance who experience a security incident in which cardholder data is compromised because of non-compliance will be moved to the highest level of compliance, Level 1.  This requires annual onsite third-party audits and quarterly system scans.

Retailers also need to realise that implementing PCI DSS compliance is costly.

The PCI DSS stipulates the use of firewalls to ensure the network is secure.  Retailers also need to put in place measures to protect against unauthorised access via the internet, whether it comes through an e-commerce platform or from within a company network by an employee.

It also recommends that retailers install only one primary application on an individual server.  Companies must disable all unnecessary and insecure services and protocols and remove all unnecessary functionality from such servers.

The PCI DSS states that retailers need to limit access to computing resources and cardholder information only to those individuals whose job requires such access.  Physical measures include using cameras to monitor sensitive areas, auditing collected data, and restricting physical access to publicly accessible network sockets, wireless access points, gateways, and handheld devices.

These requirements can put a huge burden on IT departments.  One of the key requirements retailers need to address is the storage of credit card transactions.

Relational databases storing credit card information should be locked down.  In addition, to remain compliant, database administrators need to disable XML support, a feature available on most modern databases.  The database should also run on a separate box, where all operating system services not required for the storage and retrieval of credit card information are disabled.

Retailers also need to be aware of the data collected via their electronic point of sale (EPOS) system.  For example, if the EPOS system is permanently connected to the internet and is not protected by a firewall, the information held in the EPOS could be at risk.

Although it is forbidden under the PCI DSS to store sensitive authentication data, some older EPOS systems do this.  This is a risk because attackers can use full magnetic stripe data to create counterfeit physical cards.
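One way for a retailer to check whether an older EPOS system is writing forbidden track data or unmasked card numbers into its transaction log, as an added example that is not from the article or any vendor. It assumes the ISO 7813 track 1/track 2 layouts, uses a Luhn check to tell card numbers from other long digit runs, and runs over constructed sample log lines using the well-known Visa test number 4111111111111111.

```python
import re

# Assumed track layouts (ISO 7813): track 1 is %B<PAN>^<NAME>^<YYMM>...?,
# track 2 is ;<PAN>=<YYMM>...?.  PCI DSS forbids storing either after
# authorisation; a stored PAN must be masked to at most first six / last four.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed EPOS log lines; the card number is the Visa test PAN, not a real card.
SAMPLE_EPOS_LOG = [
    "2007-04-10 09:12:01 SALE 19.99 GBP %B4111111111111111^DOE/JOHN^2512101123456789? APPROVED",
    "2007-04-10 09:14:33 SALE 5.49 GBP ;4111111111111111=2512101123456789? APPROVED",
    "2007-04-10 09:20:07 SALE 42.00 GBP PAN=4111111111111111 AUTH=012345",
    "2007-04-10 09:25:44 REFUND 12.00 GBP REF=1234567890123 APPROVED",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Render a PAN unreadable, keeping only first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(record: str) -> dict:
    """Report which kinds of forbidden or unmasked card data a log line holds."""
    findings = []
    if TRACK1_RE.search(record):
        findings.append("track1")
    if TRACK2_RE.search(record):
        findings.append("track2")
    pans = [p for p in PAN_RE.findall(record) if luhn_ok(p)]
    if pans:
        findings.append("pan")
    return {"findings": findings, "pans": pans}

def redact_record(record: str) -> str:
    """Strip track data entirely and mask any remaining Luhn-valid PAN."""
    out = TRACK1_RE.sub(lambda m: f"[TRACK1 REMOVED pan={mask_pan(m.group(1))}]", record)
    out = TRACK2_RE.sub(lambda m: f"[TRACK2 REMOVED pan={mask_pan(m.group(1))}]", out)
    return PAN_RE.sub(lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), out)

if __name__ == "__main__":
    for line in SAMPLE_EPOS_LOG:
        print(scan_record(line)["findings"], redact_record(line))
```

Any line that reports track1 or track2 means the EPOS system is retaining sensitive authentication data and needs fixing or replacing; redaction of an existing log is cleanup, not a substitute for stopping the write in the first place.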

For online merchants that use a manual method of processing credit card information, it might be more cost effective to start using a payment processor such as SecPay, Protx, or PayPal.  The advantage of using a payment processor is that in most cases the merchant is relieved of most of the PCI DSS requirements, as they no longer store the credit card number.

Maintaining Cardholder Data Security

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use default passwords
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly
  • Maintain a policy that addresses information security

More information

Source: Page 16, Computer Weekly Issue: 10th April 2007

Date - 30 April 2007
