
April 2006

Card Work

If you work in IT security for a retail organisation, the chances are you will already be aware of the Payment Card Industry Data Security Standard (PCI DSS for short).

If not, you need to get involved quickly, as it could have major ramifications for the way your organisation focuses on security.

The Payment Card Industry (PCI) Data Security Standard is a worldwide standard for the protection of cardholder data across the payment industry. It arose from aligning the Visa Cardholder Information Security Program (CISP) with the MasterCard Site Data Protection (SDP) programme.

The standard was introduced after a number of high-profile attacks in which a considerable amount of transaction data was compromised, resulting in millions of cards being cancelled and reissued. Now, if a merchant is compromised and has failed to meet the requirements of the standard by the stated dates, it can face fines, restrictions, or expulsion from card acceptance programmes altogether.


The PCI Data Security Standard has become an excellent yardstick for measuring IT security, being based on proven security principles and rules. Depending on the number and type of transactions they store, process or transmit, merchants are now required to undergo quarterly network security scans, complete a self-assessment questionnaire and, at the highest transaction levels, have an onsite audit conducted.


In terms of its approach to IT security, and its level of knowledge and sophistication, the retail sector is a number of years behind the financial services and banking industry. Because of the competitive nature of retailing, the key aim of these organisations has been taking money at the tills, with security, like any other operational expense, seen as an overhead. It is very important that this perception changes. The PCI Data Security Standard goes some way not just towards enforcing security standards within the retail sector, but also towards raising the profile of IT security throughout the retail organisation as a whole.


The compliance deadlines are looming ever closer, and some merchants may already have left it too late to meet them.


The PCI Data Security Standard consists of twelve main requirements, grouped under six control objectives:

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a vulnerability management programme
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Maintain a policy that addresses information security

For more information on ProCheckUp's PCI Data Security Standard testing services, click here.

© ProCheckUp Ltd 2006