Retailers face card data clampdowm

The Payment Card Industry Data Security Standard (PCI DSS), which comes into effect in June, promises to improve the security of consumers' credit card information. It will have a huge impact on how credit card information is stored and retrieved, and will require retailers to have compliant systems.

The PCI, whose members include Visa, MasterCard and American Express, is enforcing compliance with the standard in a bid to improve the security of credit card information. Non-compliant retailers risk large fines.

With the deadline for PCI DSS compliance so close, members of the PCI have been meeting retailers to discuss the challenges.

The data security standard has 12 requirements, covering the protection of cardholder data, vulnerability management, network security and access control. There are four levels of compliance, based on the volume of credit card transactions being processed by a retailer, and any retailers that experience credit card theft and are found to be non-compliant face hefty fines.

Phil Cracknell, director of information security at Deloitte and president of the Information Security Systems Association, said the legislation meant that UK merchants were at risk if they stored or transmitted cardholder data and were found to be non-compliant with the PCI standard.

Cracknell warned that those at a lower level of compliance who have experienced a security issue where cardholder data had been compromised due to non-compliance would be moved to the highest level of compliance, Level 1. This requires annual onsite third-party audits and quarterly system scans.

Retailers also need to realise that implementing PCI DSS compliance is costly.

The PCI DSS stipulates the use of firewalls to ensure the network is secure. Retailers also need to put in place measures to protect unauthorised access via the internet, whether accessed via an e-commerce platform or from within a company network by an employee.

It also recommends that retailers install only one primary application on an individual server. Companies must disable all unnecessary and insecure services and protocols and remove all unnecessary functionality from such servers.

The PCI DSS states that retailers need to limit access to computing resources and cardholder information only to those individuals whose job requires such access. Physical measures include using cameras to monitor sensitive areas, auditing collected data, and restricting physical access to publicly accessible network sockets, wireless access points, gateways, and handheld devices.

These requirements can put a huge burden on IT departments, said Richard Brain, chief technology officer at IT security firm Procheckup. One of the key requirements retailers need to address is the storage of credit card transactions.

He said, "Any relational database storing credit card information must be fully locked down."

In particular, Brain warned that, to remain compliant, database administrators would need to disable XML support - a feature available on modern databases. The database should also run on a separate box, where all operating system services not required for the storage and retrieval of credit card information, are disabled.

Brain said retailers may need to disable protocols such as Netbios and LDap, which are often used in database administration. "Lots of database applications mix protocols, and so would need to be rewritten to be PCI-compliant," he warned.

Retailers also need to be aware of the data collected via their electronic point of sale system (Epos). Diana Kelley, vice-president and service director at analyst firm Burton Group, said, "If the Epos system on the end of a permanently connected internet link is not protected, the information contained in that Epos could be at risk."

Although it is forbidden under the PCI DSS to store sensitive authentication data, some older Epos systems do this, Kelley warned.

"Storing sensitive authentication data poses a serious risk because attackers can use full magnetic stripe data to create counterfeit physical cards," she said.

Another problem that retailers could face arises from remote access, which often used for maintenance on Epos systems. "Systems that can be accessed remotely over the internet must be protected to prevent unauthorised access to credit card data," said Kelley.

Maintaining cardholder data security

● Install and maintain a firewall configuration to protect cardholder data

● Do not use default passwords

● Protect stored cardholder data

● Encrypt transmission of cardholder data across open, public networks

● Use and regularly update anti-virus software

● Develop and maintain secure systems and applications

● Restrict access to cardholder data by business on a need-to-know basis

● Assign a unique ID to each person with computer access

● Restrict physical access to cardholder data

● Track and monitor all access to network resources and cardholder data

● Test security systems and processes regularly

● Maintain a policy that addresses information security


The following article appears on Computer Weekly. You can click here to read it in its original source.