By Ellen Messmer
With deadlines looming this year for the biggest credit-card merchants and service providers to prove compliance with the Payment Card Industry Data Security Standard (PCI DSS), businesses are under the gun, sometimes spending hundreds of thousands of dollars to accomplish that goal.
But PCI compliance is a moving target, and more standards for next year are in sight.
The PCI Security Standards Council last year issued a set of 12 security requirements, PCI DSS 1.1 (known by insiders as the “digital dozen”), for protecting card data. The requirements include encryption of cardholder data as well as more general enterprise requirements such as using antivirus software, deploying application-layer firewalls, and conducting periodic vulnerability assessments.
But even as businesses struggle to make their networks and business processes available for inspection by any of the 70 or so “qualified security assessors” (QSAs) trained under the council’s program for evaluating PCI compliance, the prospect of additional security requirements is coming into view for next year.
At the PCI Security Standards Council 2007 Community Meeting held recently in Toronto -- the first meeting of its kind to bring the council’s membership and certified PCI security providers together -- the 300 or so attendees got a sneak peek of the new set of “best practices” guidelines for application security that the council intends to publish by year end.
“These will be guidelines for designing applications in a secure manner,” says one attendee, Joe Lindstrom, senior director for professional services at Symantec. The security software vendor is a QSA accredited by the PCI Security Standards Council to perform on-site evaluations of businesses handling card-payment data to determine whether sensitive information is being processed and stored as defined by the PCI DSS 1.1 standard.
Lindstrom says the new application-security guidelines under discussion by the council would take effect in the fourth quarter of next year as a new requirement above and beyond the current PCI DSS 1.1.
The new PCI rules, Lindstrom said, would pertain to applications developed in-house as well as those acquired from certified application providers. In addition, he noted, a standard for PIN-entry devices used in card processing is also emerging.
Businesses that handle card-payment data say they are spending mightily to hire QSAs to prove they meet the current PCI DSS 1.1 standard. Visa and MasterCard say the high-volume card processors and service providers must show PCI compliance this year.
“PCI crosses any and all aspects of the organization,” says Peter Clark, director of information systems at Jordan’s Furniture, a retailer with stores in Massachusetts and New Hampshire. “It’s a big canopy that covers everything.”
Clark said the company is in the process of being certified for PCI compliance by Ambiron Trust Wave, a certified QSA.
An expensive priority
Jordan’s Furniture has already spent almost $100,000 in the PCI compliance process in the past few weeks to make the changes it hopes will result in a good report that will be shared with Visa, MasterCard and the retailer’s acquiring bank, First Data Merchant Services.
Symantec’s Lindstrom acknowledged PCI compliance can be an expensive process, calling PCI the “Sarbanes-Oxley” of the card-processing world.
Fees for PCI compliance evaluation run “from as low as $20,000 to over half a million dollars,” said Lindstrom. When businesses select a QSA, the first step is typically a basic security evaluation, carried out in tandem with business managers, to determine where the business might be “deficient and fall short of compliance.”
Remediation to bring the organization up to PCI compliance is a process which, if it goes smoothly, can take a matter of weeks, though there is the possibility that a company never makes it through. “Some fail,” said Lindstrom.
PCI compliance often kicks off in earnest with a letter from the bank to the merchant. That’s what happened recently at the Philharmonic Center for the Arts in Naples, Fla., which has 500 employees and handles about $16 million per year in transactions.
The Philharmonic is not a top-volume card-processing merchant, so it does not have to meet this year’s PCI compliance deadlines, but it may be among those facing a deadline next year.
“Our credit-card processors are pressuring our finance manager,” says the Philharmonic’s network administrator Anthony Garmont. “The pressure is increasing every day, but as far as a specific date, I don’t know.”