Meet the PCI DSS, avoid being the next TJX
We recently interviewed some PCI DSS auditors who used TJX as an example of what merchants are
still doing wrong, particularly when it comes to the unnecessary storage of credit card numbers. In
your view, what were TJX's biggest failures with respect to the PCI DSS?
It's hard for me to talk about TJX's specific processes because I only know their issues from
what's been reported in the media. But one thing we always try to help companies understand is that
they need to know where data such as PIN and credit card numbers are, and get rid of it
immediately. That's the simple first step: If you're done with the data, get rid of it. There's
simply no reason to store it. The journey to PCI DSS compliance is just that, a journey. You should
consider dumping that stuff the first step on your journey.
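The "know where the card numbers are and get rid of them" step above is usually done with a discovery scan: find candidate card numbers in stored records, keep only the ones that pass the Luhn checksum, and truncate them to the last four digits. The script below is an added example, not code from the interview or from the PCI Security Standards Council; the record format and the card numbers in it are constructed (the numbers are publicly known test values, not real accounts).

```python
"""Find and redact stored primary account numbers (PANs) in text records.

Added example: scans records for candidate card numbers, filters them with
the Luhn (mod 10) checksum, and replaces the hits with a truncated form
(last four digits only). Record format and sample values are constructed.
"""
import re

# 13-19 digit runs, optionally separated by single spaces or dashes.
# Deliberately loose: the Luhn check below removes most false positives.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits: '4111111111111111' -> '************1111'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample records (public test card numbers, not real accounts).
SAMPLE_RECORDS = [
    "2007-03-28 POS-07 sale ok pan=4111 1111 1111 1111 exp=0309",
    "2007-03-28 POS-07 order 1234567890123456 shipped",   # fails Luhn: not a PAN
    "2007-03-28 WEB refund pan=378282246310005 amount=49.99",
]


def scan_records(records):
    """Return (number of PANs found, list of redacted records)."""
    hits = sum(len(find_pans(r)) for r in records)
    return hits, [redact(r) for r in records]


if __name__ == "__main__":
    n, cleaned = scan_records(SAMPLE_RECORDS)
    print(f"{n} stored card number(s) found")
    for line in cleaned:
        print(line)
```

The Luhn filter is what keeps a scan like this usable: a 16-digit order number in the second record is left alone, while the two real card-number patterns are truncated. Run against an export of logs, database dumps or file shares, the hit count tells you where cardholder data is still being kept.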
Are a majority of merchants falling into the trap of
storing too much customer data, or are you satisfied that companies are starting to grasp the
importance of getting rid of it?
We've done a lot of outreach since September and since the TJX breach, and one thing I'm extremely
optimistic about is that people are no longer asking why they need to comply with PCI DSS. Now they
ask how to do this. The level of questions on how to implement this has risen sharply. We spoke at
the CSO Interchange during RSA [held in San Francisco in February] and what came out of it is that
awareness is up by 90%. And this is no longer a credit card thing. It has become about how you
protect the lifeblood of your company -- the customers.

The PCI Security Standards Council formed last September as part of a wider overhaul of the PCI DSS.
Talk about what the council's primary tasks are, whether it involves further updates to the
standard or more extensive training and enforcement programs.
When we launched there were several criteria. One was to become a place where companies can go to
ask questions and get information on the standards. There was a lot of noise in the system, so the
council was set up to deal with that noise.
Requirements of the PCI Data Security Standard:

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security
The council recently announced a membership "call to
arms," encouraging members to take a greater role in the development of the next generation of the
standard. Talk about what they can do to play that greater role.
There is further need for continuing clarification. You get specific questions on how to think
about a given requirement. If multiple businesses come in and ask the question, it becomes apparent
that something wasn't clear. In September, we added stronger language on application security
because we see that as an emerging threat vector and we need to be staying ahead of the bad guys.
It was also necessary to add more clarity and consistency to the guidelines. Security is an
evolving process. The council wants to get more stakeholders -- merchants, banks -- to the table to
help us with feedback on what implementation and security challenges are there. How do we make the
PCI standard a living, breathing road map? Compliance is not a one-time experience.

Talk about the makeup of the council, in terms of the number of members and the breakdown of
representation.
We have each of the five payment brands represented, and we are adding a membership participation
organization with 150 members. Globally, 67% of the membership are U.S. businesses -- merchants,
processors, banks, point-of-sale vendors and security vendors.

You just hired a general manager,

Yes, our new general manager is Bob Russo, who will be the face of the standards council and will
help me with outreach. He has more than 25 years of high-tech business management, operations and
security experience. Most recently, he served as the vice president of commercial sales for Secure
Info, a provider of security, risk and compliance services and software. He was also a founder of a
number of software and security companies, including Network-1 Software & Technology and ATC
Security. His presence and leadership will further our goal of engaging key stakeholders. His
previous experience managing the compliance of payment industry merchants, issuers, acquirers and
service providers while maintaining relationships with the credit card payment brands made him a
natural choice for this position.

What are some of the specific projects now under way?
We are currently laying out a calendar for getting input on the next generation of the standard.
Big companies are starting to get it. Now we need to help guide the small-to-medium-sized
businesses. They tend to not be as sensitive as the bigger companies to the threats out there and
they are not as aware of PCI DSS. The small restaurant owners are not necessarily going to be
thinking about this the same way a large financial firm is. If the restaurant, for example, is
going to be buying a new point-of-sale system, we want to be there to help them make the right
choices and ensure the right level of security.

If they are not paying as much attention as the bigger guys, how do you help them with that?
We are working on a specific set of standards for point-of-sale vendors, standards as to what must
be in this technology and what the vendor must do to be in compliance with PCI DSS. That is one of
the big business initiatives for us right now.