The Payment Card Industry Data Security Standard (PCI DSS) has been a world-changing experience for many midmarket businesses, retailers and credit card processors that previously had little or no regulatory oversight for security.
"PCI has been their baptism," said Steve Alameda, principal consultant of Data SafeGuard of San Francisco. "It's one heck of a way to get baptized."
Consultants who devote part or most of their activities helping smaller organizations -- mostly those with Level 3, 4 and some Level 2 requirements for self-assessment -- share some of the difficult lessons learned in the trenches.
Lesson 1: Don't Underestimate PCI
Astonishingly, there's anecdotal evidence that some smaller companies are still unaware they must comply with PCI. Level 4 merchants, those processing fewer than 20,000 transactions annually, are slower to get the word.
Assuming your business is not in that situation, you're facing requirements that are growing increasingly demanding. Self-Assessment Questionnaire D, which most covered organizations are required to complete, is far more detailed than what the questionnaire originally required in 2007. Most companies often turn to consulting help for a variety of reasons:
- Lack of knowledge about their own environment. Small companies are wrapped up in doing business, not doing security. Once they realize what they have to protect and all the ways they might be exposed, light
- bulbs go off.
- Inability to comprehend the requirements. Few small companies have security people and most have, at most, a small IT staff that lacks the time and/or expertise to understand and complete the assessment.
- The requirements sink in. Organizations start out doing a self-assessment, then realize as they proceed they may have bitten off more than they can chew.
- Nobody wants to get it wrong. No one wants to go to the president and tell him/her that after all the time and money spent, the company is still not compliant.
- Companies think they have adequate security to meet the requirements. To most small businesses, that's desktop AV and a firewall.
This may also mean underestimating cost. Companies that do their homework, either internally or in combination with outside help, will have a realistic expectation of what they'll need to spend in terms of manpower, technology and services. For example, while they have AV and a firewall, chances are they have never given a thought to purchasing log management, IDS or file integrity-monitoring tools, let alone a Web application firewall.
Also, small companies, unlike enterprises or smaller organizations in heavily regulated industries, are not accustomed to refreshing equipment, such as point-of-sale systems, every few years. In many cases, they need to either upgrade or replace older equipment to become or remain compliant.
Companies do not, typically, anticipate they will have to make some fundamental changes in the way they do business. It's not a matter of tacking on security, even for the little guys. You may, for example, store credit card information in Excel spreadsheets. Now you need to convert all that information into databases and protect them.
"It's one of the hidden costs of PCI. I can't tell you how many businesses we walk into where they have paper records -- a warehouse of credit card receipts that's intermixed with invoices, etc." said Seth Peter, CTO of Minneapolis-based consultancy NetSPI. "One big area where companies underestimate costs is how do you stop doing that and how do you go back and clean it up?"
"They feel their environment is in pretty good shape, and don't think they'll need to make many changes," said Data SafeGuard's Alameda. "Then the reality hits that there will be a lot of changes."
Lesson 2: Learn PCI Problem Areas
PCI presents a laundry list of prescriptive data security requirements, many of which can be a challenge to smaller companies, but some are more likely to be especially problematic.
Encryption: The PCI requirement that stored credit card data must be encrypted can be a formidable challenge. Face it: Many large enterprises have flinched at encryption projects. The reason is not the encryption itself -- that's relatively easy. But key management, with all its complexity and administrative overhead, and concern about recovering data if keys are lost, is another matter.
The PCI practitioners we spoke to said most of their clients -- somewhat to their surprise -- had some encryption in place, but mostly in one-off situations where they could more or less set it in place and forget it. With PCI, the requirements become more complex and companies need to turn to products that simplify key management or seek outside help to manage it for them.
Policy: Midmarket companies are unlikely to have anything resembling a comprehensive security policy, unless they are already in a highly regulated industry, such as financial services. PCI Requirement 12 says that companies must maintain a policy that addresses information security. Sounds simple on the face of it, but when you dig into the details, this is really a complex set of requirements that impact many aspects of the business. It addresses all the other PCI requirements, and how to ensure that your employees and partners adhere to them.
This is a complex area because it touches all areas of the business and requires attention to things such as change management policy, which may be foreign to smaller businesses.
The best advice is to start with a set of base policies that can get companies through and build from there. There are good resources, such as the SANS Institute, that provide policy templates organizations can use as a starting point.
"We help companies to set policies specific to their environment and general enough to work with and expand," said Michael LaBarge, president and CEO of Datassurant Inc. of Reston, Va. "It gives them a starting point to improve their security posture, checks the box, and gets them on the right road."
Application security: Section 6.6 of version 1.2 of PCI DSS now requires either application code review or a Web application firewall (WAF). Even large enterprises have been slow to adopt strong application security in code development, application security assessments or even Web application firewalls.
Most companies, lacking the expertise for internal reviews, have opted for WAFs, but the requirement has come as something of a shock to small businesses. Small organizations can consider outsourcing if they can find a service provider at a reasonable price.
Lesson 3: PCI Compliance is Continuous
PCI ain't over when it's over. It's very common for companies that don't have a well-developed compliance program to put a lot of time and intense effort into PCI compliance, then be let down. They're setting themselves up for a lot of unnecessary and redundant work when the next year's assessment comes around.
Compliance often requires changing some basic business practices. Once a company is compliant, processes that were laid out are not followed through, because they cease to be urgent priorities, and management may have little appetite for changing operations.
In addition, if your smaller company is typical, the effort put into achieving compliance is taking people away from their day jobs. That means everyone is playing catch-up with responsibilities that have been neglected, and lose focus on compliance. That underscores the point that compliance processes need to become part of normal business operations, not simply a stack of "to-do tasks."
Finally, roles and responsibilities at small companies are not clearly defined. Duties are not documented and may change quickly if the person who usually does it gets pulled off to do something else, is out sick or goes on vacation. If it's not mission-critical for the business, it might not get done.
This was first published in November 2009