Late in 2010 the Payment Card Industry (PCI) Security Standards Council announced version 2.0 of the PCI Data Security Standard (DSS) and the Payment Application (PA) DSS. The PCI DSS is the worldwide information security standard for organizations that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards. The sole purpose of these standards is to reduce credit card fraud due to the exposure of the sensitive information contained on the card. This information is printed on the card, encoded in the magnetic stripe, or stored in some active or passive embedded device (e.g., an RFID chip). It is necessary to complete the financial transaction, and when stolen it can be used to commit that fraud. Depending on the volume of such transactions, organizations must either have an annual audit by an external Qualified Security Assessor or complete a Self-Assessment Questionnaire.
All audits after 1 January 2012 must be done according to the PCI DSS 2.0 standard.
The changes in 2.0 come under several categories, including:
- Clarification and additional guidance.
This set of over 100 changes includes better definitions, clarifications of scope and processes, and the elimination of some redundancy in the specification. I suspect that most of these changes will have little impact on most organizations, but they should all be carefully reviewed.
- Risk Based Approach.
Perhaps the most significant update is to allow vulnerabilities to be ranked and prioritized according to risk. This is an evolving area of the standard that I expect will see significant changes in future versions. I also believe it is critical that organizations take this risk-based approach in order to concentrate their efforts on those areas that provide the most benefit. If a vulnerability has low risk but a high cost to correct, and you can appropriately document that low risk level, you may be able to be compliant without “fixing” the vulnerability, or by using compensating controls. Certainly, all high-risk vulnerabilities must be addressed.
- Emerging Threats.
The changes ensure that the standard is keeping up with emerging threats and changes in the market. Again, I expect to see interim updates in this area.
This change updates the “one primary function per server” requirement.
Some companies with low volumes, and therefore low fines for non-compliance, feel it is better to be fined than to be compliant. While it is true that the fines can be substantially less than the cost of becoming compliant, the real risk to the company is not the cost of the fines but the cost of a data breach. According to the Ponemon Institute, on average it costs a company over $200 for each lost record in direct and indirect costs. Over 99% of the records stolen through data breaches are stolen by external agents. They are very good at it; they take everything they can get, and they use that data to commit fraud. The time between when your systems are compromised and when you become aware of the attack and are able to stop the data loss is usually measured in weeks or months, so when you are attacked you are likely to have a large number of records stolen.
I was talking to a manager at a small retail store. They sell things in the $10 to $1,000+ range. The store does 40-50 transactions a day, 80-90% of them by a credit or debit card. In an average month they handle about a thousand unique cards. If they have a data security problem, they could easily lose two months' worth of that sensitive data, and it could cost the store $400,000 to deal with the result.
The US Secret Service / Verizon RISK Team “2011 Data Breach Report” noted that 89% of organizations covered by PCI-DSS that had data breaches in 2010 were not compliant. These are the companies that decided to “pay the fine,” and now have to also pay potentially millions of dollars to fix the problem. Some of those companies will not survive.
It is shortsighted to avoid compliance in order to save money. In my view, it is critical that an organization be compliant with PCI or whatever compliance regulations apply to it. The cost of failing to be compliant can be the loss of the business, and with cyber criminals running rampant and winning the fight against largely ineffective government enforcement activities, the odds of being successfully attacked are increasing.
The last word:
If 89% of successfully hacked companies that were supposed to be PCI compliant were not, that means that 11% of those data breaches were at companies that were compliant. Compliance is necessary, and based on conversations with lawyers on both sides of data breach cases, you are a whole lot better off if you were compliant. However, compliance is not sufficient.
Security has to be elevated to the corporate level. Compliance regulations like PCI must become a business imperative, not just an IT imperative. It must be woven into the fabric and culture of the organization. Then it can become a financial and competitive advantage.
Keep your sense of humor.