Whether you are a large retailer or a small internet boutique, if you accept credit cards you need to keep that information secure. It’s not just about compliance with The Payment Card Industry Data Security Standard (PCI DSS)— more importantly, you owe it to your customers. David Gibson, Director of Technical Services, Varonis Systems, takes us through the detail of PCI DSS compliance.
PCI DSS was developed as part of a collaboration by MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. Their efforts have culminated in the standard that serves as directive and guideline to help organisations prevent the misuse of credit card data.
Who Needs To Comply
All merchants and service providers who store, process and transmit credit card information must undergo quarterly self-assessments as well as audits (vulnerability scans) by an Approved Scanning Vendor (ASV) and in accordance with PCI DSS Scanning Procedures.
Large merchants (i.e. more than 6 million transactions per year for all outlets including e-commerce) and service providers (i.e. more than 1 million transactions per year) must also undergo annual on-site audits performed by a PCI DSS Qualified Security Assessor (QSA). The audit is inclusive of all systems, applications and technical measures, as well as policies and procedures used in the storing, processing and transmission of cardholder and credit card information.
What Is Considered Sensitive Data
According to the standard, the following information is considered sensitive:
* Primary Account Number (PAN)
* Cardholder name
* Service code
* Expiration date
* Pin Verification Value (PVV)
* Security code (3 or 4 digit)
In accordance with the standard, merchants or service providers are not allowed to store the PVV or the security code that uniquely identifies the piece of plastic in the cardholder’s possession at the time of the transaction. However, the PAN, cardholder name, service code and expiration date may be stored.
PCI Compliance Is More Than Just Securing Cardholder Information Within Databases
Many organisations naturally focus efforts for protecting cardholder information within databases, a challenge for which technical solutions abound. However, as breaches like Citigroup’s and Pfizer’s have shown, enterprises also face challenges controlling access to and dissemination of spreadsheets and documents that contain cardholder information. Exporting sensitive cardholder data out of databases is all too common, often done so that the information may be analysed as part of market research or be imported into other applications. In fact, 42 percent of enterprises hold customer data in spreadsheets as a matter of course according to Ventana Research , and these figures don’t include the individual users who conduct such exports on their own for business analytics or other purposes.
In the case of PCI, it is important to protect not only databases, but also file shares and SharePoint sites that house these spreadsheets and documents. Organisations need to implement a comprehensive system for not only finding the PCI information that resides outside of databases, but also for authorization, access control and auditing of all unstructured & semi-structured data stores. When file shares contain any of the PCI-designated sensitive information, organisations need to audit, review, and tighten up access to these shared networked resources as part of their PCI compliance efforts.
What Are The Costs/Risks Of Non-Compliance
Credit card fraud and misuse reaches into the billions of dollars annually. While the costs per incident may vary by merchant size, they include:
* Loss of income from fraudulent transaction
* Cost to reissue cards
* Costs of investigation and possible litigation
* Possible fines imposed by credit card companies
* Loss of reputation, customer confidence and business
* Possible loss of ability to accept credit cards for payment
PCI Compliance the Easy Way
There are five principles organisations need to address when seeking to comply with PCI DSS:
* Continual identification of relevant data
* A process to identify and revoke unwarranted access
* A process to configure and review logical access controls
* Proper separation of duties
* Evidence that these processes are being followed
Logical access control objectives are based on the principal of least privilege; access should be granted to only those resources that are required to perform a user’s function. Many audit regulations now focus on proper access and use of unstructured data on file systems and SharePoint servers.
It stands to reason that wherever the organisation has permissions to write or read data, a data owner, or steward, should be designated to make decisions about who gets access, acceptable use, etc. Otherwise, decisions about that data are left up to members of IT, who have little organisational context about the data they are trying to manage and protect.
In order to identify an owner/steward, IT needs to know who is making use of data—analysing data usage over time provides actionable business intelligence on the probable data owner of any folder. Using these statistics, administrators can quickly see the most active users of a data container. Often, one of the active users is the data owner. If none of the active users is the business owner, he or she will likely work for the data owner, or at least know who the data owner is likely to be.
Data Owners/stewards need to be automatically involved in the authorisation workflows and reviews for their data. Automation should enable users to request access to data, route the requests to the data owner and other appropriate parties, execute the appropriate actions, and track each requests. Entitlement reviews, or attestations, should also be similarly automated and auditable.
While this may all seem an insurmountable task, software solutions are available to find PCI data, aggregate user and group information, permissions information, access information, and content information (which files actually contain PCI data) from directories and file servers. Sophisticated analytics can then be applied to reveal detailed data use, misuse, and determine rightful access based on business need. Using this intelligence, organisations can then:
* Continually scan for PCI data (the audit trail enables true incremental scanning for only changed or modified files)
* Protect data by removing overly permissive access controls
* Ensure on-going compliance with automated entitlement reviews, and authorization workflows
* Restrict unstructured data access to those with a business need for that data
* Automatically update access controls to account for changes in roles and file server contents
* Track and monitor file touches for each and every user
* Alert on behavioural deviations that may signal a possible data breach
Surely the loyalty of your customers should be rewarded by securing their sensitive information. A breach doesn’t just affect the person whose account has been emptied— it can affect your reputation if the violation can be traced to your door. Compliance is important, for every one in the chain, and it may be easier than you realize to not be the weak link.
David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Technical Services at Varonis Systems where he oversees product marketing and positioning. As a former a technical consultant, Mr. Gibson has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).