The 12 Standards of PCI SSC
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
PCI Help on the Web
The news reports are all too common. A Miami man and two Russian conspirators are charged with stealing 130 million credit and debit card numbers over a two-year period from a New Jersey payment processor that handles data for national clients, such as 7-Eleven stores and regional businesses, including the Hannaford Brothers supermarket chain.
An Atlanta company that sells consumer information to employers and marketers reports that criminals posing as legitimate businesses gained access to Social Security numbers and credit histories of more than 145,000 consumers.
Intruders hack into the computer system of TJX Companies, owner of T. J. Maxx and Marshall’s stores, compromising millions of credit card accounts, as well as drivers’ license numbers and checking account information linked to transactions for returned merchandise.
Since it’s formation in late 2004, the Payment Card Industry Security Standards Council (PCI SSC) has been working to eliminate those news stories. What the Council does impacts every retailer—from major chains to mom-and-pop operations—that accept credit and debit cards. Retailers who don’t stay current on PCI SSC data security mandates may end up paying heavy fines or worse.
A Little Background
The PCI SSC is a combined effort by American Express, Discover Financial Services, CB International, MasterCard Worldwide and Visa Inc. The original goal was to establish a system of global security for cardholder data that is stored, processed or transmitted. Led by a policy-setting executive committee representing the various payment brands, PCI SSC has authored and released the Payment Card Industry Data Security Standard (PCI DSS), which addresses the minimal security standards necessary for all operations that handle data.
Although the PCI DSS standards are not legislated, many states have adopted some of the standards as law. Currently, 46 states have a breach notification law in the event of a problem. “Right now, the government has looked at the standards and says the industry is doing a good job of policing itself,” said Bob Russo, general manager of the PCI SSC.
The standards cover everything from businesses WiFi networks and back-end inventory systems to servers and LAN and POS networks. PCI SSC allows businesses to audit themselves or be audited by an approved professional, to determine if they are compliant with the standards or if there are security issues to address. Businesses that fail to comply with the standards run the risk of being fined should a security breach occur.
“If a small merchant (who is not compliant) experiences a breach, there is a distinct possibility that they will be required to pay fines, and lawsuits could result,” said Russo. “Their reputation would suffer. Their customers would get up and walk away feeling that their data is not secure.”
Russo’s is not an empty claim. Last summer two Spicy Pickle restaurants in Kalamazoo, Mich., closed their doors after a hacker accessed the credit card data of approximately 150 customers and made purchases using that information. “It hurt us so bad, you wouldn’t believe it,” restaurant co-owner Terry Henderson told a local newspaper recently. “We never recovered our sales levels. We never came close.”
While numerous PCI mandates are in effect, the council is currently focused on the security of PIN entry devices (PEDs). In 2007, large grocery chains, including Stop & Shop and Albertsons, reported that criminals walked into some stores, went to unattended checkout lanes and swapped out the stores’ PEDs with their own information-collecting devices. The culprits later returned to pick up their equipment, which by that time had captured and stored hundreds of credit card and PIN numbers.
Last year, two men pleaded guilty to placing a similar device at a Rite Aid drug store counter. The equipment collected numerous account and PIN numbers, which the pair used to create phony cards. They later stole more than $500,000 from various accounts.
This type of activity is known as “skimming.” Using a skimming card reader or “skimmer,” the magnetic data on the debit or credit card is illicitly copied and the card information is stolen. The victim is usually oblivious to the offense until cash is withdrawn or an unauthorized purchase is made with card information.
Despite the boldness of such cyber crimes, skimming is not uncommon, according to Visa. It is more likely to occur at after-hours operations, such as supermarkets, drug stores and convenience outlets. Visa advises retailers to be especially vigilant about activities around store PEDs and to educate employees about potential PED threats and theft. The company also wants merchants to use only PCI-approved PEDs, and as a result, has mandated changes to the store environment that go into effect on July 1, 2010.
Prior to 2004, manufacturers needed to meet only minimal standards when producing PEDs, and as a result, early devices were more easily compromised than later models. An improved PED was produced between Jan. 1, 2004 and Dec. 31, 2007, although this equipment can no longer be sold. The safest PEDs, which comply with current PCI security standards, are those that have been produced and lab-tested after Jan. 1, 2008.
According to a Visa mandate, all PEDs issued before 2004 must be pulled from service as of July 1, 2010. Retailers who are uncertain if their PEDs meet mandated standards should contact their acquirer—the financial institution that accepts credit and debit card payments on their behalf—or the manufacturer of their current PED. Merchants who want more information on the VISA mandate should visit www.visa.com/pin.
“We’ve been working on this for a year and a half,” said Trinette Huber, who manages information security for Sinclair Oil Corp., including PCI compliance for the company’s 300-plus distributors in the Rocky Mountain and Midwest regions.
But other organizations have delayed making the conversion and the cut-off date is close. “Everyone is rushing to meet the July deadline,” she said. ”It’s like studying for a test the night before your final exam.”
PED: Just One Part
Complying with the PED mandate is important, but it is just one small part of the overall program designed to protect credit and debit card data. There are 12 PCI standards (see sidebar) that must be addressed as part of a retailer’s security strategy, no matter how many stores they have or the number of credit and debit transactions they process. For an organization to be compliant, it must be audited based on each standard. A single audit does not ensure permanent compliance, making regularly scheduled follow-up audits necessary.
Merchants who have not navigated through the complete compliance process need to start right away, according to John Adams, delivery director for CTG Information Security Solutions, an IT services provider in Buffalo, N.Y. Retailers need to educate themselves about the process and develop a good relationship with their acquirer. “They have teams on staff providing PCI support,” he said of the acquirers. “They’re generally willing to work with you.”
For retailers, being mandated to do this is difficult to accept, said Jenny Bullard, chief information officer for Flash Foods, the convenience store operator based in Waycross, Ga., and chair of the NACSTech Conference. “But once you do go through it, it’s beneficial and makes the company more secure.”
Be Prepared for Challenges
Computer hackers were once believed to be young, bright and brash teenagers, like Jonathan James,
who made headlines after joy rides through the NASA and Defense Department computer systems when he was just 16. But things have changed.
“These are not teenaged kids trying to hack into your system for fun,” warned Russo of today’s offenders. Instead, they are more like Max Ray Butler, a 36-year-old hacker from San Francisco. In June, he pled guilty to federal wire fraud charges after admitting to the theft of nearly two million credit card numbers from banks and businesses and racking up $86 million in fraudulent charges. While some cybercriminals work alone, law enforcement agencies are finding more frequent hack attacks by sophisticated crime sydicates in offshore locations.
Focusing on PCI compliance is not a one-time project, such as replacing pre-2004 PEDs with more secure models, according to Russo. IT security should be a year-round activity for any organization that handles customers’ financial information.
“Retailers really need to look at these things and be compliant,” he said, referring to the 12 PCI SCC standards. “They need security built into everything they do.”