Eric Ogren

Security Impact

Is PCI creating an industry?

The new version of the Payment Card Industry (PCI) Data Security Standard, version 1.1, has been out for a few weeks now. Sources tell me that customers are interpreting the new PCI standard to determine what they have to do to comply. I have not seen many comments on the spec yet, so let me ring up a few +'s and -'s.

In general, this is a great spec for applying security technologies. I have some quibbles about requiring specific technology instead of problem solutions, but it does deliver enhanced security for credit card data, which can only be a good thing. As a product manager I learned to avoid the trap of putting "how to" design requirements into product specifications instead of "what needs to be fixed" functional requirements. PCI 1.0 was a serious offender, but PCI 1.1 is improved in this regard.

Compensating Controls (+). Great idea! Not all companies can implement all sections of PCI. In some cases they have met the intent of the requirement by means other than those specified by PCI; in other cases the economics of a solution just do not make sense for that business. Compensating controls allow organizations some needed flexibility in meeting a PCI requirement.

Web application security (+). I like web app gateways for protecting applications. It is only a recommendation in PCI 1.1, but I am glad to see the awareness raised for this technology. One good thing is the segregation of duties: a web application gateway can also detect information loss (e.g. unusually large chunks of outbound credit card data). Places to check out here include Citrix, F5, Imperva and Protegrity.

PCI Consulting Industry (+/-). PCI is spawning a services industry for generating official PCI audits. Anytime that happens you can be sure they'll create demand for more consulting work. Services engagements for security expertise can certainly help with organizations that are short in that skill set (+), but I hate to see an overhead-cost industry spring up just for the sake of PCI compliance (-).

Insufficient focus on data loss (-). In general, PCI is focused on stopping intruders or malicious insiders from penetrating the system. Let's face it, firewalls, anti-x, authentication, physical security and IDS/IPS will not help you detect a breach. PCI 1.1 is surprisingly light on how to detect loss: requirement 10 is mostly about the integrity of audit logs so you can try to figure out what happened afterwards, and I must have completely missed egress content inspection, audit reviews for loss or spot checks of outbound email. Seems to me a good value-add from PCI would be recommendations on how to detect a breach, followed by what a business should do when the breach occurs.
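To make the egress content inspection mentioned above concrete, here is an added example (my illustration, not code from the post or from any of the vendors named in it) of the kind of check a web application gateway or outbound mail filter can run: find digit runs that look like primary account numbers, keep only those that pass the Luhn mod-10 check so that order numbers and timestamps do not count, and block the payload when more distinct card numbers leave than a single transaction would ever carry. The threshold, the sample payloads and the card numbers (widely published test numbers, not real cards) are all constructed for the example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> set:
    """Return the set of distinct Luhn-valid PANs found in text (separators stripped)."""
    found = set()
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return found


def egress_verdict(payload: str, max_pans: int = 1) -> tuple:
    """Classify an outbound payload as ('allow', n) or ('block', n), where n is the
    number of distinct valid PANs it carries. max_pans is an assumed policy knob."""
    count = len(find_pans(payload))
    return ("block" if count > max_pans else "allow", count)


# Constructed sample payloads (not captured traffic). 4111111111111111,
# 5555555555554444 and 4012888888881881 are published test card numbers;
# 1234567890123456 fails Luhn and must not be counted.
SINGLE_RECEIPT = "Order 4471 confirmed. Card ending 1111. Total $42.00"
BULK_EXPORT = (
    "cust_id,name,pan\n"
    "1,A. Smith,4111 1111 1111 1111\n"
    "2,B. Jones,5555-5555-5555-4444\n"
    "3,C. Lee,1234567890123456\n"
    "4,D. Kim,4012888888881881\n"
)

if __name__ == "__main__":
    print("receipt:", egress_verdict(SINGLE_RECEIPT))   # ('allow', 0)
    print("export: ", egress_verdict(BULK_EXPORT))      # ('block', 3)
```

The Luhn filter is what keeps the false-positive rate tolerable on real traffic; without it every 16-digit order or tracking number would trip the gate. In practice the threshold would be tuned per application, and a block decision would also be logged so the audit review the post asks for has something to work from.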

Ideas for PCI 1.2 (+/-). The +/- is because these are just my ideas for discussion for PCI 1.2. There are undoubtedly other concepts that readers can add as comments.

  • Tell businesses how to detect data loss. Really, most don't have a clue. Visa/Mastercard/AMEX are experts at analyzing fraudulent behavior. Tell businesses to look for valid users grabbing unusually large chunks of consumer data, accessing data on off-hours, or accessing from home PCs. Then use the audit information to determine the magnitude of the loss.
  • Erase confidential data from end-points after SSL. The technology exists and is not a burden to either businesses or end-users. Require cache scrubbing, history file cleaning and temporary file removal whenever SSL is used. These capabilities exist from vendors like Aventail, Cisco, Citrix, and Juniper as well as a bunch more. Use 'em.
  • Define a data loss procedure. It is remarkable that the responsibilities to consumers are missing beyond "12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach." I want to see what the business must do when data loss is detected. Do they need to report to the cardholders affected? Offer credit-watch services? PCI is structured to reduce credit card fraud for the card companies; I'd like to see something for protecting their customers. It's the right thing to do.
  • Create a forum for best practices. There is so much that can help companies that does not belong in a standard specification. Organize a PCI advisor forum and a PCI Compliance Wiki. Let the community help you reduce fraud by sharing their best practice experiences.
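The first idea in the list above (look for valid users grabbing unusually large chunks of consumer data, working off-hours or connecting from home PCs, then use the audit trail to size the loss) can be turned into a simple review script. The following is an added example of my own, not code from the post: it parses constructed audit lines, flags each access on the three criteria, and totals the records touched by every flagged user so the magnitude of a suspected loss is visible. The log format, the corporate address ranges, the business-hours window and the per-query volume threshold are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed corporate address space and policy knobs (constructed for this example).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)      # 08:00 to 17:59 local time
MAX_RECORDS_PER_QUERY = 500        # tune to the application's normal per-query volume


def parse_line(line: str) -> dict:
    """Parse one audit line of the assumed form
    '<ISO timestamp> user=<name> src=<ip> records=<count>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts),
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
        "records": int(fields["records"]),
    }


def flags_for(event: dict) -> list:
    """Return the reasons an access looks suspicious; an empty list means normal."""
    reasons = []
    if event["records"] > MAX_RECORDS_PER_QUERY:
        reasons.append("bulk")                 # unusually large chunk of data
    if event["time"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if not any(event["src"] in net for net in CORPORATE_NETS):
        reasons.append("external-source")      # e.g. a home PC
    return reasons


def analyse(lines: list) -> dict:
    """Group flagged accesses per user and total the records they touched,
    which is the first estimate of how much data may have been lost."""
    report = defaultdict(lambda: {"events": 0, "records": 0, "reasons": set()})
    for line in lines:
        ev = parse_line(line)
        reasons = flags_for(ev)
        if reasons:
            entry = report[ev["user"]]
            entry["events"] += 1
            entry["records"] += ev["records"]
            entry["reasons"].update(reasons)
    return dict(report)


# Constructed sample audit lines (not real logs; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2007-10-02T09:15:00 user=alice src=10.1.4.22 records=12",
    "2007-10-02T10:02:00 user=bob src=10.1.4.40 records=35",
    "2007-10-02T23:41:00 user=bob src=203.0.113.9 records=4800",
    "2007-10-03T02:10:00 user=bob src=203.0.113.9 records=5200",
    "2007-10-03T11:30:00 user=carol src=192.168.7.5 records=900",
]

if __name__ == "__main__":
    for user, entry in analyse(SAMPLE_LOG).items():
        print(f"{user}: {entry['events']} flagged access(es), "
              f"{entry['records']} records, reasons={sorted(entry['reasons'])}")
```

On the sample, alice never appears in the report, carol is flagged once for volume alone, and bob's two night-time external bulk pulls add up to 10,000 records, which is the number an incident response plan would start from. Any of the three criteria on its own produces noise; the value is in reviewing the users where they coincide.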

I started this on the train to InterOp in NY. This could be my longest blog on Computerworld. Thanks for reading to the end!

What People Are Saying

Actually, the PCI DSS 1.1 has been out for over a year (released in Sept 2006) and was effective starting January 1st 2007. Organizations have been working on compliance with this standard all year and the larger merchants have audited against it on a quarterly basis. The end of September was merely the deadline for larger merchants to achieve compliance and avoid the ramped up fine structure. However, exceptions are already being granted for those Tier 1 merchants who filed for extensions with a plan to make Jan 1st 2008.

Well, I've read the 12 Major Tasks and I did not find them to be impossible, nor did I find them to be beyond most companies in the Level 1, Level 2, or even Level 3/4 capacity.

Read the items; most of them line up with secure networking, security, and application best practices in the first place.

Two-factor authentication, using SSL/SSH, implementing PKI infrastructures, performing regular audits, items to prevent collusion, secure passwords, security awareness training for all employees, encryption, centralized authentication, logging, monitoring, alerting, IDS/IPS, firewalls, policies, etc.

I audit networks, I perform a gap analysis based on my findings, and then I create an action plan based on the Statement of Work that is the result of the gap analysis.

Contact me if you need help. If your Google works you can find me easily enough.

This is actually a good thing.

There's a huge absurdity in the PCI DSS that it seems nobody's talking about.

Although the focus on implementation & enforcement is on Level 1 & 2 merchants, the PCI DSS requirements officially apply to all businesses that process credit cards - no matter how small.

While it's likely that VISA and the like won't be going after Level 4 merchants if there isn't a data breach, it's simply impossible for a company without huge staffs and financial resources to actually be compliant with the PCI DSS.

The standards were written assuming that every merchant is a huge Fortune 1000 equivalent company. I've yet to see an article about PCI compliance point out that mandating all merchants of every size to be PCI compliant would either put them out of business altogether or force them to stop accepting credit cards.

It's essential to safeguard customer & cardholder confidential data, but let's get real!!

Great post, Eric. As an IT Security Manager for a fashion retailer, we have dedicated several resources to our PCI compliance efforts. While we went in circles for a short time, we've found that the best approach was to discuss our PCI status with our credit card processor, and basically, ask them for guidance before wasting time and resources. They are more than willing to offer assistance.

Additionally, several industry leaders provide more than adequate products for data loss prevention, PCI compliance server/network scanning, and secure encryption methods. Vontu, PGP, and Qualys are our choices to date.

I agree... credit card processors need to provide the necessary incentives for PCI compliance. Regardless, most states have now adopted legislation that requires merchants to notify customers if their card data has been compromised in any manner. The negative business impacts on an announcement of this type should be enough to drive most tier 2 or higher merchants to seek the necessary controls for PCI safeguards.