Assessing PCI Compliance — World’s Biggest Standard

Everyone has a credit card these days.  Ever take it out and take a good look at that little magnetic strip on the back of a credit card?  It’s only about 2 1/2 inches long and quite thin.  That little strip contains all the personal information about you — your name, address, password, mother’s maiden name, perhaps your social security number and your financial account number and even more information about your account.

Who wrote the program that ended up on that magnetic strip? Are there copies of that magnetic strip information stored somewhere?  And this is only ONE card; you probably have a wallet full of them.

These payment cards (PC= Payment Card Industry) are the biggest deal in information security these days because of a new standard call the PCI-DSS standard (Payment Card Industry- Data Security Standard).  The PCI Security Standards Council, which created the standard, was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Credit card companies want you to charge it and they know that concerns about identity theft might possibly slow down your card use — so it is in their best interests to make sure that a solid security standard is in place to protect you.  The standard has turned into a requirement for everyone who takes a credit card and that turns out to be literally millions of grocers, retailers, online retail outlets, government agencies, convenience stores, utilities — almost everyone.  So the PCI-DSS standard may be the most widely applied information (data) security standard in the world.

With such a widespread and critical standard, there is confusion about how to meet the standard because just doing a self-assessment isn’t enough — you are also required to do penetration tests on your systems that handle and transmit this electronic customer information and ATTEST that you use the standard in your information systems.  

This includes having strong firewalls that protect cardholder data and making sure to remove
the generic vendor-supplied passwords; using good storage devices for sensitive customer information and encrypting data that flows over your network.  In addition, the card manager has to use anti-virus software, and also build secure systems.  Once proper controls are in place, these controls need to be monitored and tested. 

Doing a full compliance and vulnerability assessment annually is the best way to make sure that you can prove you have done all the specific activities required in the PCI-DSS standard.  The assessment actually breaks the entire standard down into smaller, manageable chunks and then each one is monitored, or validated, with an audit trail, so that is easy to prove that you have evaluated your organization’s compliance with the PCI-DSS standard.

The PCI-DSS standard is actually mild, as information security standards go, and not as far-reaching or intrusive as, for example, the HIPAA standard (Healthcare Insurance Portability and Accountability Act) which has completely revised the way healthcare organizations do business.  Nor is it as complicated as the BSA (Bank Secrecy Act) or the International Standards Organization’s 27001 standard (ISO 27001 and 27002).  

After the infamous TJMAXX identify theft incident — consumers should welcome the PCI standard and retailers and others affected by it should be grateful that is just another way of encouraging good information security practices.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security