PCI DSS Compliance: A Difficult But Necessary Journey
by Andre Muscat - GFI Director of Engineering - Monday, 5 November 2007.
The need to comply with the Payment Card Industry Data Security Standard (PCI DSS) has been a rude wake up call for thousands of companies who believed their networks are secure and safe from security breaches.

This standard is a set of network security requirements agreed upon by five of the major credit card companies in an attempt to stem the growth of credit card fraud around the world and to give a common interpretation of what security is all about. Since PCI DSS was launched, it has helped to expose serious security shortcomings, companies’ failure to follow security best practice and a general lack of awareness of the security threats facing organizations today.

The statistics reveal a worrying increase in the level of identity theft and credit card fraud. According to a Federal Trade Commission report in January 2007, 25% of reported identity theft in 2006 was credit card fraud. Considering that more than $49 billion was lost by financial institutions and businesses in that year due to identity theft, and $5 billion lost by individuals, credit card fraud is digging deep into everyone’s pockets. E-commerce fraud is also on the rise, reaching $3 billion in 2006, an increase of 7% over 2005.

A growing sense of urgency to meet these requirements was spurred by TJX Companies Inc.’s loss of 45.7 million records containing customer personal account information as well as 455,000 merchant details over an 18-month period. Although the TJX breach is considered to be the biggest in US history it is not the only one. According to the Privacy Rights Clearinghouse, between 1 January 2005 and August 2007, more than 159 million records containing sensitive personal information have been involved in security breaches. The actual figure is probably higher because many cases are either under-detected or they are not reported at all.

Large retailers like TJX are not the only organizations being targeted. Public attention may be focused on high-profile data losses, but experts studying financial fraud say hackers are increasingly targeting small, commercial websites as well! In some cases, criminals were able to gain real-time access to the websites' transaction information, allowing them to steal valid credit card numbers and use them for fraudulent purchases. Although small businesses offer fewer total victims, they often present a softer target; either due to flaws in the ecommerce infrastructure being used, or due to over-reliance on outsourced website security or simply due to the false belief that their existing security set-up is adequate.

Knee-jerk reaction?

The PCI DSS is not the result of a knee-jerk reaction to an increase in security breaches but it is a studied approach to data security taken by each of the card companies. Before 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International had a proprietary set of information security requirements which were often burdensome and repetitive for participants in multiple brand networks. Seeing the need for greater cohesion and standardization, these associations created a uniform set of information security requirements that became known as the PCI Data Security Standard (PCI DSS), governing all the payment channels: retail, mail orders, telephone orders and e-commerce.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th