PCI DSS Compliance: A Difficult But Necessary Journey
by Andre Muscat - GFI Director of Engineering - Monday, 5 November 2007.
Deadlines looming

For more than two years, credit card companies have been encouraging retailers to comply with the strict set of 12 requirements that are aimed at securing cardholder data that is processed or stored by them. Unfortunately, with two deadlines looming – 30 September and 31 December 2007 for Level 1 and Level 2 US merchants – it seems that many companies will not be ready in time. Even with a last-minute push, it is highly improbable that retailers – large or small – have the time or the resources to become compliant in such a short time frame. Most companies, especially in the SMB market, want to become compliant, but they are still struggling to introduce basic security practices, let alone implement all the systems needed to become compliant. The most recent compliance statistics from Visa for the month of July indicate an improvement, but they are far off the targets that Visa and the other card companies hoped for.

According to figures for July, 40% of Level 1 retailers were compliant, up from the 35% compliance rate in May 2007. With the somewhat smaller Level 2 retailers, the July figures showed a 33% compliance rate – up from 26% in May – and the smaller Level 3 retailers showed 52% compliance, just slightly up from the 51% that Visa reported for that group in the same month. Visa did not release figures for Level 4 retailers; however it said compliance remained low.

Such a low compliance rate – after more than two years of preaching by the credit card companies – is possibly due to three reasons. First, some companies have taken a very laid-back approach to the issue, realizing only recently that the credit card companies mean business. Now they are rushing to comply by the deadline, suddenly aware that they have a massive task ahead of them. Second, many small and medium-sized companies do not have the resources or the finances to invest in more personnel or a technology solution to meet the PCI requirements. Third, some retailers have complained that the standard does not distinguish between retailers on the basis of their size.

According to the Retail Industry Leaders Association (RILA): "Some PCI requirements are vague. Some are unattainable. Retail companies […] cited numerous examples of low-result PCI requirements, one-size-fits-all rules that don't work for various kinds of retail formats." RILA has argued that although there is universal support for the goals and objectives of PCI and its efforts at making payment systems more secure, the standard's "one size fits all" framework is imposing unrealistic hardships on smaller retailers and it does not "appreciate the practical staffing flexibility that retailers need".

While some of the PCI requirements may be open to interpretation, it is also true that the PCI DSS standard is one of the most robust and clear when compared to other compliance regulations such as Sarbanes-Oxley. PCI is not only the least ambiguous of the lot but it is also the only standard that has gained universal approval.

What is the PCI standard?

The PCI standard is not rocket science, nor does it introduce any new, alien concepts that systems administrators should adopt; on the contrary, it is an enforcement of practices that should already be in force on all corporate networks. Although PCI DSS was developed with the protection of cardholder data in mind, more than 98% of the requirements apply to any company that needs to secure its network and its data.

In essence, PCI DSS comprises 12 distinct requirements that are designed to 1) Build and maintain a secure network, 2) Protect (cardholder) data in transit or at rest, 3) Maintain a vulnerability management program, 4) Implement strong access control measures, 5) Regularly monitor and test your IT infrastructure and finally, 6) Maintain an information security policy. The list below shows a breakdown of each category and what companies need to do to become compliant.

The PCI DSS requirements

Often referred to as the ‘digital dozen’, these define the need to:

Build and maintain a secure network

1: Install and maintain a firewall configuration to protect cardholder data

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3: Protect stored cardholder data

4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5: Use and regularly update anti-virus software or programs

6: Develop and maintain secure systems and applications
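Requirement 3 ("Protect stored cardholder data") is the one most often violated by accident, through full card numbers (PANs) ending up in application logs, debug output or support tickets rather than in the payment database itself. The following Python script is an added example, not code from the article or from GFI: it scans constructed sample log lines for unmasked PANs using the Luhn check, and redacts any it finds to the PCI DSS display form of at most the first six and last four digits. The log lines and the test PAN 4111111111111111 are constructed sample data; the function names are this example's own.

```python
import re

# Constructed sample log lines. 4111111111111111 is a well-known test PAN that
# passes the Luhn check; 1234567890123456 is 16 digits but fails it.
SAMPLE_LOG = [
    "2007-11-05 10:01:02 order=1001 pan=4111111111111111 amount=49.99",
    "2007-11-05 10:01:03 order=1002 pan=411111******1111 amount=12.00",
    "2007-11-05 10:01:04 order=1003 ref=1234567890123456 note=shipping",
]

# Any run of 13 to 19 digits not bordered by further digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN to its first six and last four digits (PCI DSS display rule)."""
    if len(pan) < 13:
        raise ValueError("too short to be a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(line):
    """Return every Luhn-valid PAN candidate found unmasked in a log line."""
    return [m.group(1) for m in PAN_CANDIDATE.finditer(line)
            if luhn_valid(m.group(1))]


def redact_line(line):
    """Replace each Luhn-valid PAN in the line with its masked form."""
    def _mask(m):
        candidate = m.group(1)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(lines):
    """Return (line_index, [pans]) for every line containing an unmasked PAN."""
    findings = []
    for i, line in enumerate(lines):
        pans = find_unmasked_pans(line)
        if pans:
            findings.append((i, pans))
    return findings


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG):
        print("line %d leaks %d PAN(s): %s" % (idx, len(pans), redact_line(SAMPLE_LOG[idx])))
```

Run against a real log directory the scanner is a cheap detective control for requirement 3; the already-masked line and the Luhn-invalid reference number are left alone, which keeps false positives down without hiding a genuine leak.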
