Protecting Payment Card Data Wp091010

Protecting Payment Card Data
Considerations for Achieving and Maintaining On-Going PCI DSS Compliance

Executive Overview

Businesses managing payment card data face tremendous security challenges. The cost of a security breach can be devastating in terms of lost revenue, legal costs and damaged reputation. In fact, the payment card brands may even stop a business from processing credit card and debit card payments from customers. The Payment Card Industry Data Security Standard (PCI DSS) provides a blueprint for building and maintaining a secure data network; however, implementing the policies, people, processes and technologies to achieve and maintain PCI compliance can be overwhelming. This paper provides some background about PCI DSS and its effectiveness, and explains how enlisting experts to help execute your strategy can be the best way to achieve and maintain on-going compliance.

“Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”
David Mahon, Vice President of Information Security, Qwest

Myriad Challenges Can Impede Compliance Plans

Developed by the founding payment brands of the PCI Security Standards Council, the PCI Data Security Standard strives to ensure payment account data security with a comprehensive set of requirements for IT and network departments to follow. If you are a merchant or service provider and accept payment credit cards, you must validate PCI compliance at least annually. According to Fred Kost, Director of Security Solutions Marketing at Cisco Systems, the PCI standard has been successful because of its unified approach. “It’s a global standard that applies to a lot of industries and covers diverse requirements of various companies, from the very large to the very small,” he said.

But a myriad of challenges thwart the best efforts of many companies attempting to achieve PCI compliance. One reason is that deploying policies and controls across an organization takes time, during which threats and methods within the hacker community change. “The hacking community gets smarter all the time, and we’re seeing the evolution of the PCI standard to address new threats,” said Cisco’s Kost. Furthermore, merchants eager to stay competitive by deploying new technologies may not take enough time to ensure that adequate security policies and procedures are always enforced, resulting in vulnerabilities. As a result, merchants struggle with how to not only pass the PCI audit but maintain on-going compliance without over-taxing budgets and corporate resources.

More changes ensue as PCI DSS is periodically revised to fit new purchasing scenarios—ecommerce transactions, or transactions that occur when the customer hands his credit card to a retail clerk at the counter, are only part of the data security dilemma. Advances in mobile devices and other technologies have given rise to new payment options. Pen-entry and other new interactive devices, pay-at-pump systems and card swipe capture devices used in smaller stores and kiosks all present a risk. “As IT professionals, we need to think more broadly about how customer data is accessed, touched, changed and moved,” said Kost.

Ensuring your compliance strategy is up to date with new requirements means you must revisit your strategy often and make the necessary changes. “You have to have the processes and policies in place and be willing to modify them based on changing requirements,” said Kost.

Copyright © 2009 Qwest. All Rights Reserved. Not to be distributed or reproduced by anyone other than Qwest entities. All marks are the property of the respective company. April 2009
Flexibility Within the PCI Standard Allows for Customization

PCI is broad—it offers a single set of guidelines to be applied to all sorts of retailers—both large and small—because it must cover the issues faced by an incredibly diverse group of companies. For example, a large global retailer with a complex data center will have different requirements than the small doctor’s office with a server under the receptionist’s desk. “The credit card is a ubiquitous form of payment, cutting across all different forms of transaction types and organizations—from the local grocery store to global ecommerce retailer,” said Kost.

Although PCI provides a blueprint for best practices, the standard provides the flexibility for each IT department to best execute those practices to suit their particular business needs. For example, requirements 7–9 address the process of restricting user access to data; however, the parameters for those restrictions are not specified, and the methods for enforcing those restrictions are up to IT staff.

Outsourcing the task of PCI compliance to a trusted partner can help organizations adapt to changes that impede compliance and capitalize on the flexibility within PCI to implement best practices in a way that maximizes the operational and security benefits. “Partnering with the right kind of organization can make a big difference in making your compliance process more efficient and improving security now and into the future.”

What Is PCI DSS?

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to help organizations proactively protect customer account data.

Source: PCI Security Standards Council

Figure 1. The PCI Security Standards Council’s 12 requirements target key potential weaknesses in complex data networks

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

It Takes People, Processes, Policies and Tools

To overcome these challenges and achieve PCI compliance now and on an ongoing basis, you must have the people, processes, policies and tools in place to address the requirements that pertain to your business. This is a big commitment. Building and maintaining the right teams and processes can be much more difficult than implementing the technology. In many businesses, IT security skills are scarce. Companies face budgetary and retention issues, and may lack resources for training personnel on compliance procedures.

Partnering with a PCI certified provider is often the best way to accomplish PCI compliance goals. “PCI-certified providers are service providers that have done the hard work of going through the PCI audit process for products and services,” said Kost. “Cisco, for example, provides reference architectures for PCI compliance that put together the various pieces of a compliance solution, so you don’t have to worry about it.” Other providers, such as Qwest, provide the services that complement the architecture, allowing IT departments to hand off those tasks that cannot be performed efficiently in-house. Many providers will offer testing in simulated retail environments, with POS terminals, wireless devices and Internet connections. They may also provide configuration monitoring and authentication management services.
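Requirement 3 (protect stored cardholder data) and Requirement 10 (track and monitor access) in Figure 1 meet in a mundane place: application and POS logs that accidentally capture a full primary account number (PAN), which turns an ordinary log archive into stored cardholder data. The following is an added example, not code from the Qwest paper or from the PCI Security Standards Council. It scans constructed log lines for 13–19 digit sequences that pass the Luhn check and rewrites them in the display-masked form PCI DSS permits (first six and last four digits at most). The hostnames, field names and timestamps are constructed; the card numbers are Luhn-valid values widely used as test numbers, not real accounts.

```python
import re
from typing import List

# Luhn checksum (ISO/IEC 7812): the standard validity check for card numbers.
# Used here only to separate likely PANs from other long digit runs in logs.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN in display-masked form: first six and last four digits
    visible, everything in between replaced by '*' (PCI DSS masking rule)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN-length digit string")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 20-digit id never yields a partial hit).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (separators stripped) found in text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scrub_log(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN replaced by its masked form.
    Non-Luhn digit runs (order ids, timestamps) are left untouched."""
    def repl(m: "re.Match") -> str:
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return _PAN_RE.sub(repl, text)


# Constructed sample log lines (hostnames, fields and values are made up).
LOG_LINES = [
    "2009-04-01 10:15:02 pos-07 auth ok card=4111111111111111 amount=42.10",   # full PAN leaked
    "2009-04-01 10:15:09 pos-07 auth ok card=411111******1111 amount=42.10",   # already masked
    "2009-04-01 10:16:44 web-03 order=1234567890123456 status=shipped",        # 16 digits, fails Luhn
    "2009-04-01 10:17:01 pos-02 auth ok card=5105 1051 0510 5100 amount=9.99", # PAN with separators
]


if __name__ == "__main__":
    text = "\n".join(LOG_LINES)
    hits = find_unmasked_pans(text)
    print("unmasked PANs found:", len(hits))
    for pan in hits:
        print("  ", mask_pan(pan))
    print(scrub_log(text))
```

The Luhn filter removes most false positives from order numbers and timestamps, but a long numeric id can still pass by chance, so treat hits as leads for review rather than proof. Masking after the fact is a containment step; the control that actually satisfies Requirement 3 is not writing the full PAN to logs or other unintended stores in the first place.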
PCI audit and remediation partners offer audit review, to ensure you have the pieces in place to pass your compliance audit.

But compliance doesn’t end with the audit. PCI assessments are point-in-time audits; many companies struggle to enforce the processes and policies to maintain compliance on an on-going basis. As a result, breaches can still occur, even after a company passes its audit. And the effects of a breach are devastating. Forrester Research estimates that the cost of a security breach to the company who suffers it may amount to anywhere between $90 and $305 a record—one significant breach could cost an organization millions of dollars.[1]

“What you have to keep in mind is that you’re not implementing security controls on a one-time basis,” said David Mahon, Vice President of Information Security at Qwest, which offers PCI certified products and services to help companies achieve PCI compliance. “You have to have processes in place to maintain a secure system after the audit, as well.”

Enlist the Experts to Maintain Compliance

Becoming PCI compliant is a huge challenge and it is not a static one. Companies must be able to maintain compliance by integrating the necessary policies and procedures into their daily business operations. This can be challenging and time consuming. Enlisting a PCI certified partner can help you build and sustain an effective long-term compliance strategy, and maximize internal resources and expenses. Hosted services and reference architectures can ease the burden and simplify your ongoing PCI compliance program.

[1] Top Unified Communications Predictions For 2008, by Henry Dewing with Ellen Daley and April Lawson, February 20, 2008.
Your best bet? Look to partners with compliance experts that can help you organize the technologies, policies and processes to satisfy the PCI requirements that pertain to your business and protect against new threats by keeping pace with changing requirements. And remember, it is an ongoing process. According to Mahon, “Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”

Connect. Simplify. Enhance.® with Qwest Business Solutions®

Qwest is focused on helping you work smarter, with services that leverage the latest technology and award-winning support. Here are a few solutions that can address the issues covered in this solutions brief:

Hosted IVR. A highly customizable, network hosted interactive voice response (IVR) solution that enables full-featured caller self service, caller prompting functionality, call recording and detailed caller data and call flow reporting. Hosted IVR can be used stand-alone or integrated with existing contact management equipment.

Q Routing®. A network-hosted intelligent, inbound and outbound, multi-media contact routing solution that enables virtual agent pools, call recording, skills-based routing for voice, email and web chat. The application includes powerful agent, admin and supervisor desktop tools and cradle to grave reporting. Q Routing can be used stand alone or integrated with existing contact management equipment.

Managed Backup and Storage. Qwest’s fully-managed, flexible portfolio of state-of-the-art storage and backup products and services includes a managed dedicated storage solution, utility solution on a pay-for-what-you-use (utility) basis, point-in-time copy service, and a variety of backup solutions.

Managed Firewall-VPN. Managed Firewall-VPN Service is a management platform that integrates third party firewall products with Qwest monitoring, management, and administration capabilities.

CyberCenter Colocation. Qwest provides a full range of CyberCenter colocation services to meet any business need. Each CyberCenter facility is connected to Qwest’s OC192 backbone, offering customers a fully redundant solution to ensure that critical data needs are met.

Why Qwest

Qwest delivers reliable, scalable data and voice networking solutions, across one of the largest U.S. fiber footprints. Qwest serves businesses of all sizes, ranging from small business to 95 percent of Fortune 500 companies, with industry-leading SLAs and world-class customer service.

Learn More

For more information about Qwest voice and data services for large businesses, visit or call (877) 816-8553 to speak to a Qwest representative.