For many companies that process credit card data, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are all too familiar. But should companies that do not process credit cards implement the same data security restrictions?
Today there is a veritable alphabet soup of data security standards to which companies can adhere, but because of its prescriptive nature, PCI DSS seems to be catching on as a viable option for companies that do not take credit cards, experts agree. For example, rather than simply stating that a firewall for web applications needs to be in place, PCI DSS describes in detail exactly what is required and how to configure it.PCI DSS is primarily a contractual agreement between the major credit card companies and enterprises that accept and process credit cards. The standard, defined by the Payment Card Industry Security Standards Council, was put in place as a means of ensuring that personally identifiable information (PII) is protected.
However, some experts argue that PCI should be adopted as a best practice by those not required to comply with the standard. “PCI DSS requires you to continue to monitor [your network],” says Deven Bhatt, CISO of Wright Express, a provider of payment processing and information management services. “It's not a project with a start and end date.”
Unlike other standards mandating technology usage – such as ISO 27001, which often uses vague language, such as “appropriate” – PCI DSS is far more specific and not open to “user interpretation,” Bhatt says. Even small or midsise companies that do not process credit cards should consider implementing PCI DSS, he says, because “even small companies have PII.”
Ensuring compliance with the standard can be done in two ways.
A qualified security assessor (QSA), who has been certified by the PCI Council as being qualified to assess compliance to PCI DSS, can inspect a company and either certify or deny it. For smaller companies, self-certification is an option. For this, a checklist is used to ensure that all of the key components of the standard have been implemented.
However, data security consultant and a former CISO, Frank Kenisky cautions that a self-analysis is sometimes inadequate. Checklist-based analysis of security is not appropriate for an ongoing process, such as protecting corporate data, he says. A checklist might provide basic information, but it does not take into consideration wider-ranging issues about protecting data, including ensuring that the auditing of the security system is done separately from the team that is responsible for the data security itself. “The checklist mentality treats a business like a board game,” he says.
But, steps must be taken to ensure data is protected. Jeff Hall, a director at consultancy RSM McGladrey, says companies should consider PCI DSS as a viable data security foundation, regardless of the kind of data they are protecting. Instead of thinking of cardholder data, just substitute PII or other company-confidential information, he says, adding that virtually every company has some type of confidential assets, be it human resources, financial, trade secrets or a myriad of other data sets, such as Social Security or driver's license numbers.
Much of today's data is attainable on the web, he says. “We make everything so searchable, [even] cretins can search for anything.”
Among the information often searched for by ill-intentioned people is personal and company confidential data, he says. “Competitive information and intellectual property (IP) are as important as PII.” In some companies, he says, IP is siphoned off the server by thieves as soon as it gets there.
Companies of all sizes need to make better decisions about who has access to data, Hall says. If companies make information too accessible or keep PII on servers when it should be archived or destroyed, then they are taking a much greater risk than necessary. Just because a company can do something – like keep data accessible on networked servers – it doesn't mean it should, Hall says.
But, when it comes to implementing precautions, such as those outlined in PCI DSS, many companies balk because they fear the added costs. “It costs a fortune to get the [appropriate] infrastructure in place,” he says.
Open to breach
In addition to aging hardware, some companies are still using older data security practices that can be breached easily. Even the cloud infrastructure of Amazon S3 – the online shopping giant's storage web service – had a backdoor that was breached, Hall says. It was fixed soon after.
Experts agree that implementing a proper risk management plan can help organisations better understand IT security priorities. But, at the same time, tighter budgets are forcing CISOs to squeeze more efficiencies out of a company's security infrastructure. By basing IT security plans on standards like those from the PCI Council, CISOs can go a long way in building a stable foundation for a strong security posture that also accounts for still lingering, industry-wide belt-tightening, say experts.
Hall is a big supporter of standards in general and PCI in particular. “The PCI standards were not developed in a vacuum,” he says in a post on his blog PCI Guru. “They are a consolidation of a lot of other security standards and guidance gained through root cause analysis of security incidents gathered over the years with the express purpose of protecting cardholder data.”
Shawn Chaput, chief architect and executive consultant at Privity Systems, agrees that PCI DSS can help companies protect noncredit card data. Companies that are involved in or considering mergers and acquisitions, as well as those with intellectual property or confidential sales leads and human resource data, should consider protecting their information with more than just minimal data security techniques, he says.
But for some, implementing the PCI standard will provide only a minimal data security framework. Some companies should consider more stringent security measures if their risk assessment indicates greater security is required, experts say.
For companies not required to implement PCI DSS, its encryption portion might be one area where savings can be realised, Chaput says. Although, he admits, encryption can be expensive, so many companies, especially smaller ones, might pass on it.
However, there are other advantages to compliance. Companies that provide services to enterprises that fall under the PCI DSS requirements might well choose this route for a marketing benefit, says Chaput. He knows of a Canadian company that does processing for a large bank, but does not handle any credit card data, has implemented the PCI standard for its own company. Although it is not required to do so, the company now markets itself as a PCI-compliant data processor for banks, hoping that its adherence to the standard will build its business by attracting companies that must follow compliance mandates.
Next page - Get in Step