Protecting Payment Card Data Wp091010
Protecting Payment Card Data
Considerations for Achieving and Maintaining On-Going PCI DSS Compliance
Executive Overview
Businesses managing payment card data face tremendous security challenges. The cost of a security breach
can be devastating in terms of lost revenue, legal costs and damaged reputation. In fact, the payment card
brands may even stop a business from processing credit card and debit card payments from customers. The
Payment Card Industry Data Security Standard (PCI DSS) provides a blueprint for building and maintaining
a secure data network; however, implementing the policies, people, processes and technologies to achieve and maintain
PCI compliance can be overwhelming. This paper provides some background about PCI DSS and its effectiveness, and
explains how enlisting experts to help execute your strategy can be the best way to achieve and maintain on-going compliance.

“Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we
do, we get better at it.”
David Mahon, Vice President of Information Security, Qwest

Myriad Challenges Can Impede Compliance Plans
Developed by founding payment brands of the PCI Security Standards Council,
the PCI Data Security Standard strives to ensure payment account data security
with a comprehensive set of requirements for IT and network departments to follow. If you are a merchant or service
provider that accepts payment cards, you must validate PCI compliance at least annually. According to Fred Kost,
Director of Security Solutions Marketing at Cisco Systems, the PCI standard has been successful because of its unified
approach. “It’s a global standard that applies to a lot of industries and covers diverse requirements of various companies,
from the very large to the very small,” he said.
But a myriad of challenges thwart the best efforts of many companies attempting to achieve PCI compliance. One reason
is that deploying policies and controls across an organization takes time, during which threats and methods within the
hacker community change. “The hacking community gets smarter all the time, and we’re seeing the evolution of the PCI
standard to address new threats,” said Cisco’s Kost. Furthermore, merchants eager to stay competitive by deploying new
technologies may not take enough time to ensure that adequate security policies and procedures are always enforced,
resulting in vulnerabilities. As a result, merchants struggle with how to not only pass the PCI audit but maintain on-going
compliance without over-taxing budgets and corporate resources.
More changes ensue as PCI DSS is periodically revised to fit new purchasing scenarios: ecommerce transactions and
transactions that occur when the customer hands his credit card to a retail clerk at the counter are only part of the data
security dilemma. Advances in mobile devices and other technologies have given rise to new payment options. Pen-entry
and other new interactive devices, pay-at-pump systems and card swipe capture devices used in smaller stores and kiosks
all present a risk. “As IT professionals, we need to think more broadly about how customer data is accessed, touched,
changed and moved,” said Kost.
Ensuring your compliance strategy is up to date with new requirements means you must revisit your strategy often and
make the necessary changes. “You have to have the processes and policies in place and be willing to modify them based on
changing requirements,” said Kost.
Copyright © 2009 Qwest. All Rights Reserved. Not to be distributed or reproduced by anyone other than Qwest entities. 1
All marks are the property of the respective company. April 2009
Flexibility Within the PCI Standard Allows for Customization
PCI is broad—it offers a single set of guidelines to be applied to all sorts of retailers—both large and small—because it must
cover the issues faced by an incredibly diverse group of companies. For example, a large global retailer with a complex data
center will have different requirements than the small doctor’s office with a server under the receptionist’s desk. “The credit
card is a ubiquitous form of payment, cutting across all different forms of transaction types and organizations—from the local
grocery store to global ecommerce retailer,” said Kost.
Although PCI provides a blueprint for best practices, the standard provides the flexibility for each IT department to best
execute those practices to suit their particular business needs. For example, requirements 7–9 address the process of
restricting user access to data; however, the parameters for those restrictions are not specified, and the methods for
enforcing those restrictions are up to IT staff.
Outsourcing the task of PCI compliance to a trusted partner can help organizations adapt to changes that impede
compliance and capitalize on the flexibility within PCI to implement best practices in a way that maximizes the operational
and security benefits. “Partnering with the right kind of organization can make a big difference in making your compliance
process more efficient and improving security now and into the future.”
What Is PCI DSS?
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by
the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial
Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of
consistent data security measures on a global basis. It is a multifaceted security standard that includes requirements
for security management, policies, procedures, network architecture, software design and other critical protective
measures intended to help organizations proactively protect customer account data.
Source: PCI Security Standards Council
Figure 1. The PCI Security Standards Council’s 12 requirements target key potential weaknesses in complex
data networks

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security
It Takes People, Processes, Policies and Tools
To overcome these challenges and achieve PCI compliance now and on an ongoing basis, you must have the people,
processes, policies and tools in place to address the requirements that pertain to your business. This is a big commitment.
Building and maintaining the right teams and processes can be much more difficult than implementing the technology. In
many businesses, IT security skills are scarce. Companies face budgetary and retention issues, and may lack resources for
training personnel on compliance procedures.
Partnering with a PCI-certified provider is often the best way to accomplish PCI compliance goals. “PCI-certified providers
are service providers that have done the hard work of going through the PCI audit process for products and services,”
said Kost. “Cisco, for example, provides reference architectures for PCI compliance that put together the various pieces
of a compliance solution, so you don’t have to worry about it.” Other providers, such as Qwest, provide the services that
complement the architecture, allowing IT departments to hand off those tasks that cannot be performed efficiently in-house.
Many providers will offer testing in simulated retail environments, with POS terminals, wireless devices and Internet
connections. They may also provide configuration monitoring and authentication management services. PCI audit and
remediation partners offer audit review, to ensure you have the pieces in place to pass your compliance audit.
But compliance doesn’t end with the audit. PCI assessments are point-in-time audits; many companies struggle to enforce
the processes and policies to maintain compliance on an on-going basis. As a result, breaches can still occur, even after
a company passes its audit. And the effects of a breach are devastating. Forrester Research estimates that the cost of a
security breach to the company that suffers it may amount to anywhere between $90 and $305 a record—one significant
breach could cost an organization millions of dollars.1
“What you have to keep in mind is that you’re not implementing security controls on a one-time basis,” said David Mahon,
Vice President of Information Security at Qwest, who offers PCI certified products and services to help companies achieve
PCI compliance. “You have to have processes in place to maintain a secure system after the audit, as well.”
Enlist the Experts to Maintain Compliance
Becoming PCI compliant is a huge challenge and it is not a static one. Companies must be able to maintain compliance
by integrating the necessary policies and procedures into their daily business operations. This can be challenging and time
consuming. Enlisting a PCI certified partner can help you build and sustain an effective long-term compliance strategy, and
maximize internal resources and expenses. Hosted services and reference architectures can ease the burden and simplify
your ongoing PCI compliance program.
1 Top Unified Communications Predictions For 2008, by Henry Dewing with Ellen Daley and April Lawson, February 20, 2008.
Your best bet? Look to partners with compliance experts that can help you organize the technologies, policies and
processes to satisfy the PCI requirements that pertain to your business and protect against new threats by keeping pace
with changing requirements. And remember, it is an ongoing process. According to Mahon, “Compliance and security don’t
stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”
Connect. Simplify. Enhance.®
with Qwest Business Solutions®
Qwest is focused on helping you work smarter, with services that leverage the latest technology and award-winning support.
Here are a few solutions that can address the issues covered in this solutions brief:
Hosted IVR. A highly customizable, network hosted interactive voice response (IVR) solution that enables full-featured caller
self service, caller prompting functionality, call recording and detailed caller data and call flow reporting. Hosted IVR can be
used stand-alone or integrated with existing contact management equipment.
Q Routing®. A network-hosted intelligent, inbound and outbound, multi-media contact routing solution that enables virtual
agent pools, call recording, skills-based routing for voice, email and web chat. The application includes powerful agent, admin
and supervisor desktop tools and cradle to grave reporting. Q Routing can be used stand alone or integrated with existing
contact management equipment.
Managed backup and storage. Qwest’s fully-managed, flexible portfolio of state-of-the-art storage and backup products
and services includes a managed dedicated storage solution, utility solution on a pay-for-what-you-use (utility) basis, point-in-
time copy service, and a variety of backup solutions.
Managed Firewall-VPN. Managed Firewall-VPN Service is a management platform that integrates third party firewall
products with Qwest monitoring, management, and administration capabilities.
CyberCenter Colocation. Qwest provides a full range of CyberCenter colocation services to meet any business need.
Each CyberCenter facility is connected to Qwest’s OC192 backbone, offering customers a fully redundant solution to ensure
that critical data needs are met.
Why Qwest
Qwest delivers reliable, scalable data and voice networking solutions, across one of the largest U.S. fiber footprints.
Qwest serves businesses of all sizes, ranging from small business to 95 percent of Fortune 500 companies, with industry-
leading SLAs and world-class customer service.
Learn More
For more information about Qwest voice and data services for large businesses, visit www.qwest.com/business or call
(877) 816-8553 to speak to a Qwest representative.