
PCI: How to break the piggy bank!

For any company, merchants included, that has not been meeting the PCI Data Security Standard, I have some bad news: you are about to spend at least twice what you should have spent on security and privacy in the first place.

If you purchased bargain-basement, discounted Point-of-Sale systems, you are in for a surprise courtesy of Visa’s Application Security requirements. PCI has adopted these standards and will begin enforcing them in 2008 and 2009. The Application Security requirements will apply to merchants at all levels, not just the top tier.

If you lucked out in the PCI compliance lottery by outsourcing everything to do with credit card data, expect that outsourcing to get expensive: the outsourcer has to comply too, and it will pass those costs on to its customers.

If you seriously need to get up to speed quickly, I would advise following the steps outlined in a recent SearchSecurity article. I have numbered the steps as Mike Rothman presented them in the article:

  1. First, pick off the low-hanging fruit such as Requirement 1, which is to have a firewall to protect cardholder data, and Requirement 5, which mandates the use and updating of antivirus software.
  2. Then address Requirement 2, which is to change default passwords and other security parameters.
  3. Also take a look at Requirement 4, which requires encryption to protect cardholder data that is sent over open networks. Simply using SSL allows an organization to check the box on that requirement.
  4. After picking off the simplest stuff, address the requirements that can be difficult or nebulous, like Requirement 3 to protect stored cardholder data, or Requirement 6 to develop and maintain secure systems and applications.

The last thing you want to do is attempt PCI compliance blindfolded. You and your team need to understand the requirements before you attempt to comply, and before you bring in any outside consultant to document data flows or perform site assessments, because it is easy to go broke, or break the company, complying with PCI.

Regulatory Flaws

I learned many things working for a former DOJ attorney, but the thing that stands out the most is his savvy when it came to predicting what organizations would do in a given situation. Legal regulations and contracts produce the same effect in businesses: do the minimum to get by, a.k.a. comply.

Doing only what you have to will catch up with you in one form or another. This minimalist philosophy is infectious. Take for example the rampant security breaches of the 21st century. Hackers unite!

Companies of all sizes grow and extend their business in order to satisfy their customers. If the company is publicly traded, then it also seeks to please its stockholders. If security were a priority, companies would solve the data breach problem voluntarily. There are any number of reasons for security being what it is today.

We do not need regulations in order to promote and achieve security within organizations; rather, courage and leadership are needed. Security is not a profit center, it is risk avoidance, just like insurance. No one buys insurance (except maybe Allstate’s insurance) expecting to make money. Insurance protects you against loss [whatever form that loss may take], but the insurance is only as good as the language in the policy. Security is no different; however, a company can reduce the cost and improve the effectiveness of security by including it throughout the organization and by building it into products and services instead of adding it on after a data breach has occurred. Unfortunately, too often security is implemented as damage control following an incident, because little financial justification can be made in advance of one.

Regardless, politicians’ calls for “stronger” regulation are predictable because “stronger” regulation is “better”—in a press conference. In the real world, however, regulation is no more capable of divining threats to data security than, say, a common law liability regime, or even businesses’ natural interest in maintaining their operations, integrity, image, brand, and assets. [CATO]

Businesses will stay ahead of both the law and law breakers if strategy, business processes, and the big picture replace procedural band-aids, reactionary planning, and cost as their chief motivators. [ITCI]

If all that fails, you can still buy insurance!