Walking the minefield of PCI DSS compliance May 2010

Transcription

1 White paper Walking the minefield of PCI DSS compliance May 2010 In association with

2 White paper computing 2 A foreword by Neira Jones, Head of Payment Security at Barclaycard In the 1960s-70s, we had zip-zap machines. Two decades later, the first card acceptance terminals became mainstream. Now, not only do we have more sophisticated payment terminals - mobile or otherwise, attended or not we also have EPOS (Electronic Point of Sales) systems, online shops, payments enabled smart phones, and many derivations of all these. As card payments become available through a variety of channels and technologies, the challenges faced by retailers to secure their customer data increase. It is therefore not surprising that between 2000 and 2008 in the UK, Card Not Present (CNP) transactions rose by 400%, and CNP fraud rose by 350%. CNP fraud represents nearly 2 thirds of total UK card fraud. In Europe, Card Present merchants (brick and mortar businesses) are far less likely to be compromised than Card Not Present merchants. This is due to the successful introduction of Chip & PIN, upgrades to payment systems and adoption of standards over the past few years. It is no wonder therefore that card fraud has essentially migrated online. Whilst CNP fraud is still dominant and is projected to continue on this trend, it has for the first time since 2004 decreased in value. This is mainly due to the following factors: Increased use of fraud screening detection tools by retailers and banks Growth in the use of MasterCard SecureCode and Verified by Visa by both online retailers and cardholders Security awareness in the merchant community and drive for Payment Card Industry Data Security Standard (PCI DSS) compliance. Modern day criminals want our data: be it credit, financial, payment card or personal. There is a strong black market in each, and identity thieves are more inventive than ever. The annual cost of identity theft to the UK economy is estimated to be 1.2bn. Every year we share more of ourselves online - a trend that is set to continue as we spend more money on e-commerce sites. Each time we do this, we place our data and our faith in the security measures taken by the businesses that manage these e-commerce sites.

3 White paper computing 3 Exploiting vulnerabilities using techniques such as SQL injection is a method currently in favour with hackers and data thieves. SQL injection attacks exploit vulnerabilities at the web application layer to access sensitive data in back-end databases. These web-based attacks can pass undetected through firewalls and other perimeter defences, including intrusion detection and intrusion prevention systems, then hijack the application server to gain access to underlying database records. This threat is rising, and according to a data breach report published by the Verizon Business RISK team, 75% of all breached records came from compromised database servers, while other IT assets such as laptops and backup tapes accounted for less than 0.05% of compromised data. The PCI DSS has been introduced to help protect everyone against card fraud; to protect businesses and their customers card data. Every business is dependent on their customers trust. If e-commerce security is not high on their agenda, e- commerce retailers may lose more than they think. As a very first step in simplifying their PCI DSS compliance journey, Barclaycard advises retailers to always seek PCI DSS compliant service providers (e.g. payment gateways, processors, managed hosting providers, shopping carts). Executive summary In the online environment trust can be won or lost overnight. Customer data security must lie at the core of all online business. The Payment Card Industry Data Security Standard (PCI DSS) provides a global security standard for companies that accept card payments. Different levels of compliance are required according to the type and size of the company. PCI DSS compliance is not law. However, merchants that do not comply may be subject to fines and forensic audits should a security breach occur. For smaller businesses, this could put an end to trading. A company can achieve PCI DSS compliance if they are using a hosted infrastructure. However, the onus remains on the retailer to have compliant processes, as well as ensuring the hosting partner and its infrastructure has sufficient security levels.

4 White paper computing 4 The fragile bond of trust In the amped-up and accelerated online economy, etailers can grow from concept to global business in a handful of years and in the case of some social networks, that level of increase can be seen in months. Even in the recession, the twin drivers of such explosive growth online have been the availability of credit coupled with the secure exchange of private data. Etailers and customers need a bond of trust facilitated by robust security policies and supporting technology. Before e-commerce, most trusted brands built their reputations over decades of face-to-face dealings with the public, growing brand value through word of mouth, good service and consistent execution. Online, that degree of trust can be won or lost overnight, which means global standards are essential. Customer data security must lie at the core of all online business. However, many enterprises are unaware that responsibility for customer data security is theirs even if the infrastructure partners they use might be compliant with global standards. All personally identifiable data, such as account number, expiration date, name, address, and so on, that is stored, processed, or transmitted must be protected at every stage by the company. Securing such information is a challenge for most organisations: global brands can be undermined by a single security breach, while medium-sized traders may sell globally but have scant resources or in-house expertise to cover payment card security. For the smallest etailer, meanwhile, payment card security compliance can be a barrier to growth. In every case, the financial penalties for non-compliance can be ruinous. Who needs to be PCI DSS compliant? The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 by the Payment Card Industry Security Standards Council ( an alliance of card providers including American Express, Discover, JCB, MasterCard and Visa. The standard which was updated in 2006, and again in 2009 to cover wireless LANs applies to all organisations that hold, process, or pass cardholder information, including public sector bodies. If your company accepts payments via a card showing the AmEx, Discover, JCB, Mastercard or Visa logos, and stores, processes or transmits cardholder data then your business needs to be PCI DSS compliant. The foundations of the standard are simple to state, but the reality of monitoring and enforcing compliance can be more complex. Compliance is itself measured and monitored by Qualified Security Assessors (QSAs). A list of these is available through the Security Council.

5 White paper computing 5 Put simply, compliance requires constant vigilance: an organisation can become non-compliant in an instant, and even the use of big-name web services providers does not guarantee a compliant infrastructure, nor a compliant customer. For example, some web services platforms are not in themselves PCI DSS compliant, while in other cases a single instance of an application might be insecure and give rise to hacks, exploits and data breaches, however secure the transactional systems might themselves be. Basic PCI DSS requirements A more detailed list can be found at: The PCI Security Standards Council website Build and maintain a secure network: In practice, this means installation and maintenance of a robust firewall with security parameters customised to each organisation Protect stored cardholder data on a secure database, with encrypted transmission of that data when using open, public networks Maintain a vulnerability management programme: regularly update anti-virus and -malware software and maintain secure applications Maintain strong access control measures, restricting computer and physical access to cardholders' personal and transactional data, and assign a unique ID to each person with data access Monitor and test networks and security systems for vulnerabilities regularly, tracking and monitoring access to private data Maintain an information security policy. The latter point is significant. The early years of the 21st century have been littered with examples of lax data security at the weakest point of the security chain: vulnerable, fallible human beings. The trust implications of breaches in the public sector, for example, are still being felt today. This is because too many enterprises treat security as a technology problem requiring a technology solution. In fact, security technologies must (and can only) work in service of a watertight policy enforced throughout every tier of the organisation. The private sector is far from immune: in 2009, for example, hackers stole information from over 45 million payment cards used by customers of US retailer TJX, which owns budget fashion outlet TK Maxx in the UK. There have been dozens of other high-profile examples this century, including Network Solutions, which suffered an intrusion and data breach compromising more than 4,300 customer sites and 570,000 people's credit card information. Network Solutions was, and is, PCI compliant.

6 White paper computing 6 So it is clear that PCI DSS compliance is essentially only a blueprint for Web and organisational security, and that it is possible to be both compliant and insecure in terms of the risk from vulnerable exploits in new applications and even operating systems, for example, and from lax enforcement of security policies. Arguably, it is also possible to be secure and non-compliant in some respects. PCI DSS compliance is not law. However, merchants that do not comply may be subject to fines and forensic audits should a security breach occur. For smaller businesses, this could put an end to trading, and for all businesses, damage to a brand's local or global reputation can be equally catastrophic. The payment service provider may even refuse to authorise online payments until the company is compliant, cutting off a vital payment method. The punitive costs of non-compliance help enforce and drive up security standards across all organisations and make secure trading part and parcel of the competitive market online. The members of the Security Council may issue fines of between $5,000 and $100,000 per month for compliance violations fines that the banks will pass down the line to the companies responsible. Levels of compliance Some people have criticised the PCI DSS code for introducing tiers of organisation type and levels of compliance based around these. These are: Merchant Level One: Any merchant processing over six million e-commerce card transactions per annum, or any merchant deemed to be Level One by the Security Council Level Two: Any merchant processing one million to six million e-commerce card transactions per annum Level Three: Any merchant processing 20,000 to one million e-commerce transactions per annum Level Four: Any merchant processing fewer than 20,000 e-commerce card transactions per annum and any merchant that deals with fewer than one million point of sale (i.e. over the counter) sales per annum. Immediate compliance validation is required only for Level One to Three merchants and is optional for Level Four. This is controversial, given that there are far more retailers in this category than any other and 80% of payment card compromises in the past five years have hit Level Four enterprises. Arguably, it also creates a barrier to expansion for the smaller enterprise: growing beyond a certain number of transactions in any financial year has compliance implications, and potential penalties for failure.

7 White paper computing 7 However, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required for all types of enterprise. Using the cloud to ensure compliance For many smaller to medium-sized enterprises, using a hosted or cloud-based infrastructure is an attractive option as it frees up the enterprise, and its hardpressed IT department, to operate more strategically and to scale up to meet spikes in demand without the concomitant spikes in capital expenditure. On the face of it, it may also seem attractive in terms of outsourcing compliance issues and even enforcement to whoever hosts the data centre. A company can achieve PCI DSS compliance if they are using a hosted infrastructure. While a hosting partner may offer compliant technology, an equally key ingredient from your partner is data protection and PCI DSS compliance expertise. However, the onus remains on your company to have compliant processes, as well as ensuring the hosting partner and its infrastructure has sufficient security levels. This is simply good practice in any supplier relationship: you are in the driving seat of the deal, trusting your provider to do what it is best at so you can concentrate on running your core business. Walking the minefield In a recent survey conducted by Barclaycard, two accredited QSAs said that as long as the merchant meets the criteria for the requirements then they can achieve compliance but both agreed that more guidelines were needed on this, and also accepted that people can gain compliance on a technicality. Another QSA said that whether or not a merchant achieves compliance depends on what level of compliance they are looking for, their main business function, and their plans if anything was to happen with the data on the hosted infrastructure. This suggests that the organisations tasked with monitoring compliance are not in full agreement on how compliance might best be achieved in a hosted environment. One thing is certain, however: etailers should make no assumptions about compliance when using hosted processing, data storage or web services. For example, Amazon's EC2/S3 web services technologies are at the core of many successful online retail operations, and a cloud supplier ecosystem has flourished around adding value to Amazon's offering for any company wanting to build an online presence. However, in 2009 an Amazon representative admitted on an AWS online forum that its EC2/S3 system was not inherently PCI Level 1 compliant (it is Level 2 compliant). Amazon advised users not to use its platform in isolation to store sensitive payment card data.

8 White paper computing 8 It should be explained that PCI compliance is no guarantee of safety and security, and neither does the lack of technical compliance automatically imply that a site is insecure. Amazon went on to explain that: Merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service... where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management. In other words, you can rely on suppliers such as Amazon to provide the underlying technologies, but do not expect them to carry the can if your company is not PCI DSS compliant. It remains your responsibility. So if a merchant is using a data centre to provide their managed infrastructure to host customer card data, is it possible for the merchant to gain PCI compliance if their data centre provider has not already obtained compliance? In Barclaycard's survey, 50% of the QSAs surveyed said that they could not give a definite answer to whether the merchant would gain compliance if the data centre provider had not itself done so. It is a cloudy area which needs clarification, said one. A colleague has been dealing with an issue similar to this and it hasn t been easy to look into or get any guidance. The provider, I would presume, would need some level of compliance but to what degree I couldn t tell you. Technically, in the past, they could be compliant even if their data centre was not. But now it is probably best to ensure that the centre has the right levels needed otherwise they are liable if anything happens to the data. If it then turns out that the data was not safe in the first place then it risks causing disruption to the businesses and they could lose their [PCI DSS compliant] status. So PCI DSS compliance remains a controversial area where even the bodies charged with monitoring compliance are not in full agreement about the specifics of how best to implement and maintain it. The best approach is for merchants and etailers, whose responsibility compliance remains, to honour both the letter and spirit of PCI DSS and also see it as an opportunity to establish a world-class security position in the market rather than merely tick the boxes and provide a basic standard of security for customer data. After all, in the 21st century, secure customer data and loyalty are your business. Lose or compromise either, and your business will not survive.

9 White paper computing 9 About Barclaycard Barclaycard: innovation and responsibility Barclaycard is innovative - First to introduce credit cards in 1966 & contactless technology in Trusted brand with 10.4 million customers, and one in five credit cards in the UK in our portfolio. We continually invest in technology in order to remain ahead of our competitors and enhance our service to customers. We are a responsible lender, adapting and improving our products and services to help our customers. We help retailers acquire payments and help them meet their business objectives with easy to set up and cost-effective acquiring package. Leading the way in payment security: - PCI Security Standards Council Board of Advisors member - PCI SSC Participating Organisation - Dedicated Payment Security Team - Online resources - Publications We are a responsible business by treating our people, our local communities and the environment well. References Barclaycard payment security and PCI DSS Information Barclaycard white paper "processing online payments securely" Barclaycard s PCI DSS compliant payment gateway Payment Card Industry Security Standards Council Visa downloads and resources (where vulnerability guidance can also be found)

10 White paper computing 10 About the sponsor Star provides on-demand computing and communication services to UK businesses. Utilising an advanced cloud computing platform, the company has redefined how business people use and pay for the technology that supports them. Star s On-Demand Business Services TM are easy to use and pay for and are available any time and from anywhere, removing unnecessary costs for hardware, software and ongoing maintenance. Since 1995, when Star was founded, the company has been an internet technology innovator and pioneered the system for cloud-based spam and virus scanning for business that became MessageLabs. In the last 14 years Star has established itself as a leading IT and communications service provider of the highest pedigree looking after 3,500 UK business customers and their 500,000 users. Star has UK-based datacentres that sit within a network and communications capability that forms the basis of the Star Platform, from which a wide range of computing and communication services are delivered to customers. Star has more than 230 employees working from offices throughout the UK, providing the highest levels of customer service and support. Star s technology roadmap will deliver on-demand, cloud computing services to UK businesses who want immediate access to the latest enterprise technologies. For more information please go to Contact Star Telephone: Visit: info@star.net.uk