Ho, Ho, Ho! PCI DSS Compliance…Just in Time for the Holidays

By Greg Hoffer

Are you enjoying your early holiday gift from the Payment Card Industry Security Standards Council?

Retailers who use point-of-sale (POS) systems as a part of their business are now subject to Payment Card Industry Data Security Standard (PCI DSS) 3.2, an updated set of security processes designed to guard against the kinds of hacks and data breaches that have plagued the retail industry in recent years.

Many well-known retail, hotel and food & beverage brands use MICROS.
Image Source: Krebs on Security

These events include attacks on specific devices, such as the hack on a network of 330,000 cash registers as reported by USA Today, or the networks of specific stores, including the hack that involves the retail chain Eddie Bauer as reported by PC World.

PCI DSS is an information security standard established in 2004 by the leading credit card brands in response to fraud. PCI DSS has since been adopted as a benchmark minimum standard for organizational security programs; it has even been used by some states for determining if commercial companies have made a good faith effort at protecting consumers in the event of a data breach.

For these reasons, PCI compliance is firmly established as a best practice for the retail industry and regular evaluations and compliance audits are common practice. The PCI Security Standards Council regularly evaluates and updates PCI DSS in response to the industry’s understanding of threats. Earlier this year the new standard was announced and PCI DSS 3.2 went into effect on October 31, just in time for the holidays.

The update gave organizations time to understand and incorporate the new practices into existing security plans and, in particular, address the vulnerabilities that have resulted in POS system breaches. The PCI Security Standards Council posted a blog in April addressing key points of the update. Issues such as multi-factor authentication, best practices for service providers and other third-parties involved in payment processing and questions related to technical changes were all addressed. A similar April blog post from the PCI Security Standards Council discussed more questions, including guidance to help organizations plan their approach to compliance as well as the reasons behind the update.

Organizations that have put off complying with the latest PCI DSS 3.2 regulations until the October 31 deadline may feel the timing is inconvenient, as it hits during the busiest retail season of the year. There are bigger challenges facing retailers from November through January, after all. And yet, the goal of PCI DSS is to avert the challenges—and costs—that come with a data breach.

The larger aim of PCI DSS compliance is prevention of a crisis. Data breaches involving consumer personal and financial data are a legal, logistical and brand-damaging mess. Preventing the fallout for consumers and the organization through PCI DSS compliance is an investment, and while a PCI DSS compliance program may seem to be a daunting undertaking, the effort can pay dividends in building brand trust. Failing core PCI DSS compliance requirements means leaving your organization and its patrons vulnerable to fraud and theft.

The process of establishing and maintaining PCI DSS compliance is founded on six primary objectives and twelve principles, as written by the PCI Security Standards Council, which are:

Objective 1: Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Objective 2: Better protect cardholder data

  • Protect stored cardholder data by implementing data retention and disposal policies
  • Encrypt transmissions of cardholder data across open, public networks
Objective 3: Maintain a vulnerability management program

  • Protect all systems against malware and regularly update anti-virus software and programs
  • Develop and maintain secure systems and applications
Objective 4: Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Objective 5: Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and practices
Objective 6: Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel

Thomas Jefferson said that "the price of liberty is eternal vigilance." Vigilance is the price of data security as well, and PCI DSS 3.2, with its emphasis on ongoing attention to security detail, is a small price to pay when compared to the alternative.


About Greg Hoffer

Greg Hoffer is Vice President of Engineering at Globalscape, where he leads the product development teams responsible for the design and engineering of all Globalscape products.