RealTime IT News

Merchants Cope With PCI Compliance

PCI compliance

These days, you can't look far without seeing a vendor offering solutions that comply with Payment Card Industry Data Security Standard (PCI-DSS) 6.6.

One of 12 Payment Card Industry, or PCI, requirements, PCI-DSS 6.6 aims to ensure that data entered from untrusted environments into Web applications is fully inspected.

To secure transactions by debit and credit cards, the regulation requires merchants to conduct application code reviews and install Web application firewalls.

Up until now, implementing PCI-DSS 6.6 was optional, but it becomes mandatory June 30.

Although PCI regulations are meant to enhance security at organizations that accept credit and debit cards, they are just part of the overall security puzzle. Finding the right approach is key.

"Compliance doesn't necessarily equate to good security, but good security does equate to PCI compliance," said Mike Puglia, director of product marketing at Veracode, which provides static code analysis and dynamic application security testing in software-as-a-service (SaaS) mode.

Risk management

A major approach to data security involves risk management. A lack of it could further hammer an enterprise already reeling from a data breach.

Risk management embraces everything from calling in the police and having IT staff race to the datacenter to having PR people ready to offer favorable spin on what has happened.

TJX (NYSE: TJX), the Massachusetts-based operator of discount retail clothing chains such as T.J. Maxx and Marshalls, found out firsthand why risk-management planning is critical.

Between 2004 and 2007, the company suffered a security breach that compromised almost 46 million credit- and debit-card numbers.

In addition to the millions of dollars it lost because of the breach, TJX found itself in trouble with the Maine Department of Motor Vehicles (DMV). According to Puglia, 30,000 applicants sought new driver's licenses in one week because the TJX breach compromised their old ones.

Puglia recommends enterprises set up a process to notify anyone who will be impacted if a breach occurs, whether inside or outside of the enterprise.

Even if a company has risk-management processes in place and is in compliance with PCI, that doesn't mean much in the larger scheme of things; in fact, being fully PCI compliant could reduce overall enterprise security.

"There are instances where being PCI compliant can actually downgrade your security posture, depending on the size of your organization," Jack Phillips, co-founder and managing partner for research group Institute for Applied Network Security, told InternetNews.com.

For example, many retailers redesigned their IT architecture to create zones that didn't interact with each other, to comply with the PCI requirements, but knowledgeable users whose work required they interact with applications in various zones "went around some of the zones and security mandates and software," Phillips explained.

That has led to a backlash from IT security, which is now refusing to compromise overall security.

"Some of the security professionals are realizing they've been so focused on the technical details that they've lost touch with the larger behavioral and policy issues that security is really about," Phillips said.

"IT's saying it's not going to sacrifice common sense security, just get 100 percent PCI compliant."

That could lead to problems for management because "IT security professionals are eager to tell senior management they're 100 percent PCI compliant" but aren't sure whether or not their companies will be fined for noncompliance when a breach occurs, Phillips said.

"Ultimately something you never thought of could be the cause of some sort of breach, and the key is mitigating and lowering the exposure, whether it be with the issuers at the PCI level, with the customers, with the banks, or with the federal government," Phillips said.

"The craft of information security has quickly been transformed from a technical craft to risk management," Phillips added.
