NWC Print
Nov 2008
PCI DSS for payment card security

Faced with credit card losses of an estimated $55 billion every year, payment companies have come up with a minimum compliance system for merchants and service providers.

By Anoop K Menon

Comply or get ready to be fined. Payment brands like American Express, Discover Financial Services, JCB, MasterCard and Visa won’t have it any other way.

For the uninitiated, PCI DSS stands for Payment Card Industry Data Security Standard. To counter the rapidly growing incidence of credit card fraud—a recent survey by Visa put the losses at $55 billion a year—the payment brands came up with PCI DSS as the minimum security compliance baseline for merchants and service providers. Retail, higher education, healthcare, travel and finance companies are examples of merchants that accept card payments; hosting outfits for e-commerce sites are examples of service providers.

“Though the standard was created in 2005, the drive on the part of payment brands to push for compliance gained momentum due to highly visible credit card fraud incidents in the past 12 months, the most famous being the TJX data breach,” says Srikiran Raghavan, regional sales head at RSA, a company engaged in data protection. (On January 17, 2007, discount retail conglomerate TJX Companies, which operates in North America and Europe, reported that a computer systems intrusion exposed at least 45 million credit and debit cards of its customers to potential identity theft.)

PCI DSS calls for merchants and service providers to ensure that their transaction and data storage systems are secure. Failure to comply, or any compromise of customer information, will invite fines from the credit card companies. According to Santanu Mukherjee, country manager, South Asia, Visa International Asia Pacific, compliance with the PCI DSS is a requirement for all entities in the Visa payment system that process, transmit or store Visa account and transaction data.

Raghavan said that as India moves in the direction of a retail-driven economy, and merchants engage customers on multiple fronts, a key challenge for them would be to control where customers’ payment card information is located and distributed, and to prevent it from being leaked.

Adds Mukherjee, “The data within the Visa system is limited to the specific transaction data, but once outside of Visa’s domain some stakeholders (i.e. merchants) can produce additional data to form a ‘consumer footprint’ that can be used for marketing initiatives and loyalty schemes. It is within this ‘footprint’ that the susceptibility of the data to both fraud and identity theft resides. Thus, any entity which handles payment card information is therefore responsible for data security. Hence Visa requires all of its members to be compliant with PCI DSS and ensure that their merchant customers are compliant with the standard.”

Mukherjee points out that many security breaches are not caused by hackers or complex computer viruses, but rather by lax security policies or carelessness. “How merchants dispose of sensitive data can be just as important as how they store it. There is a strong need for Web site and online security,” he emphasizes.

According to Shubhomoy Biswas, country manager, India, SonicWall, merchants failing PCI audits had the following problems:

  • Passwords and IPsec pre-shared keys not encrypted in the database.

  • Management platforms that do not use strong ciphers for HTTPS management.

  • User account passwords on devices without an aging and rotation capability.

  • Security devices that do not support two-factor authentication.

  • Weak ciphers for interconnectivity tunnels (e.g. DES) rather than stronger ciphers of 128 bits and beyond.
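The five audit failures above can be turned into a repeatable configuration check. The following is an added example, not code from the article or from SonicWall; the configuration keys, the "enc:" marker for secrets encrypted at rest, and the 90-day rotation interval are assumptions made for the example.

```python
"""Audit a payment-network device config against the five PCI audit failures
listed above. Constructed example; config keys and the 'enc:' marker for
at-rest encryption are assumptions, not any vendor's format."""
import re

# Key length in bits per cipher name; DES's 56-bit key is why it counts as weak.
CIPHER_BITS = {"des": 56, "3des": 112, "aes128": 128, "aes256": 256}
MIN_CIPHER_BITS = 128        # "128-bit and beyond"
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation interval; the page gives none

def cipher_bits(name):
    """Key length of a cipher such as 'AES-256' or 'des'; unknown -> 0 (weak)."""
    return CIPHER_BITS.get(re.sub(r"[^a-z0-9]", "", name.lower()), 0)

def audit_device(cfg):
    """Return one finding string per failed check; an empty list is a pass."""
    findings = []
    # 1. Passwords and IPsec pre-shared keys must not sit in cleartext in the DB.
    for field in ("admin_password", "ipsec_psk"):
        if cfg.get(field) and not cfg[field].startswith("enc:"):
            findings.append(f"{field} stored in cleartext")
    # 2. The HTTPS management interface must negotiate a strong cipher.
    if cipher_bits(cfg.get("https_mgmt_cipher", "")) < MIN_CIPHER_BITS:
        findings.append("weak cipher for HTTPS management")
    # 3. Device accounts need password aging and rotation.
    age = cfg.get("password_max_age_days") or 0
    if not 0 < age <= MAX_PASSWORD_AGE_DAYS:
        findings.append("no password aging/rotation")
    # 4. Administrative logins must support two-factor authentication.
    if not cfg.get("two_factor_auth"):
        findings.append("two-factor authentication not enabled")
    # 5. Interconnectivity tunnels must use 128-bit or stronger ciphers.
    for tunnel, cipher in cfg.get("tunnels", {}).items():
        if cipher_bits(cipher) < MIN_CIPHER_BITS:
            findings.append(f"weak tunnel cipher {cipher} on {tunnel}")
    return findings

# Constructed sample configurations: one failing every check, one passing all.
WEAK_DEVICE = {
    "admin_password": "letmein", "ipsec_psk": "enc:<ciphertext-placeholder>",
    "https_mgmt_cipher": "DES", "password_max_age_days": 0, "two_factor_auth": False,
    "tunnels": {"hq-to-store1": "DES", "hq-to-store2": "AES-256"},
}
HARDENED_DEVICE = {
    "admin_password": "enc:<ciphertext-placeholder>", "ipsec_psk": "enc:<ciphertext-placeholder>",
    "https_mgmt_cipher": "AES-256", "password_max_age_days": 90, "two_factor_auth": True,
    "tunnels": {"hq-to-store1": "AES-128", "hq-to-store2": "AES-256"},
}
```

Running `audit_device(WEAK_DEVICE)` yields five findings, one per failure in the list, while the hardened configuration yields none.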

 

Biswas recommends the following 12 steps for PCI DSS compliance.

  • Install and maintain a working firewall to protect data.

  • Don’t use vendor-supplied defaults for passwords and security parameters.

  • Protect stored data.

  • Encrypt data sent across public networks.

  • Use and regularly update antivirus software.

  • Develop and maintain secure systems and applications.

  • Restrict access by “need to know.”

  • Assign a unique ID to each person with computer access.

  • Restrict physical access to cardholder data.

  • Track all access to data by unique ID.

  • Regularly test security systems and processes.

  • Implement and maintain an information security policy.


Incidentally, SonicWall offers an integrated suite of technology comprising its global management system software and SonicWall PRO or TZ series firewalls. The company also provides guidelines on how to set up a PCI DSS compliant secure network. “These solutions are available in India through SonicWall’s distributors and channel partners,” says Biswas.

GFI Software offers the GFI PCI Suite for PCI DSS compliance. This suite combines GFI EventsManager, a complete event log management solution, and GFI LANguard Network Security Scanner, a complete network vulnerability management solution that includes vulnerability scanning, patch management and network auditing.

Symantec offers Symantec PCI Services for merchants, service providers and payment application vendors. Says Vishal Dhupar, MD, India & Saarc, Symantec, “Symantec PCI Services include PCI Security Audit, PCI Security Scanning, PCI Payment Application Best Practices Assessment, and PCI Compliance Readiness Review.” However, these services are not being offered in India.

On whether Visa has set a deadline for Indian merchants and service providers to become PCI DSS compliant, Mukherjee said that PCI DSS compliance is an ongoing program and Visa requires its members to certify the compliance of their merchants and agents annually. “We are working with the Indian Payment Cards Risk Council in assessing the level of compliance in the Indian market. Most of the third-party payment processors have been audited for PCI DSS compliance,” he stated. He felt that the key challenges in attaining a full rate of PCI DSS compliance in India include education and raising awareness among the industry of the need to be compliant.

Raghavan of RSA said that there should be some integration between the international compliance regime invoked by the payment brands and local regulations. He felt that if the proposed amendment to the Indian IT Act 2006—wherein, under section 43, any organization found negligent in protecting data is liable to be fined up to Rs 5 crore—comes through, the momentum on the PCI DSS compliance front could speed up.

Under the existing IT Act, there are no damages for negligence in protecting data. “But at the same time the payment brands are not looking at prosecuting capabilities. They are only seeking to protect the revenues of all the concerned parties,” Raghavan declared.
