In Depth
All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
By Sarah D. Scalet
Likewise, at CheckFree, Vice President and CSO Ed Sarama is still working on his company’s PCI compliance. “Nothing is easy in the IT world,” says Sarama, whose $880 million company does payment processing for many of the United States’ largest banks. “We like for everything from a consumer perspective to be magical, but there’s a lot of work behind the scenes, and this is no exception.”
Sarama says the main challenge he’s having is that the standard is a moving target. For instance, last autumn, the PCI Security Standards Council made some changes to retention requirements that affected CheckFree. Now, an audit trail of all access to cardholder data and network resources must be available online for three months and offline for another nine months, which means that CheckFree has to invest in additional online storage devices. Another change means that CheckFree must put application firewalls in front of its Web servers; Sarama has to figure out how to do this in a way that won’t cause any applications to fail.
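A retention rule like the one CheckFree is adjusting to is easy to check mechanically. What follows is an added example, not CheckFree’s or the council’s own code: it tiers a constructed inventory of audit-log files by age against the three-month online and nine-month offline windows and reports where current storage falls short. The day counts (90 and 365) and the boundary rule are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# Windows from the article: three months online, then another nine offline.
# Expressing them as 90 and 365 days is an assumption of this example.
ONLINE_DAYS = 90
TOTAL_DAYS = 365


@dataclass(frozen=True)
class AuditLog:
    name: str
    last_event: date  # newest cardholder-data access event in the file
    stored_in: str    # where it is kept now: "online", "offline" or "missing"


def required_tier(last_event: date, today: date) -> str:
    """Tier the log must be in as of `today`: 'online', 'offline' or 'expired'.

    Boundary rule (assumed): a log stays online through day 90 and offline
    through day 365 after its newest event.
    """
    age = (today - last_event).days
    if age < 0:
        raise ValueError("log is dated in the future")
    if age <= ONLINE_DAYS:
        return "online"
    if age <= TOTAL_DAYS:
        return "offline"
    return "expired"


def check_retention(logs, today):
    """Compare each log's current tier with the required one.

    'violations': log is not where the rule requires it (including logs that
    are missing inside the retention period); 'to_offline': still online but
    past the online window, so it can be moved to free online storage;
    'disposable': past the full retention period.
    """
    report = {"violations": [], "to_offline": [], "disposable": []}
    for log in logs:
        need = required_tier(log.last_event, today)
        if need == "expired":
            report["disposable"].append(log.name)
        elif need == "offline" and log.stored_in == "online":
            report["to_offline"].append(log.name)
        elif log.stored_in != need:
            report["violations"].append((log.name, log.stored_in, need))
    return report


# Constructed sample inventory, evaluated as of a constructed reference date.
TODAY = date(2007, 3, 1)
SAMPLE_LOGS = [
    AuditLog("cde-access-2007-02-20.log", date(2007, 2, 20), "online"),   # day 9
    AuditLog("cde-access-2006-12-01.log", date(2006, 12, 1), "online"),   # day 90, still online
    AuditLog("cde-access-2006-11-30.log", date(2006, 11, 30), "online"),  # day 91, may go offline
    AuditLog("cde-access-2007-01-15.log", date(2007, 1, 15), "offline"),  # day 45, must be online
    AuditLog("cde-access-2006-06-01.log", date(2006, 6, 1), "missing"),   # day 273, must exist offline
    AuditLog("cde-access-2006-03-01.log", date(2006, 3, 1), "offline"),   # day 365, last offline day
    AuditLog("cde-access-2006-02-28.log", date(2006, 2, 28), "offline"),  # day 366, past retention
]
```

Running `check_retention(SAMPLE_LOGS, TODAY)` flags the offline January file and the missing June file as violations, the November file as movable offline, and the February 2006 file as disposable.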
On any given point, the fallback to meeting the letter of the law is meeting the spirit of the law. In PCI-land, this is known as a “compensating control.” Ken Rowe, a principal of the consultancy Chief Security Officers, and a certified PCI assessor, knows all about compensating controls. For instance, he’s working with one city government whose network isn’t segmented with firewalls, as the PCI standard requires. That means that the entire network must be in compliance with the standard—not just the portions of it, such as the ticketing application for the performing arts center, that actually house card data.
“There are other compensating controls in place, like VLANs and access control, that prevent someone from another department accessing credit card numbers,” Rowe says. “But the standard calls for segmentation using firewalls,” so that’s what the city government is working on.
Some of the technical issues may work themselves out sooner rather than later. For instance, at PayPal, CISO Michael Barrett—another American Express alum—is trying to figure out what to do about the standard’s vague stance on whether Unix servers must have antivirus software installed.
“PCI says this [need for antivirus control] is more applicable if you’re running Windows servers and less applicable if you’re running Unix servers,” says Barrett, whose company, an eBay division, processed $37.8 billion in online payments during 2006. “It doesn’t actually say, if you’re running a Unix server you’re exempt from the requirement. You get into discussions with auditors about whether it’s enough. I expect PCI to mature over the next year or so, so that those discussions become much more routine.”