PCI: Smart or Stupid?

There is something odd about the payment card industry (PCI) standard. Its one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.

PCI requirements fall into six major categories: build and maintain a secure network; install and maintain firewall configurations; protect stored data; use and regularly update antivirus software; restrict access to need-to-know; and monitor and track all access to network resources and cardholder data. These requirements provide a textbook outline of the fundamentals of information security. They reflect attention to detail and risk management. One can sum up PCI in a single word: pragmatic. It takes a realistic approach to the problems of consumer credit data and applies a common sense set of security solutions. PCI takes a narrow focus on what it attempts to solve, as opposed to the Sarbanes-Oxley Act, which lacks any form of specific detail. PCI is a godsend for the protection of consumer credit card data.

Given what PCI is trying to accomplish, one would expect it to be welcomed with open arms by the industry. To a degree, it has been. But surprisingly, there seems to be a cabal that has chosen to attack, rather than embrace, PCI. One recent example: Michael Mathews, chief operating and technology officer at security services company Cynergistek, wrote an article called PCI Has Lost Its Way, Growing Overly Complex and Costly, for the June 2007 issue of Information Security. Mathews repeatedly stresses the complexity of PCI.

But where exactly is that complexity? The requirements and corresponding specifics are extremely pragmatic and can be classified as information security 101.

Mathews writes that because of these and other complications, many merchants remain noncompliant to many facets of PCI DSS. However, the issue really is that these merchants have created their networks with little to no thought of security and privacy. They have placed minimal controls on their users, given no direction to their application developers nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant as a result of PCI DSS; they are noncompliant because they never developed their security programs in the first place.

In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is over the top and can be confusing. He also contends that the costs of meeting the requirements do nothing to boost a retail companys bottom line, with no direct return on investment.

Recent events demonstrate otherwise. TJX Companies violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in one recent quarter, it took a $12 million loss, equal to 3 cents per share, for costs incurred to investigate and contain the intrusion, improve computer security and systems and communicate with customers, as well as for technical, legal and other fees. The company also reported that it expects that it will continue to incur these types of costs related to the intrusion in the subsequent quarter and estimated that the costs will total 2 cents to 3 cents per share.

Such breaches are precisely what PCI comes to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment and saved the organization millions of dollars, in addition to significant negative publicity. Absolutely nothing complex about that.

All it takes is one successful hack attack to wipe out years of so called savings gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just wont happen to them.

The time to take security seriously is before an attack happens, not after. That is what PCI aims to do. PCI is the best thing that has happened to consumer data protection in the payment industry in many years. The quicker it is embraced and implemented, the better off we all will be. n

Ben Rothke, CISSP, QSA, is a security consultant with BT INS.


Copyright © 2007 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline