Risky Behavior: Securing Credit Card Data

Over 234 million consumer credit card records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse (privacyrights.org). The seriousness of this problem demands that we examine the gap between meeting industry compliance requirements and actually securing confidential data.

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk: 81% store payment card numbers; 73% store payment card expiration dates; 71% store payment card verification codes; 57% store customer data from the payment card magnetic stripe; and 16% store other personal data. (Source: Forrester Consulting, The State of PCI Compliance, commissioned by RSA/EMC.) Note that the verification code and the magnetic-stripe contents are sensitive authentication data, which PCI DSS forbids storing after authorization under any circumstances, so the 71% and 57% figures describe outright violations rather than merely risky practice.

Storing this data widens the attack surface of the card-processing ecosystem, and breaches have followed wherever the data sits: point-of-sale devices; personal computers and servers; wireless networks; e-commerce applications; paper-based storage; and unencrypted transmission of cardholder data to service providers.

To combat this trend, the PCI Data Security Standard (DSS) was created by the PCI Security Standards Council, whose founding members are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. To any security manager these requirements will look familiar, since they mirror established best practices for network and systems security. The 12 requirements of PCI DSS are as follows.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Default passwords, default wireless keys and default SNMP community strings are published in vendor documentation and are the first thing an attacker tries, so change them before a system goes into production, and keep changing passwords periodically thereafter.

Requirement 3: Protect stored cardholder data. Keep as little as possible, for no longer than a documented business need requires, and purge it when that period ends. Whatever is retained must be rendered unreadable wherever it is stored: the primary account number (PAN) may be kept only truncated, tokenized, encrypted with strong cryptography, or as a strong one-way hash (keyed, since the space of valid card numbers is small enough to brute-force an unkeyed hash), and it must be masked when displayed, showing at most the first six and last four digits. Sensitive authentication data, meaning the full magnetic-stripe contents, the card verification code (CVV2/CVC2/CID) and PINs or PIN blocks, must never be stored after authorization, even in encrypted form.
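The following Python is an added example, not code from the article or from the PCI Security Standards Council, showing what "protect stored cardholder data" looks like at the point where a transaction record is written: sensitive authentication data is refused outright, the PAN is validated and reduced to a masked display form plus an HMAC-SHA256 lookup token, and a purge date bounds retention. The field names, the well-known test PAN, the 90-day retention period and the all-zero stand-in key are assumptions; a real key would come from an HSM or key-management service, never from source code.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Sensitive authentication data: PCI DSS forbids storing these after
# authorization, even encrypted.  The key names are assumptions for this
# example; map them to whatever field names your gateway or POS uses.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Luhn check so a malformed PAN is rejected before anything is persisted."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: no more than the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) used as a lookup token.  An unkeyed SHA-256 of
    a PAN is not enough: valid card numbers are few enough to enumerate, so a
    plain hash would simply be reversed by brute force."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict, index_key: bytes, authorized_on: str,
                        retention_days: int = 90) -> dict:
    """Reduce an authorized transaction to the fields that may be kept.

    Raises ValueError if the record carries sensitive authentication data or
    an invalid PAN.  The returned record holds the masked PAN, a keyed lookup
    token and a purge date, so retention is bounded rather than indefinite.
    The full PAN is deliberately absent from the result."""
    present = [f for f in SENSITIVE_AUTH_FIELDS if f in txn]
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {present}")
    pan = txn["pan"].replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    purge_after = date.fromisoformat(authorized_on) + timedelta(days=retention_days)
    return {
        "pan_masked": mask_pan(pan),
        "pan_index": pan_index(pan, index_key),
        "expiry": txn.get("expiry"),
        "cardholder": txn.get("cardholder"),
        "purge_after": purge_after.isoformat(),
    }


if __name__ == "__main__":
    # Constructed transaction using a well-known test PAN; not a real card.
    key = bytes.fromhex("00" * 32)  # stand-in; a real key lives in an HSM or KMS
    txn = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cardholder": "J Doe"}
    print(prepare_for_storage(txn, key, "2024-01-01"))
    try:
        prepare_for_storage(dict(txn, cvv2="123"), key, "2024-01-01")
    except ValueError as exc:
        print("rejected:", exc)
```

If the full PAN must be retrievable (recurring billing, for instance), the token above is not enough; encrypt the PAN with an authenticated cipher such as AES-GCM under a key handled as Requirement 3's key-management clauses describe. That step is left out here because the Python standard library has no AES and because the key management, not the cipher call, is the hard part.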

Requirement 4: Encrypt transmission of cardholder data across open, public networks, using strong cryptography and security protocols such as TLS or IPsec. Note that SSL and early TLS no longer count as strong cryptography under the standard, so connections carrying cardholder data should be configured for TLS 1.2 or later with modern cipher suites, and unencrypted channels such as plain e-mail or SMS must never carry a PAN.

Requirement 5: Use and regularly update anti-virus software. Much malware enters the network through employees' e-mail and other online activity, so anti-malware tools must be deployed, kept current and generating audit logs on all systems commonly affected by malicious software.

Requirement 6: Develop and maintain secure systems and applications. Security vulnerabilities in systems and applications may allow criminals to access cardholder account numbers and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches promptly (the standard expects critical patches within a month of release); applications developed in-house must be built and tested against common coding flaws such as injection and cross-site scripting.

Requirement 7: Restrict access to cardholder data by business need-to-know. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Role-based access control (RBAC), with access denied by default and granted only to the roles that need it, is the usual mechanism.

Requirement 8: Assign a unique ID to each person with computer access. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Shared, group or generic accounts defeat that traceability and are not permitted.

Requirement 9: Restrict physical access to cardholder data. Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. Each audit entry should record who acted, what they did, when, whether it succeeded, where the request originated and which resource was affected; the logs themselves must be protected from tampering, retained, and reviewed regularly so that anomalies are noticed rather than merely recorded.
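As an added example, not code from the article, the Python below shows what Requirement 10's audit trail and monitoring look like in practice: every entry must carry the user, event type, timestamp, outcome, source and affected resource, and a detection pass over the log flags failed-login bursts and unusually fast PAN reads using a sliding time window per user and source. The log lines are constructed for this example, and the thresholds and window are assumptions to tune for your own environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Every audit entry must answer who, what, when, outcome, where from and
# which resource; an entry missing any of these is useless for forensics.
REQUIRED_FIELDS = {"ts", "user", "event", "result", "src", "resource"}

# Constructed sample audit log (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "user": "alice", "event": "pan_read", "result": "success", "src": "10.0.1.5", "resource": "card:8f1c"}
{"ts": "2024-05-01T09:00:03Z", "user": "alice", "event": "pan_read", "result": "success", "src": "10.0.1.5", "resource": "card:2b77"}
{"ts": "2024-05-01T09:00:04Z", "user": "bob", "event": "login", "result": "failure", "src": "203.0.113.9", "resource": "pos-01"}
{"ts": "2024-05-01T09:00:06Z", "user": "alice", "event": "pan_read", "result": "success", "src": "10.0.1.5", "resource": "card:91aa"}
{"ts": "2024-05-01T09:00:07Z", "user": "bob", "event": "login", "result": "failure", "src": "203.0.113.9", "resource": "pos-01"}
{"ts": "2024-05-01T09:00:09Z", "user": "carol", "event": "pan_read", "result": "success", "src": "10.0.1.7", "resource": "card:c0de"}
{"ts": "2024-05-01T09:00:10Z", "user": "bob", "event": "login", "result": "failure", "src": "203.0.113.9", "resource": "pos-01"}
{"ts": "2024-05-01T09:00:12Z", "user": "alice", "event": "pan_read", "result": "success", "src": "10.0.1.5", "resource": "card:77e1"}
{"ts": "2024-05-01T10:30:00Z", "user": "carol", "event": "pan_read", "result": "success", "src": "10.0.1.7", "resource": "card:1234"}
"""


def parse_events(text: str) -> list:
    """Parse one JSON audit entry per line, rejecting entries that lack any
    required field, and return them sorted by timestamp."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        missing = REQUIRED_FIELDS - set(event)
        if missing:
            raise ValueError(f"line {lineno}: audit entry missing {sorted(missing)}")
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_bursts(events: list, event_type: str, result: str,
                threshold: int, window: timedelta) -> list:
    """Return (user, src, count) for each user/source pair that produced at
    least `threshold` events of the given type and outcome inside any span
    of length `window`.  Uses a sliding window over the sorted timestamps;
    count is the number of events at the moment the threshold was crossed."""
    times = defaultdict(list)
    for e in events:
        if e["event"] == event_type and e["result"] == result:
            times[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), stamps in times.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, src, end - start + 1))
                break
    return alerts


def analyze(text: str) -> dict:
    """Run the two detections a PCI reviewer would want first: brute-force
    style login failures and bulk reads of card data by one account."""
    events = parse_events(text)
    return {
        "failed_logins": find_bursts(events, "login", "failure", 3, timedelta(minutes=1)),
        "pan_reads": find_bursts(events, "pan_read", "success", 4, timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for name, alerts in analyze(SAMPLE_LOG).items():
        for user, src, count in alerts:
            print(f"{name}: {user} from {src}, {count} events within one minute")
```

On the constructed log this reports bob's three failed logins from 203.0.113.9 and alice's four PAN reads from 10.0.1.5 inside a minute, while carol's two reads an hour and a half apart stay quiet. In production the same logic runs over a centralized, write-protected log store rather than an in-memory string, and the reviewed alerts are themselves kept as evidence of the regular review the requirement calls for.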

Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time; in practice the standard calls for quarterly internal and external vulnerability scans, penetration testing at least annually and after significant changes, and intrusion detection and file-integrity monitoring on the systems that hold cardholder data.

Requirement 12: Maintain a policy that addresses information security for employees and contractors. A strong security policy sets the tone for security across the entire organization, informs employees of their expected duties related to security, and is the document an assessor will ask for first.