Tips for Achieving and Maintaining PCI Compliance
If you think payment card industry (PCI) compliance is tough, you can't begin to imagine how difficult a security breach is. Just ask Heartland Payment Systems’ Chairman and CEO Robert O. Carr, who recently spoke to a technology association in Atlanta about the breach that cost the company $170 million, of which only $20 million was covered by insurance.
If you think it's only the big boys who get breached, you might be surprised to hear that nearly two-thirds of the 760 data breaches analyzed in 2010 involved businesses with fewer than 100 employees, according to a 2011 report from Verizon Business. It also reported that 89 percent of the victims subject to PCI-DSS had not achieved compliance.
If your online or physical store accepts any debit or credit cards, even if you use a third-party processor (e.g., PayPal), you must be PCI compliant. Failure to meet and maintain PCI compliance requirements may result in steep fines and penalties. PCI applies to all organizations — regardless of size or number of transactions processed — that accept, transmit or store any cardholder data.
Although maintaining PCI compliance is no guarantee you won't be hacked, it reduces the chance of a data breach by about 47 percent, according to a study by the Ponemon Institute, an independent privacy and information security research firm.
So what's the easiest way to go about becoming PCI compliant? Unless there's a specific business need to retain payment card information, don't store the primary account number (PAN). PAN data are key targets for thieves and cause organizations to do a lot more work to become PCI compliant.
However, since many organizations have a valid business need to keep card numbers and associated data, below are additional tips to achieve PCI compliance:
- Keep PAN data stored on the fewest possible servers and locations. Prevent anyone from downloading any of this information to individual workstations or personal devices.
- Use network segmentation to reduce the scope of your PCI environment. Isolate servers that store PCI data by using networking technologies and access controls to reduce the portion of your environment that needs to be assessed for compliance.
- Use point-of-sale equipment and applications that have already been PCI certified according to the payment application data security standard (PA-DSS), the security standard created by the Payment Card Industry Security Standards Council (PCI SSC).
- Put your policies, standards and procedures in writing. Ensure they're understandable and enforceable.
- Train your staff on security. Training should include password and email security, social engineering, and company security policies.
- Encrypt, hash or obfuscate cardholder data so that it is unusable if a hacker steals it.
- Maintain and audit your users and access control processes. Every user should have an ID that uniquely identifies them. Update user information and access rights whenever job roles change.
- Conduct quarterly internal and external vulnerability scans to find and remediate the latest threats to your network and internal weaknesses.
- Document and follow procedures for patch management.
- Focus first on securing your environment. PCI covers only the basic essentials, and meeting them alone can still leave you vulnerable. A security expert can help you become both secure and compliant.
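To illustrate the "don't store the PAN" and "hash or obfuscate cardholder data" tips above, here is an added example (not from the original article or from Dell SecureWorks) of the two ways a PAN typically survives in a system: truncated for display, and as a keyed hash for lookups. It assumes the usual PCI DSS truncation of first six and last four digits, a constructed test card number, and a demo key; in production the HMAC key would be held outside the database that stores the tokens.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: a well-known test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def pan_digits(pan: str) -> str:
    """Strip spaces and dashes so the same card always yields the same digits."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they are ever stored."""
    digits = [int(c) for c in pan_digits(pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: keep first six and last four (assumed PCI DSS rule).
    A masked value is not cardholder data, so it may live outside the PCI scope."""
    digits = pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash for de-duplication or lookups without storing the PAN.
    A plain SHA-256 of a PAN is brute-forceable because the PAN space is small and
    Luhn-constrained; an HMAC with a key kept apart from the data store is not."""
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # illustration only; use a managed key
    print(luhn_valid(SAMPLE_PAN), mask_pan(SAMPLE_PAN))
    print(pan_token(SAMPLE_PAN, demo_key))
```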
Dell SecureWorks has created a PCI Compliance Resource Center where you can find more information and tools to help you understand PCI compliance along with ways a strong security program can simplify the PCI process.
Michelle Zoerb is senior manager, security systems at Dell SecureWorks.