
Copyright © 2009 Qwest. All Rights Reserved. Not to be distributed or reproduced by anyone other than Qwest entities.

All marks are the property of the respective company. April 2009

PROTECTING PAYMENT CARD DATA
Considerations for Achieving and Maintaining On-Going PCI DSS Compliance

EXECUTIVE OVERVIEW

Businesses managing payment card data face tremendous security challenges. The cost of a security breach can be devastating in terms of lost revenue, legal costs and damaged reputation. In fact, the payment card brands may even stop a business from processing credit card and debit card payments from customers. The Payment Card Industry Data Security Standard (PCI DSS) provides a blueprint for building and maintaining a secure data network; however, implementing the policies, people, processes and technologies needed to achieve and maintain PCI compliance can be overwhelming. This paper provides some background about PCI DSS and its effectiveness, and explains how enlisting experts to help execute your strategy can be the best way to achieve and maintain on-going compliance.

MYRIAD CHALLENGES CAN IMPEDE COMPLIANCE PLANS

Developed by the founding payment brands of the PCI Security Standards Council, the PCI Data Security Standard strives to ensure payment account data security with a comprehensive set of requirements for IT and network departments to follow. If you are a merchant or service provider that accepts payment cards, you must validate PCI DSS compliance at least annually. According to Fred Kost, Director of Security Solutions Marketing at Cisco Systems, the PCI standard has been successful because of its unified approach. “It’s a global standard that applies to a lot of industries and covers diverse requirements of various companies, from the very large to the very small,” he said.

But a myriad of challenges thwart the best efforts of many companies attempting to achieve PCI compliance. One reason is that deploying policies and controls across an organization takes time, during which threats and methods within the hacker community change. “The hacking community gets smarter all the time, and we’re seeing the evolution of the PCI standard to address new threats,” said Cisco’s Kost. Furthermore, merchants eager to stay competitive by deploying new technologies may not take enough time to ensure that adequate security policies and procedures are always enforced, which leaves vulnerabilities behind. As a result, merchants struggle not only to pass the PCI audit but to maintain on-going compliance without over-taxing budgets and corporate resources.

More changes ensue as PCI DSS is periodically revised to cover new purchasing scenarios. E-commerce transactions and counter transactions, where the customer hands a credit card to a retail clerk, are only part of the data security problem. Advances in mobile devices and other technologies have given rise to new payment options. PIN-entry and other interactive devices, pay-at-pump systems and card-swipe capture devices used in smaller stores and kiosks all present a risk. “As IT professionals, we need to think more broadly about how customer data is accessed, touched, changed and moved,” said Kost.

Ensuring your compliance strategy is up to date with new requirements means you must revisit your strategy often and make the necessary changes. “You have to have the processes and policies in place and be willing to modify them based on changing requirements,” said Kost.

Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.

David Mahon, Vice President of Information Security, Qwest


FLEXIBILITY WITHIN THE PCI STANDARD ALLOWS FOR CUSTOMIZATION

PCI DSS is broad. It offers a single set of requirements to be applied to all sorts of retailers, large and small, because it must cover the issues faced by an incredibly diverse group of companies. For example, a large global retailer with a complex data center will have different needs than a small doctor’s office with a server under the receptionist’s desk. “The credit card is a ubiquitous form of payment, cutting across all different forms of transaction types and organizations—from the local grocery store to global ecommerce retailer,” said Kost.

Although PCI DSS provides a blueprint of best practices, it leaves each IT department the flexibility to execute those practices in the way that best suits its business. For example, Requirements 7 through 9 call for restricting logical and physical access to cardholder data, but the standard does not prescribe every parameter of those restrictions, and the mechanisms used to enforce them are left to IT staff.

Outsourcing the task of PCI compliance to a trusted partner can help organizations adapt to changes that impede compliance and capitalize on the flexibility within PCI to implement best practices in a way that maximizes the operational and security benefits. “Partnering with the right kind of organization can make a big difference in making your compliance process more efficient and improving security now and into the future.”

WHAT IS PCI DSS?

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to help organizations proactively protect customer account data.

Source: PCI Security Standards Council

Figure 1. The PCI Security Standards Council’s 12 requirements target key potential weaknesses in complex data networks

Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications


Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security

IT TAKES PEOPLE, PROCESSES, POLICIES AND TOOLS

To overcome these challenges and achieve PCI compliance now and on an ongoing basis, you must have the people, processes, policies and tools in place to address the requirements that pertain to your business. This is a big commitment. Building and maintaining the right teams and processes can be much more difficult than implementing the technology. In many businesses, IT security skills are scarce. Companies face budgetary and retention issues, and may lack resources for training personnel on compliance procedures.

Partnering with a PCI-certified provider is often the best way to accomplish PCI compliance goals. “PCI-certified providers are service providers that have done the hard work of going through the PCI audit process for products and services,” said Kost. “Cisco, for example, provides reference architectures for PCI compliance that put together the various pieces of a compliance solution, so you don’t have to worry about it.” Other providers, such as Qwest, offer the services that complement the architecture, allowing IT departments to hand off those tasks that cannot be performed efficiently in-house.

Many providers will offer testing in simulated retail environments, with POS terminals, wireless devices and Internet connections. They may also provide configuration monitoring and authentication management services. PCI audit and remediation partners offer audit review, to ensure you have the pieces in place to pass your compliance audit.

But compliance doesn’t end with the audit. PCI assessments are point-in-time audits, and many companies struggle to enforce the processes and policies needed to maintain compliance on an on-going basis. As a result, breaches can still occur even after a company passes its audit, and the effects of a breach are devastating. Forrester Research estimates that the cost of a security breach to the company that suffers it may amount to anywhere between $90 and $305 per record; one significant breach could cost an organization millions of dollars.1

“What you have to keep in mind is that you’re not implementing security controls on a one-time basis,” said David Mahon, Vice President of Information Security at Qwest, whose company offers PCI-certified products and services to help companies achieve PCI compliance. “You have to have processes in place to maintain a secure system after the audit, as well.”

ENLIST THE EXPERTS TO MAINTAIN COMPLIANCE

Becoming PCI compliant is a huge challenge, and it is not a static one. Companies must be able to maintain compliance by integrating the necessary policies and procedures into their daily business operations. This can be challenging and time consuming. Enlisting a PCI-certified partner can help you build and sustain an effective long-term compliance strategy and make the best use of internal resources and budget. Hosted services and reference architectures can ease the burden and simplify your ongoing PCI compliance program.

1. Henry Dewing with Ellen Daley and April Lawson, “Top Unified Communications Predictions For 2008,” February 20, 2008.


CONNECT. SIMPLIFY. ENHANCE.® with Qwest Business Solutions®

Qwest is focused on helping you work smarter, with services that leverage the latest technology and award-winning support. Here are a few solutions that can address the issues covered in this solutions brief:

Hosted IVR. A highly customizable, network-hosted interactive voice response (IVR) solution that enables full-featured caller self-service, caller prompting functionality, call recording and detailed caller data and call flow reporting. Hosted IVR can be used stand-alone or integrated with existing contact management equipment.

Q Routing®. A network-hosted, intelligent, inbound and outbound, multi-media contact routing solution that enables virtual agent pools, call recording and skills-based routing for voice, email and web chat. The application includes powerful agent, admin and supervisor desktop tools and cradle-to-grave reporting. Q Routing can be used stand-alone or integrated with existing contact management equipment.

Managed Backup and Storage. Qwest’s fully managed, flexible portfolio of state-of-the-art storage and backup products and services includes a managed dedicated storage solution, a utility solution on a pay-for-what-you-use basis, a point-in-time copy service, and a variety of backup solutions.

Managed Firewall-VPN. Managed Firewall-VPN Service is a management platform that integrates third-party firewall products with Qwest monitoring, management and administration capabilities.

CyberCenter Colocation. Qwest provides a full range of CyberCenter colocation services to meet any business need. Each CyberCenter facility is connected to Qwest’s OC-192 backbone, offering customers a fully redundant solution to ensure that critical data needs are met.

WHY QWEST

Qwest delivers reliable, scalable data and voice networking solutions across one of the largest U.S. fiber footprints. Qwest serves businesses of all sizes, ranging from small business to 95 percent of Fortune 500 companies, with industry-leading SLAs and world-class customer service.

LEARN MORE

For more information about Qwest voice and data services for large businesses, visit www.qwest.com/business or call (877) 816-8553 to speak to a Qwest representative.

Your best bet? Look to partners with compliance experts that can help you organize the technologies, policies and processes to satisfy the PCI requirements that pertain to your business and protect against new threats by keeping pace with changing requirements. And remember, it is an ongoing process. According to Mahon, “Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”