Playing by the Rules By Sanjay Mehta, Senior Vice President, Breach Security, Inc.
It's no news that there are sophisticated and organized groups of criminals who target cardholder data. In the U.S. alone, 300 million records were compromised in 2007. The infamous TJX data breach that put nearly 45 million consumers at risk was a wake-up call to the business community.
According to the Aegenis Group, a PCI consulting firm, the 2007-2008 black market value of a payment card account number was estimated between $4 and $6 in New York City. Full magnetic stripe data obtained from a payment card fetched between $25 and $35. Theft of the security codes hidden in a card's magnetic stripe enables criminals to manufacture counterfeit cards.
Given all this, how can banks and merchants mitigate their risk in 2009 through compliance with the Payment Card Industry (PCI) Data Security Standard (DSS)? How can solution providers educate organizations on strategically using PCI regulations to benefit their businesses (and not just "check off" the PCI compliance box)?
Background
In December 2004, major credit card companies adopted PCI DSS - a set of 12 requirements designed to prevent fraud and protect consumer privacy when sensitive customer data is transmitted and stored on an organization's network. All financial institutions, merchants, vendors and their agents that use "system components" to store, process, or transmit cardholder data on their networks are required to meet the PCI standard.
Banks and Downstream Merchants
While PCI DSS outlines a classic defense-in-depth security strategy, there's enough ambiguity within the standard to allow merchants to show compliance without making significant changes to security policies and practices.
Leveraging existing investments and procedures may be the path of least financial resistance to compliance but is quite often not the most effective path for long term compliance and operational efficiency. The audit process for Level 1 merchants isn't always as stringent as it should be, resulting in the certification of borderline PCI-compliant implementations. Smaller merchants (classified as Level 2, 3 and 4) that are not audited but rely on self-assessment questionnaires may feign compliance entirely, gambling they won't fall victim to a data breach and failure-to-comply penalties.
Such a lackluster approach to PCI misses the point and puts banks at the greatest risk. Issuing banks that provide credit cards to consumers are left "holding the bag" on up to 70 percent of the cost of fraud; merchants and acquiring banks take on the remaining 30 percent.
Evangelizing PCI
In 2009, banks should educate their downstream merchants on the bottom-line benefits of a rigorous security implementation for PCI DSS compliance: a lower credit card processing cost structure and lower pre-transaction processing fees. Non-compliant vendors pay more per transaction.
Banks should understand the nuances in security implementations and positively reward merchants with the most robust security postures. For instance, one could argue that merchants opting to deploy a Web application firewall that complies with Requirement 6 (instead of conducting intermittent code reviews) should be rewarded with lower processing fees. With a real-time threat protection measure in place, they're less likely to succumb to an attack that hits the bank's bottom line.
Resellers, integrators and other solution providers must make ongoing PCI DSS education a priority. They should partner with technology vendors that offer robust data security solutions aligned with PCI DSS requirements, including encryption, vulnerability scans, network firewalls, antivirus, and the latest requirements focused on web application level controls. By recommending that organizations prepare a strong defense designed to exceed "minimum requirements," solution providers play a pivotal role in the PCI playbook.
As far as technology mandates are concerned, PCI DSS is pretty good. It's not perfect, but it's much more precise than Sarbanes-Oxley, and offers a clear path to compliance if embraced with the right spirit.
Sanjay Mehta, senior vice president at Breach Security, Inc., has more than a dozen years of experience driving revenue growth and strategic business opportunities for technology companies, resellers and system integrators.