The way our society exchanges goods and services has come a long way. The age of the “digital consumer” has dawned. More people than ever are shopping online and making purchases using credit cards, and nearly every business operating in the modern age has had to adapt to accept credit card payments. This created several issues for both merchants and consumers. Identity theft and data breaches became a rampant issue in the late 90s and early 00s, and they have remained a serious and growing concern for authorities. More than 510 million records containing sensitive information have been breached since January 2005 (source: https://www.pcisecuritystandards.org). These issues were exacerbated by a lack of cohesion among the credit card providers: they had no agreed-upon standards for how the transaction process should occur or how sensitive financial data should be stored. To maintain consumer confidence, action had to be taken. On September 7th, 2006, the credit card providers held a meeting on how best to protect the cardholder. The outcome of that meeting was the creation of the Payment Card Industry Security Standards Council. The council is made up of five members: Visa, Mastercard, American Express, Discover, and JCB. The objective of the council is to oversee the continuing development of the Payment Card Industry Data Security Standard (PCI-DSS).
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of operational and technical requirements to protect the cardholder from data theft and abuse. The standard applies to any entity that stores, processes, or transmits cardholder data. The council manages the standard and its revisions, and all five members of the council enforce it. Those who do not comply with PCI-DSS risk heavy fines and being blacklisted from the entire credit card industry. PCI-DSS consists of twelve major requirements and numerous subsections. Below are the twelve major requirements of PCI-DSS:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
It is important to properly evaluate your network and production environments on a routine basis. A network and endpoint audit should take place every financial quarter at the very least. Diligence is paramount to successfully protecting the cardholder.
Tips on how to implement PCI-DSS:
Implement two-factor authentication for remote access to the network. Using RADIUS servers with tokens is one way to achieve this. Another method is to use a Terminal Access Controller Access-Control System (TACACS), also with tokens. Also ensure that all sensitive data is encrypted with adequate cryptography. A strong encryption algorithm is the Advanced Encryption Standard (AES), which is an excellent method of protecting sensitive data. AES is composed of three block ciphers: AES-128, AES-192 and AES-256. Each cipher encrypts and decrypts data in blocks of 128 bits, using cryptographic keys of 128, 192 and 256 bits respectively. Finally, create a routine in which security logs are reviewed daily. Pattern recognition is critical in discovering the symptoms that precede a data breach. Having logs reviewed daily can identify the warning signs early and allow prudent action to be taken before damage is done.
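The two technical tips above, encrypting stored cardholder data with AES and reviewing access logs daily for suspicious patterns, are shown together in the following added example. It is illustrative code written for this article, not code from the PCI Security Standards Council or any vendor. It assumes AES-256 in GCM mode (so tampering with a stored record is detected, not just confidentiality), a hypothetical key=value access-log format, and a constructed sample log; the test PAN 4111111111111111 is a well-known non-issued test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// newGCM builds an AES-256-GCM AEAD. The key must be exactly 32 bytes; a
// 16- or 24-byte key would silently select AES-128/192, so it is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals a primary account number. A fresh random nonce is drawn
// per record and prepended, so the stored blob is nonce || ciphertext || tag.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN. A wrong key or any modified byte fails the
// GCM tag check and yields an error rather than garbage plaintext.
func DecryptPAN(key []byte, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SampleLog is a constructed day of access-control events in a hypothetical
// key=value format; it is not real log data.
var SampleLog = []string{
	"2024-05-01T02:13:44Z user=jdoe action=read_pan result=denied",
	"2024-05-01T02:13:51Z user=jdoe action=read_pan result=denied",
	"2024-05-01T02:14:02Z user=jdoe action=read_pan result=denied",
	"2024-05-01T09:30:10Z user=asmith action=read_pan result=allowed",
	"2024-05-01T09:31:55Z user=asmith action=read_pan result=denied",
	"malformed line with no fields",
}

// ReviewAccessLog is the daily-review step: it returns, sorted, every user
// whose denied attempts to read cardholder data reach the threshold.
// Malformed lines are skipped rather than aborting the review.
func ReviewAccessLog(lines []string, threshold int) []string {
	denied := map[string]int{}
	for _, line := range lines {
		fields := map[string]string{}
		for _, tok := range strings.Fields(line) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				fields[k] = v
			}
		}
		if fields["action"] == "read_pan" && fields["result"] == "denied" {
			denied[fields["user"]]++
		}
	}
	var flagged []string
	for user, n := range denied {
		if n >= threshold {
			flagged = append(flagged, user)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	key := make([]byte, 32) // in production this comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := EncryptPAN(key, "4111111111111111") // constructed test PAN
	pan, err := DecryptPAN(key, blob)
	fmt.Printf("stored %d bytes, recovered %d digits, err=%v\n", len(blob), len(pan), err)
	fmt.Println("users to investigate:", ReviewAccessLog(SampleLog, 3))
}
```

The per-record nonce matters: reusing a nonce under the same GCM key breaks both confidentiality and integrity, so never derive it from the record or a counter you cannot guarantee is unique. The review threshold is deliberately a parameter; a merchant would tune it to its own baseline of legitimate denials.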