Analysis: How to profit from PCI compliance


The credit card majors - Visa, MasterCard and American Express - are banging the drum on data security for all companies that hold credit card data, with renewed threat of fines for companies that don't meet Payment Card Industry (PCI) standards. But the new push holds opportunities for smart players in security technologies.

The challenge for resellers is to understand the PCI Data Security Standard (DSS) so they can give their customers the advice they need to process credit-card payments, and sell them the technology to stay compliant.

The basics of PCI

In September 2006 the five major global payment card brands - American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - jointly announced the formation of the PCI Security Standards Council, an independent body set up to manage the evolution of the PCI DSS, a set of 12 requirements intended to secure cardholder data that is stored, processed or transmitted by merchants and processors. In detail, the 12 requirements break down into around 200 individual controls.

Any company that deals with credit card numbers - and that's nearly every business these days - is obliged to implement a list of security technologies and policies to protect that data. Unenforced policies have allowed hackers to scoop databases from corporate networks and flood the internet with stolen credit-card numbers.

The credit card companies are gearing up to penalise Australian businesses for failing to follow the guidelines and protect the financial details of their customers. One reseller told CRN that he is aware of organisations that have been fined for storing prohibited data and that "more are anticipated", with MasterCard reportedly the most active, levying up to $5000 a month in fines.

The alternative to a fine is the threat of withdrawing the use of a "payment brand"; jewellers, for instance, who couldn't process Visa card payments would stand to lose a lot of business.

So, the first rule resellers should know about PCI DSS is that every business which accepts credit cards is required to comply with every rule in the standard, regardless of whether the business or "merchant" conducts one credit card transaction a year or hundreds of thousands.

The second rule is that no one technology, nor technology alone, will make a business compliant. Third, the requirements are nothing more than what a business should already be practising as part of an existing data security policy.

The tyranny of numbers

One reason why businesses may struggle to comply with the data security requirements is that each credit card company measures compliance with the same set of rules in its own way.

"The five payment brands have agreed to PCI DSS as the 'what' an organisation needs to do, how high they need to jump, we all agreed to that," says Michael Nott, manager of data security at American Express for Japan, Australia and Asia Pacific.

However, "one of the things the community doesn't really understand is that each of the payment brands has its own program for monitoring and measuring compliance with PCI DSS," explains Nott, who is also the chairman of the Technical Working Group for the PCI Council.

This means that a car-rental agency's proven compliance with the 12 requirements of PCI DSS could be judged differently by Visa and MasterCard according to each card company's program, which sets out its merchant levels and monitoring methods. Visa's program is called the Account Information Security (AIS) program; MasterCard has the Site Data Protection (SDP) program and Amex's program is the Data Security Operating Policy. Merchants are classified into three or four levels based on the number of transactions they process a year. The smaller the merchant, the less proof of compliance is required.

"There's the compliance requirements [and] there is also the concept of validation. It's important to realise the difference between compliance and validation," says Stephan Overbeek, senior security consultant at Sydney-based Shearwater Solutions.

"I always make sure my customers understand the difference. Each [merchant] level has to validate in a different way, [and] to validate compliance with PCI DSS depends on the level of the organisation," says Overbeek.

The problem for businesses is that their validation requirements can change from year to year depending on how many transactions they process with each card brand.

Resellers can help their customers keep track of their compliance obligations by familiarising themselves with each credit card company's requirements. However, this is neither easy nor simple, as the following American Express example for its Level One merchants demonstrates.

American Express classifies businesses requiring its toughest level of verification as Level One. Businesses which make more than 2.5 million American Express transactions in a year automatically qualify, as does any merchant which has had a "data breach".

Also American Express can decide that a business should be judged at Level One even if it doesn't fall under the above criteria.

Level One merchants are expected to undergo an annual onsite assessment, with an "executive summary" of the results produced by an internal auditor, and to conduct a quarterly vulnerability scan.

If an organisation is found not to be compliant it can either fix its problems and resubmit its reports, or it can submit a project plan to American Express that explains its security issues, its plan of action and a timeframe for addressing them.

Nott says a Level Two merchant is only required to "perform a quarterly vulnerability scan". For a Level Three merchant Amex doesn't need to see any validation documents.

"We don't need to see anything from a Level Three; we still expect them to be PCI compliant, they just don't need to prove it to us. If there is an issue we would do a forensic investigation to determine whether they were compliant.

"Our whole program is aimed around working with merchants to get them to achieve compliance, so we're looking at how we can help them or what steps they're taking to actually achieve PCI DSS compliance."

To date Amex has not fined anyone in Australia for non-compliance, but says it "reserves the right" to do so.

And then there is the question of who to report to. In the case of American Express, a business proves its compliance to Amex directly. The other payment brands hand the job over to the "acquiring bank", the bank that processes the merchant's card transactions and typically supplies the point-of-sale terminal it uses to take them.

Penalties for non-compliance are likewise generally passed down through the acquiring bank; American Express is the exception, enforcing its program directly.

Bear in mind that American Express is only interested in the number of Amex transactions a business processes. Even if a merchant had made millions of Visa transactions, that would be irrelevant to American Express' validation rules.

Reseller opportunities

Other credit card companies have stricter requirements. Visa mandates that its largest merchants use an externally qualified assessor rather than an internal auditor.

Visa requires its Level One merchants to be assessed annually by a PCI Council Qualified Security Assessor (QSA) and scanned quarterly by an Approved Scanning Vendor (ASV).

QSA-certified companies have personnel and processes qualified by the PCI Council to assess and validate a merchant's compliance with PCI DSS. ASVs are approved by the council to perform the quarterly external vulnerability scans of a merchant's internet-facing systems.

Tim Smith is the security practice director for Brisbane-based Bridge Point. The information security and network integrator was certified as a QSA last year. It now has three qualified PCI assessors and business is "most definitely" growing as a result.

"It's really followed where the acquiring banks themselves have put pressure on the merchants to get certified and they've logically gone for the larger enterprise customers first," says Smith.

"We're almost running like a bureau service to serve smaller merchants and aggregators that just need help filling in their Self Assessment Questionnaire (SAQ) all the way to larger enterprises and government entities and gateway companies.

"For larger enterprises the main work we can do is help them compartmentalise the area that will need to be certified. For the smaller organisations the more security savvy they are the easier it is, but really it's anything from advisory or a hand-holding exercise to a full blown enterprise job. It can be anything from a total of a couple of days through to two or three months," says Smith.

Smith says most of Bridge Point's leads come from being listed on the PCI council's website as a QSA; the rest is from word of mouth and national advertising.

In Australia there are currently only a handful of qualified QSAs. The criteria for becoming a QSA are tough, and on top of an annual test the council recently launched a quality assurance program under which it audits QSAs to make sure they are as well versed in the standard as they claim to be, says Troy Leach, CTO of the PCI Council.

"We have a high set of criteria for the QSA and we keep them publicly available on our website," says Leach. "We want everyone to know the credentials that a QSA company must have in order to have that accreditation."

The criteria include insurance and technology requirements as well as the ability to demonstrate "a very solid security practice as well as an internal quality assurance program", says Leach.

There are several opportunities a year for resellers to become certified as a QSA. The PCI Council runs the certification process seven times a year, appointing six or seven assessors in each batch. In the current cycle there are three Australian QSAs, says Leach.

"I've heard from the QSAs there's a regional uptick [in QSA verifications] in Australia, more so than [anywhere] else and that's exciting to hear."

Resellers working with a QSA to verify their customers' security policies need to demonstrate to the assessor how their security technology achieves the goals of the PCI DSS.

"At the end of the day the merchant has to implement it appropriately and either the merchant or the QSA has to verify that the implementation is secure. So the more the QSA knows about the reseller's specific technology the better prepared they are going to be to assess that technology," says Leach.

Murray Goldschmidt is managing consultant and director of Sydney-based QSA Sense of Security. He says Sense of Security often receives calls from hosting providers competing for tenders that require a PCI-compliant hosting environment.

"It involves working with a variety of service providers to help their whole solution become PCI compliant," says Goldschmidt.
