Analysis: How to profit from PCI compliance


The credit card majors - Visa, MasterCard and American Express - are banging the drum on data security for all companies that hold credit card data, with renewed threat of fines for companies that don't meet Payment Card Industry (PCI) standards. But the new push holds opportunities for smart players in security technologies.

The challenge for resellers is to understand the PCI Data Security Standard (DSS) so they can give their customers the advice they need to process credit-card payments, and sell them the technology to stay compliant.

The basics of PCI

In September 2006 the five leading global financial institutions - American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - jointly announced the formation of the PCI Security Standards Council, an independent body designed to manage the evolution of the PCI DSS, a set of 12 requirements intended to manage and secure cardholder data that is stored, processed or transmitted by merchants and processors. In detail, the 12 requirements break down to around 200 steps.

Any company that deals with credit card numbers - and that's nearly every business these days - is obliged to implement a list of security technologies and policies to protect that data. Unenforced policies have allowed hackers to scoop databases from corporate networks and flood the internet with stolen credit-card numbers.

The credit card companies are gearing up to penalise Australian businesses for failing to follow the guidelines and protect the financial details of their customers. One reseller told CRN that he is aware of organisations that have been fined for storing prohibited data and "more are anticipated", with MasterCard reportedly the most active, levying up to $5000 a month in fines.

The alternative to a fine is the threat of withdrawing the use of a "payment brand"; jewellers, for instance, who couldn't process Visa card payments would stand to lose a lot of business.

So, the first rule resellers should know about PCI DSS is that every business which accepts credit cards is required to comply with every rule in the standard, regardless of whether the business or "merchant" conducts one credit card transaction a year or hundreds of thousands.

The second rule is that no one technology, nor technology alone, will make a business compliant. Third, the requirements are nothing more than what a business should already be practising as part of an existing data security policy.

The tyranny of numbers

One reason why businesses may struggle to comply with the data security requirements is the way in which each credit card company measures compliance with the same set of rules.

"The five payment brands have agreed to PCI DSS as the 'what' an organisation needs to do, how high they need to jump, we all agreed to that," says Michael Nott, manager of data security at American Express, Japan, Australia and Asia Pacific.

However, "one of the things the community doesn't really understand is that each of the payment brands has its own program for monitoring and measuring compliance with PCI DSS," explains Nott, who is also the chairman of the Technical Working Group for the PCI Council.

This means that a car-rental agency's proven compliance with the 12 requirements of PCI DSS could be judged differently by Visa and MasterCard according to each credit company's program, which details merchant levels and monitoring methods. Visa's program is called the Account Information Security (AIS) program; MasterCard has the Site Data Protection (SDP) program and Amex's program is the Data Security Operating Policy. Merchants are classified into three or four levels based on the number of transactions they process a year. The smaller the merchant, the less proof is required.

"There's the compliance requirements [and] there is also the concept of validation. It's important to realise the difference between compliance and validation," says Stephan Overbeek, senior security consultant at Sydney-based Shearwater Solutions.

"I always make sure my customers understand the difference. Each [merchant] level has to validate in a different way, [and] to validate compliance with PCI DSS depends on the level of the organisation," says Overbeek.

The problem for businesses is that their validation requirements can change yearly depending on how many transactions they process with each card brand.

Resellers can help their customers keep track of their compliance obligations by familiarising themselves with each credit-card company's requirements. However, this is neither easy nor simple, as the following American Express example for its Level One merchants demonstrates.

American Express classifies businesses requiring its toughest level of verification as Level One. Businesses which make more than 2.5 million American Express transactions in a year automatically qualify, as does any merchant which has had a "data breach".

Also American Express can decide that a business should be judged at Level One even if it doesn't fall under the above criteria.

Level One merchants are expected to do an onsite assessment with an annual "executive summary" by an internal auditor, and conduct a quarterly vulnerability scan.

If an organisation is not compliant, it can either fix its problems and resubmit its reports, or submit a project plan to American Express that explains its security issues, its plan of action and a timeframe for addressing them.

Nott says a Level Two merchant is only required to "perform a quarterly vulnerability scan". For a Level Three merchant Amex doesn't need to see any validation documents.

"We don't need to see anything from a Level Three; we still expect them to be PCI compliant, they just don't need to prove it to us. If there is an issue we would do a forensic investigation to determine whether they were compliant.

"Our whole program is aimed around working with merchants to get them to achieve compliance, so we're looking at how we can help them or what steps they're taking to actually achieve PCI DSS compliance."

To date Amex has not fined anyone in Australia for non-compliance but says it "reserves the right".

And then there is the question of who to report to. In the case of American Express, a business needs to prove compliance directly. Other payment brands hand over the job to the "acquiring bank", which is the supplier of the point-of-sale terminal the business uses to make the credit-card transaction.

Penalties for non-compliance are meted out in some cases by the acquiring bank, except in the case of American Express which enforces it directly.

Bear in mind that American Express' Nott is only interested in the number of Amex transactions a business processes. Even if a merchant had made millions of Visa transactions, it would be irrelevant to American Express' rules of verification.

Reseller opportunities

Other credit card companies have stricter requirements. Visa mandates that its merchants use an externally qualified assessor rather than an internal auditor.

Visa requires its Level One merchants to be assessed by a PCI Council Qualified Security Assessor (QSA) annually and an Approved Scanning Vendor (ASV) quarterly.

QSA-certified companies have qualified personnel and processes to assess and prove compliance with PCI DSS. ASVs provide commercial software tools to perform vulnerability scans of merchant systems.

Tim Smith is the security practice director for Brisbane-based Bridge Point. The information security and network integrator was certified as a QSA last year. The integrator has three qualified PCI assessors and business is "most definitely" growing as a result.

"It's really followed where the acquiring banks themselves have put pressure on the merchants to get certified and they've logically gone for the larger enterprise customers first," says Smith.

"We're almost running like a bureau service to serve smaller merchants and aggregators that just need help filling in their Self Assessment Questionnaire (SAQ) all the way to larger enterprises and government entities and gateway companies.

"For larger enterprises the main work we can do is help them compartmentalise the area that will need to be certified. For the smaller organisations the more security savvy they are the easier it is, but really it's anything from advisory or a hand-holding exercise to a full blown enterprise job. It can be anything from a total of a couple of days through to two or three months," says Smith.

Smith says most of Bridge Point's leads come from being listed on the PCI council's website as a QSA; the rest is from word of mouth and national advertising.

In Australia there are currently a handful of qualified QSAs. The criteria for becoming a QSA are tough, and on top of an annual test the council recently launched a quality assurance program in which it assesses QSAs to make sure they are as well versed in the standard as they claim to be, says Troy Leach, CTO of the PCI Council.

"We have a high set of criteria for the QSA and we keep them publicly available on our website," says Leach. "We want everyone to know the credentials that a QSA company must have in order to have that accreditation."

The criteria include insurance and technology requirements as well as the ability to demonstrate "a very solid security practice as well as an internal quality assurance program", says Leach.

There are several opportunities a year for resellers to get certified as a QSA. The PCI Council runs the certification process seven times a year, appointing six or seven assessors in each batch. In the current cycle there are three Australian QSAs, says Leach.

"I've heard from the QSAs there's a regional uptick [in QSA verifications] in Australia, more so than [anywhere] else and that's exciting to hear."

Resellers working with a QSA to verify their customers' security policies need to demonstrate to the assessor how their security technology achieves the goals of the PCI DSS.

"At the end of the day the merchant has to implement it appropriately and either the merchant or the QSA has to verify that the implementation is secure. So the more the QSA knows about the reseller's specific technology the better prepared they are going to be to assess that technology," says Leach.

Murray Goldschmidt is the managing consultant and director for Sydney-based and QSA-certified Sense of Security. He says Sense of Security often receives calls from hosting providers competing for tenders that require a PCI-compliant hosting environment.

"It involves working with a variety of service providers to help their whole solution become PCI compliant," says Goldschmidt.

Hosted, validated

In August, Sydney-based managed security service provider (MSSP) earthwave announced that it had received its PCI certification, claiming it was the only MSSP to have done so in Australia. Earthwave has six QSA partners and it took the company around a month to become certified. CEO Carlo Minassian says he saw an opportunity as existing and new clients were increasingly requesting PCI compliance.

"They were being penalised as a result of the new standards," he says. According to Minassian, PCI DSS v1.2, which came into effect in October 2008, insists that any merchant outsourcing their security infrastructure management, such as firewall and IPS systems to a managed security service provider, must also ensure their preferred MSSP is certified.

"That's where we come in. We got ourselves certified so that our customers going through an audit can just point the auditor to us and say, 'earthwave is certified'. If I had 50 clients [and] I wasn't certified, all 50 would have to pay their QSA to audit earthwave. Because we've audited ourselves all we have to do is show them our certificate and that's it," he says.

In some cases a QSA audit is not mandatory. Instead the payment brands request a Self-Assessment Questionnaire (SAQ) to be completed. The questionnaire is intended to help merchants and service providers determine whether they are complying with the PCI DSS.

However, there are four SAQ versions based upon five different categories of merchants.

In Amex's case in the APAC region, Amex does not require organisations to complete a SAQ, says Nott. "You can still complete it as a measure of your compliance status and use that but we're not required to see it."

200 steps to success

PCI DSS involves more than 200 requirements and the majority of these are technology based, but there are many business processes as well, says the PCI Council's Leach.

"There are requirements around background checks, making sure that those individuals who have access to the technology are upstanding citizens. One solution will never make a merchant or a service provider compliant," says Leach.

For resellers to have any success selling products around PCI it is vital for them to communicate that PCI is more than just a product. They have to understand the standards, says Leach.

"The key for the resellers is the better they understand the PCI standard and the requirements placed upon their clients the better prepared they are to sell those products."

Resellers increasingly understand general security principles, that "you have people, processes and technology in order to make any business process work and for any process to be secure. Even though they are selling the technology they still have to have a fundamental understanding and awareness of how to keep their environment secure once they've purchased 'our' technology," says Leach.

Speaking as a security expert, Minassian argues that compliance does not in itself mean security.

"PCI is not such a difficult thing to achieve, it's not rocket science. But still people struggle to maintain it because it's a discipline. Security is a discipline, it's not a product." Minassian says lots of people buy products as part of the 12 requirements but they don't know how to operate them.

Other experts agree.

"You can't just throw a bunch of tools at it and walk away - you need to make sure you follow up on things that the tools actually find," argues Amex's Nott.

"PCI DSS is very much the baseline of security. If an organisation has a good handle on its security posture and understands the risks to the company for preventing data loss then they would already have a lot of security tools in place. PCI DSS really has a lot of structure around processes and people."

Finding the right technology

Having said that, certain technologies are mandatory for PCI DSS compliance and resellers have a vast range of products they can sell as part of a PCI solution.

Requirement one of PCI DSS v1.2 details the need for a firewall and requirements two and three stipulate encryption. Patch management tools could be used for requirement six and access and identity management tools for requirement seven. Requirement 11 is around testing systems and procedures, and the scan will only be accepted if it is performed by an Approved Scanning Vendor.

"In the first instance you need to have at least a firewall that is protecting the cardholder information," says Murray Goldschmidt from Sense of Security. "It needs to be procured. Most companies have got firewalls already but that firewall may need to be reconfigured. So [for resellers] there's a professional services [requirement]. Or [merchants] may need to get a newer firewall because [PCI says] you have to segregate the cardholder environment from the rest of the environment.

"Requirement three, which says 'protect stored cardholder data', is really around encryption and protection of sensitive information. Encryption is the most difficult or the most complex attribute of the standard to address correctly," says Goldschmidt.

"It's really where organisations struggle the most, because encryption is complicated - it always has been complicated. It can be delivered by a combination of hardware or software or both. And traditionally the products have been expensive and have to complement existing systems with third party tools," says Goldschmidt.
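As an added example, not from the article or from any of the vendors it quotes: a small Python check for the "protect stored cardholder data" requirement, which scans constructed sample records for full card numbers and stored card verification codes (the kind of prohibited data merchants have been fined for keeping) and masks what it finds. The record format, the field names and the use of the standard Visa test number are assumptions.

```python
import re

# Constructed sample records, not taken from the article. One stores a full
# PAN, one also stores the card verification code (prohibited after
# authorisation), one is already masked, one is a plain order reference.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/27",
    "order=1002 pan=4111111111111111 cvv=123",
    "order=1003 pan=411111******1111",
    "order=1004 ref=12345678901234",  # 14 digits but fails the Luhn check
]

# Candidate PANs are 13 to 19 digit runs; assumed field name for the CVV.
PAN_RE = re.compile(r"\b\d{13,19}\b")
CVV_RE = re.compile(r"\bcv[vc]2?=\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that card numbers satisfy; weeds out other numeric ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_violations(record: str) -> list:
    """Return (kind, value) findings for one stored record."""
    findings = []
    for m in PAN_RE.finditer(record):
        if luhn_ok(m.group()):
            findings.append(("full_pan", m.group()))
    if CVV_RE.search(record):
        findings.append(("sensitive_auth_data", "cvv"))
    return findings


def remediate(record: str) -> str:
    """Drop stored CVV fields and mask any full PAN; a token or encrypted value
    would replace the PAN where the business still needs a lookup key."""
    record = CVV_RE.sub("", record).rstrip()
    return PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), record
    )


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(find_violations(rec), "->", remediate(rec))
```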

Scott Robertson is the country manager for firewall and VPN appliance vendor Watchguard. He says PCI hasn't taken off as quickly in Australia as in the US. So far, he says, large companies and larger retailers are implementing solutions and only small business retailers are committed to improvement.

"Essentially the framework is talking about having a segregated, trusted network separate from the core network. Watchguard sits in between the access of networks as a firewall and facilitates the traffic in and out of the network. So it's very much an integral part of any PCI solution - they need a firewall.

"When you think about designing these networks the very first piece of technology you're really looking at is something that can protect the core of the network, and that's a firewall. But certainly two-factor has become part of the [PCI DSS] as well."

TripWire provides change-detection capabilities, a technology required for requirement 10 which says merchants need to "track and monitor all access to network resources and cardholder data". Robert Kidd, vice president for Asia Pacific at TripWire, says in Australia there is a growing appreciation that PCI is important to the merchant and the consumer.

"For our channels, we have several partners. One example is Frontline where they have a specific vertical focus. The opportunity is to engage with them to identify which specific verticals need a focus around PCI and where is the opportunity and where is requirement. Then we provide deeper training to those channels and those verticals," says Kidd.
