Caveat Vendor: PCI Is Here

Here’s one of those cold chill up your spine thoughts: Every day, there are at least two new threats to data security developed by identity thieves and Internet system hackers. And it never stops. Security pros slam and lock one gate and the hordes find another chink and slither through.
Now, here’s another real spine chiller: If they make it through and steal your customer’s data, it is your fault.

Brad Caldwell

Two-thirds of the states now have laws that make it a prosecutable offense if an ecommerce merchant fails to maintain compliance with data security standards, allowing hackers, phishers and other varmints to invade their system. California was, at this writing, close to passing the Consumer Data Protection Act, which would force retailers who compromise data to reimburse banks and credit unions for the costs associated with data compromise.

And don’t try the “it’s not my server, I’m just renting space” defense. It won’t work. You collect the data, you protect it. It is a payment card industry requirement (and a legal requirement in 39 states) that everyone who collects and stores customers’ credit card and personal data be in compliance with the Payment Card Industry Data Security Standard (PCI/DSS) if they are to avoid being liable for costs incurred when data is compromised. Being in compliance is, at this point, your only defense against an industry fine or a card-issuer levy. That sounds like a daunting task that sort of takes the fun out of life and business on the Internet. But there is an army of Anti-Hackers who can help.

What is PCI/DSS?

Brad Caldwell is one of the founders of a company with a very cyber-sounding name — Security Metrics, which is in the business of testing websites for data security and vulnerability. Brad actually understands all this PCI stuff and knows how you can protect yourself without a staff of hundreds in your IT department (a department you probably don’t have anyway). We asked Brad to explain to us what PCI/DSS is.

CALDWELL: What happened was all the credit card companies had all of their own data security systems and standards and they were all different. So all of the large (retail) companies came to them and said we need to have one standard. So the credit card companies got together and created a standard that they all agreed to, which is what is now the Payment Card Industry Data Security Standard. It is all about card data security. When a card brand (e.g. Visa, MasterCard) needs the industry to comply with certain security issues, they add it to the standard and issue a date of compliance requirement.

PEC: So the question comes, who actually is liable for compliance with PCI/DSS or the protection of customer and credit card data?

CALDWELL: It is the merchant’s responsibility. The merchant is the one who is trying to attract people to purchase goods on their server. The credit card brands have determined that it is up to the merchant to be secure. What we are really talking about is, anyone who collects, stores, or transmits card data, which is pretty much anyone who takes credit cards (for payment). What PCI asks is that a merchant who has an IP that touches any kind of data be tested for security and the ability to withstand threats. If you simply have a brochure type site up that doesn’t sell anything online or collect any data, you don’t need testing. Now, if you have an office and QuickBooks and you store data in QuickBooks and you are connected to the Internet, you have to have that firewall and connection tested.

PEC: Compliance, testing, firewalls, IPs, data storage, touching the Internet, it all sounds complicated and expensive.

CALDWELL: It was, in the past. Before I started Security Metrics I was involved in selling WordPerfect for Linux online and I was concerned about hackers and security. I looked around then, and the best deal I could find was for $80,000, and that was just the first assessment. Now it’s a lot easier and much less expensive.

PEC: So how does a merchant begin the task of testing for and coming into compliance with PCI?

CALDWELL: Well, they can start by calling a company like ours. Rather than the merchant having to understand all the levels of compliance, our compliance consultants can ask a few simple questions and determine what needs to be tested and how.

PEC: What physically takes place in a test or scan?

CALDWELL: That’s a good question. We actually had a customer call up and say, “I scheduled your test for 9 this morning and nobody showed up.” What a scan is, is this: we have systems that store information on thousands and thousands of problems (vulnerabilities). Our system looks at a website and compares all of those issues with what is on that site or server. If it finds a problem, it tells you how to fix it. You fix the problem and retest. It doesn’t cost any more money to retest. When the system shows you have no vulnerabilities, then you complete a self-assessment questionnaire, which deals with things the scan can’t see, like your security and privacy policy. From there, you are compliant. If after you are compliant, you get hacked, you should be in good shape because you are in what is called “safe harbor.” If you are in safe harbor and you get attacked, the credit card companies have said they won’t fine you and you have a viable defense against prosecution under the new laws.

PEC: What about new threats, things that come to light after or between scans?

CALDWELL: If you are using a service like ours, the credit card companies recognize that you are trying to be secure. But you may not be secure; you may have what we call a zero-day exploit — something somebody just found out about this morning, for example. Now, if you didn’t have a service like ours you would be in trouble. But if you have been scanned and were compliant you could say to the company, ‘I was compliant — I was tested a month ago and I had no problems.’

PEC: What are the ramifications for a merchant who just ignores the whole security thing and doesn’t try to comply?

CALDWELL: Well, when there is a data breach and a credit card company has to reissue cards and reimburse cardholders, somebody has to pay for that. The issuer isn’t going to pay, because the merchant is the one who lost the credit card number from his system. So normally what is going to happen is there is an assessment that says you are going to have to pay for, say, 10,000 cards.

PEC: Is there a situation where the merchant can become criminally liable?

CALDWELL: There are 39 states that now have laws protecting credit card data. And we have been asked by the credit card brands that our data could be used for evidentiary purposes. We haven’t seen criminal cases yet, but we’re seeing civil lawsuits being filed — the TJ Maxx case comes to mind. But I think we’re going to have that (criminal prosecution) happening on a fairly large scale. Without certification that you are compliant with PCI/DSS, you are liable for prosecution should your data be compromised.

PEC: Where does the merchant start, if he/she doesn’t know if they’re in compliance?

CALDWELL: They can call us (or a company like us — one that is certified by the payment card industry). Our consultant will ask some questions about the site, how they take cards, how they store data, the privacy and security policy. They will look at the site with them while they are on the phone. Based on that conversation and what we see on our risk assessment console, we may recommend scanning an IP or several IPs. Our service is $140 a year per IP ($199 for two) to provide quarterly scans and assessments. When the merchant gets our assessments they need to look at them and fix whatever vulnerabilities may have come up. The merchant may also do manual scans whenever they want to at no extra cost. For instance, they may want to scan as a way of checking to see if their fixes took. Merchants might want to think about PCI/DSS compliance like they thought about anti-virus software on their computer. It is a fact of life. In the modern world of the massive Internet, with millions of computers accessing the system, it is unthinkable to collect other people’s data and not protect it. What is happening now is the onus is on the merchant. That is what PCI/DSS is all about. The good thing about it is that companies like Security Metrics have made it easy and quite affordable to comply and protect yourself and your customers.

SecurityMetrics is a Qualified Payment Application Security Company (QPASC) offering a security appliance with vulnerability assessment, intrusion detection and intrusion prevention services. The company has more than 800,000 clients. It is a privately held corporation headquartered in Orem, Utah.

Michael A. Cox