In today's card-centric business and consumer environment, millions of consumers and businesses utilize various types of payment cards to complete billions of retail purchases and transactions at the register, on the web, through the mail and over the phone.
To have the right to process payment card transactions, retail organizations must comply with the Payment Card Industry Council's Data Security Standards (PCI DSS). PCI DSS requires organizations to protect cardholder account information throughout the transaction lifecycle, from the point of sale, data transfer and storage of account information.
Retail organizations that process payment card transactions often store cardholder account information in distributed data repositories that have become targets of organized criminals, who steal account data and use it for illicit purposes.
Organizations that fail to comply with the PCI DSS standard or those that suffer a breach during a period of non-compliance face heavy fines, can potentially lose the right to process payment card transactions, and often face severe and costly civil litigation proceedings. The cost of fines and litigation can be devastating. In the high-profile case of TJX (owner of T.J. Maxx, Marshalls, Home Goods and A.J. Wright retail chains), the company reported a spend of $202 million in response to the breach that compromised the cardholder account information of as many as 40 million customers. The money is being spent to handle more 20 lawsuits brought against it by banks and consumers in the U.S. and Canada and to pay settlements with credit-card associations. Compliance violation related fines can be as high as $500,000 per incident and the cost-per-data-file compromised can reach $302.
Organizations are spending millions of dollars and pouring countless man-hours into building compliant networks and systems. Though the PCI Council's DSS provides comprehensive requirements that retail organizations must follow to have the privilege of processing payment card transactions, it doesn't identify any specific technologies to enable compliance other than firewalls. Too often, organizations are left to interpret the standard on their own and develop their security strategy and implementation plan, then prove they are in compliance with the Council's mandate to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
It's safe to assume that virtually all retail organizations that rely on networks to transact business and process payment card transactions use firewalls and anti-virus solutions as essential building blocks in their access and security strategies. However, IT professionals know that firewalls and anti-virus solutions aren't the only technologies needed to address the Council's mandates. The tougher questions that remain for retail industry IT professionals are “How can I be sure the solutions I have deployed are effective?” and, “How can I make responsible buying decisions for the future?”
There are the age-old practices of relying on analysts and solutions providers to solve the problem. However, even IT departments relying on this decision method should have a basic set of criteria checked off before signing a purchase order.
When getting ready to make purchasing decisions aimed at PCI DSS compliance look for solutions that:
- Enable granular segmentation inside of the firewall so that access to data repositories and applications can be governed inside of the network perimeter
- Implement a solution that can provide enforcement of policies and monitoring of user activities for reporting.
- Are quick and simple to deploy and manage
- Have high transaction processing capabilities so that enterprise-level throughput can be supported
- Are flexible and scalable so that changing business priorities and access policies can quickly and easily be implemented
- Are cost-effective so that PCI DSS compliance initiatives can be completed within or under budget
This is by no means a comprehensive set of evaluation criteria but it is a solid starting point to understanding what is needed to ensure PCI DSS compliance.
One more thing to keep in mind is that during the past several years a number of vendors have emerged that provide point solutions for problems PCI DSS compliance causes. During times of economic uncertainty, your organization may tend to shy away from new solutions; don't let “newness” be a deterrent. Often times “proven” solutions from established vendors end up being nothing more than remarketing of old products. PCI DSS has acted as a catalyst for many of the truly new innovations that are on the market today and are well-suited to do the job, come with attentive support that only small organizations can provide, and are more cost effective.