Data Security In A Wired World
May 1, 2009 Michele Donohue
Meet the other 12-step program – the Payment Card Industry Data Security Standard (PCI DSS). There are 12 basic components to ensure safety measures are in place to mitigate credit card security risks. But under those 12 steps are more than 200 sub-requirements and many organizations aren’t reading the fine print.
Any credit card merchant, from large companies to small businesses and nonprofits, is subject to PCI compliance developed by the PCI Security Standards Council (PCI SSC) members – American Express, Discover, JCB, MasterCard and Visa. The 12 steps include measures such as maintaining a firewall, encrypting cardholder data on public networks, using antivirus software and testing security systems. PCI compliance becomes an entangled web of information technology and legal requirements that can often be confusing.
“It’s one of those areas that it’s a bit of a minefield unless you have the time, expertise and budget to cover it adequately,” said Robin Fisk, charity technology expert at Advanced Solutions International (ASI), in Alexandria, Va. Fisk said that small and medium enterprises (SME) don’t usually have the resources in infrastructure and management to maintain PCI compliance on their own.
Nonprofits face the same infrastructure problems as businesses, with an added burden. Usually a nonprofit will process more transactions for donations than a typical SME will handle for business, according to Fisk. The sheer volume of donation transactions via credit cards might make nonprofits “more exposed, perhaps, to the risks of doing something wrong,” said Fisk.
There are four merchant levels based on transaction volume. A Level 1 merchant has the highest level of transactions, at 6 million or more, and is the only level to require a compliance report completed by a Qualified Security Assessor (QSA) for an annual on-site assessment. An individual with QSA certification performs PCI compliance audits and usually works for a PCI security firm.
Level 2 merchants (1 million to 6 million transactions) and Level 3 merchants (20,000 to 1 million transactions) undergo an annual Self-Assessment Questionnaire (SAQ) for validation requirements. An annual SAQ is recommended for Level 4 merchants (less than 20,000 transactions), but not required for validation.
SAQ is then broken into five validation categories, depending on how cardholder information is obtained. For example, an organization that outsourced all cardholder data would fill out a different SAQ than a merchant that uses a stand-alone terminal with no electronic cardholder data storage.
For nonprofits that don’t have a solid IT department, even just the SAQ can be difficult. “A lot of times these things are written by these highly technical people for [other] technical people. So I think we have to understand that the first breakdown can just be simply in the fact that the communication is likely targeted for an audience that might not be with that nonprofit,” said Greg Hammermaster, president of Sage Payment Solutions, a division of Sage North America, based in McLean, Va.
“So, if you don’t have that background it can be difficult to actively answer self-examination questions. The PCI auditors are trained in the exact interpretation of each rule,” said Hammermaster.
The SAQ requires a “yes” or “no” response to questions. But, some of the compliance questions paint broad brushstrokes while breaches can happen within small security holes. For example, one SAQ question asks: “Are all paper and electronic media that contain cardholder data physically secure?” Nonprofits can simple check off “yes” without considering the minute details.
Printouts of cardholder data might be in a locked filing cabinet, but you must consider if that space is secure and how many people have access to it. If the organization has cardholder data on a computer, is that information encrypted? Can the information be transferred to an external memory device, such as a USB drive, and how safe is that portable information? Experts explained that the simplistic questions might give an organization a false sense of security if the person completing the SAQ doesn’t fully understand all PCI compliance issues.
“Quite frankly, it sometimes takes a lawyer just to understand the questions. If you’ve been through them, even trying to understand whether it’s a documentation requirement or implementation requirement or automated, you really have to parse the wording of the question just to understand. And most people have a lot of problems doing that,” said Gabe Fineman, in-house counsel for ASI.
“You tend to want to answer the questions that best fit your current situation,” said Hammermaster. “By having a third-party auditor you will not have that bias. If what you have is your self-examination with your in-house staff that isn’t trained, they might be trying to finagle it to fit within their structure.”
He said an organization should be fine with the SAQ if it has a person knowledgeable on PCI and its evolving policies. The SAQ not only evaluates the organization’s current security status, it also makes organizations more aware about the importance of security on a long-term, continuous basis, according to Hammermaster. A PCI assessment with a QSA, although not required by merchant Levels 2 to 4, might set the bar and make all staff aware of compliance issues.
Outsourcing any cardholder transactions to a reputable, PCI-compliant vendor might be the easiest way to get through a SAQ. By outsourcing any cardholder information and processing, an organization places most of the compliance burden on the third-party supplier.
“If, however, you are doing a lot of processing yourself and you chose, as an institution, whether you are a retailer, a dry cleaner or a charity, if you are going to keep that cardholder data electronically, you then fill out a different questionnaire which is 240-some questions, 30-pages long and you have got a new hobby,” said Walt Conway, Certified Payment-card Industry Security Manager (CPISM) and PCI consultant for the National Association of College and University Business Officers (NACUBO) and The Treasury Institute. Conway also is co-editor of a collaborative PCI DSS blog between NACUBO and The Treasury Institute, at TreasuryInstitute.org/blog.
Conway recommended that organizations not retain any electronic cardholder data. “There is no need for it. Full-stop, end of discussion. There is no need. None. Nada. Zip,” he said. “I [as an organization] still maintain the relationship, but all that payment stuff is away from me at a hosted, secure Web site by someone who does this for a living. There are a lot of requirements and if you do it as your living, it’s a cost of doing business. If your business is a charity or nonprofit or education – this is not your business and you don’t want to get into it,” he said.
“By using a virtual terminal or gateway, you’re going through a secure server that is outsourced and PCI certified, has all the appropriate security measures in place, so that the transaction is happening off-site in a very secure way,” said Hammermaster. These third-party providers undergo a far more rigorous battery of audits than individual organizations because they are in the business of PCI compliance.
“From a security perspective, the virtual terminal gateway removes the storage and processing from the organization’s local systems. There just really isn’t a necessity for most organizations, especially in the nonprofit sector, to have that credit card number within your technical environment,” said Hammermaster.
“Unless you have a certain budget and certain expertise and time and management controls in place, it’s almost a no-brainer. You actually have to go outside of your organization to a third party to process this information,” said Fisk. “Because what you don’t want to be doing is holding that information permanently or semi-permanently on systems that you aren’t sure are compliant with PCI.”
By going through a SAQ, experts hope that organizations will toss bad habits that would affect PCI compliance. Conway said one common misconception is that credit cardholder information is necessary for organizations to handle reoccurring transactions, such as monthly giving. “Work with your bank. They have facilities for doing recurring transactions,” Conway said. “You don’t need that card number. And I wish I had a nickel for every development department that doesn’t know that. I could retire.”
An organization that decides to outsource cardholder information should be aware that just because it stops holding information now does not mean everything is secure. Conway recommended going over old database information to make sure to purge any credit card numbers that might have been stored.
Organizations should ask a third-party provider for credentials as a PCI compliant service provider, not as a vendor. If possible, ask a third-party provider to add a statement of continued commitment to PCI compliance in a contract, he said.
“The world is different and it’s risky and it’s dangerous,” said Conway. “And if you want to take plastic, you’re going to play by the rules.” NPT