PCI Risk Assessment Tips OfferedCouncil Issues Guidelines to Address Security Shortcomings
In its just-released guidelines for ongoing risk assessments, the Payment Card Industry Security Standards Council notes three specific areas for improvement.
The guidelines, which are intended for any organization that handles credit or debit card data, offer specific recommendations for risk assessments, such as how to create an internal risk-assessment team and address risk reporting.
But Bob Russo, general manager of the PCI Council, points out that card data is only as secure as the weakest link in the payments chain. Compliance with PCI-DSS is the responsibility of all organizations and businesses that handle card data, he stresses. They must ensure that all links in the payments chain keep card-data protections up-to-date.
"The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time," Russo says.
Requirement 12.1.2 of the PCI-DSS states that any organization that processes or handles payment cards must perform a risk assessment at least annually. The PCI Council's new recommendations include the need for:
- A formalized risk assessment methodology that fits the culture of the organization;
- A continuous risk assessment process that addresses emerging threats and vulnerabilities;
- An approach that uses risk assessments to complement, not replace, ongoing PCI Data Security Standard compliance.
While the PCI Council does not enforce compliance, merchants, processors and others found to be out of PCI compliance after a breach or some other event will likely face steep fines from the card networks.
"Performing a risk assessment at least annually will help you identify the security gaps and address them," Russo says. "The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process."
Addressing Common Threats
The guidelines, issued Nov. 16, point out that where risk-assessment processes are not already in place, organizations need to establish well-defined methodologies.
"Organizations will need to define and document their risk-assessment methodology, identify individuals who will need to be involved, assign roles and responsibilities and allocate resources," the guidance suggests.
Other recommendations include:
- Turning to other industry sources, such as the International Organization of Standardization and the National Institute of Standards and Technology, for examples of industry-accepted risk-assessment methodologies;
- Building assessments around business processes, assets, threats and vulnerabilities;
- Creating a risk calculation matrix to quantify and qualify risks.
35 Threats Identified
A special interest group comprising banking institutions, merchants, security assessors and technology vendors developed the guidelines, which include a list of 35 identified threats, vulnerabilities and risks most common to card-data security.
Among the vulnerabilities are weak password policies, firewalls not configured for adequate Internet and network security and the transmission of unencrypted cardholder data. Others threats and vulnerabilities include:
- A lack of awareness about socially engineered schemes, such as phishing;
- Insufficient system hardening and malware protections;
- Compromise of sensitive data via intentional or unintentional internal breaches;
- The theft or replacement of payment terminals.
Recent Card Breaches
Card breaches over the last two years, including intrusions at payments processor Global Payments and point-of-sale compromises at the Penn Station restaurant chain and at Michaels craft stores, have put a spotlight on PCI vulnerabilities.
The PCI Council and processors have responded in the last year by offering programs to help smaller merchants and businesses enhance card security practices.
In August, the PCI Council launched a new training program that directly addresses ongoing security flaws at the point of sale. The new Qualified Integrators and Resellers Program is designed to educate and train POS device and system integrators and installers about the nuts and bolts of PCI compliance, emphasizing the roles they play in POS security.
The program is the council's response to breaches that have resulted from poor POS installations, which can leave remote access portals vulnerable to attack, Russo says.
Heartland Payment Systems, a payments processor that in 2009 suffered a breach that exposed 130 million U.S. debit and credit cards, also has spearheaded efforts to address POS and card security.
In the wake of breaches suffered by Penn Station and other Heartland clients, Heartland began assisting its merchants with post-breach investigations and ongoing education about security vulnerabilities that can result from POS hardware and network upgrades (see Heartland Takes Aim at POS Fraud).
John South, Heartland's chief security officer, says the processor is offering advice because many merchants lack security expertise. "Their specialty is not in securing networks," he says. "And many have little or no experience in installing hardware or software to do that."
And in April, just a month after its North American server suffered a breach that exposed 1.5 million debit and credit card accounts, Global Payments began taking steps to promote PCI compliance recommendations for its merchants. The company enlisted two PCI qualified security assessors - SecurityMetrics and Trustwave - to assist smaller merchants with PCI risk assessments.
"The best way to obtain your compliance is to validate with a qualified secured assessor," Global stated on its website when the offer was announced.
But Russo stresses precautions and adequate measures will vary from organization to organization. "Size is just one of the many factors," he says. "A smaller organization, for instance, has fewer assets that they have to consider. But the core components of the risk assessment are really going to be the same."