Why IT Must Act Now to Meet New PCI Data Security Standards

A bevy of vendors -- including most prominent services providers -- have announced new payment card industry-oriented services.

By July 2010, most organizations that accept credit cards (or payment cards, in industry parlance) will have to be in full compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and with the payment-application mandates the card brands are layering on top of it. Note that PCI DSS is not a government regulation: it is an industry standard that the card brands enforce contractually, through merchants' acquiring banks.

In fact, organizations that want to be compliant by the 2010 deadline are already grappling with the standard. Thankfully, they have help: several vendors -- including most of the prominent services providers -- have announced PCI DSS-oriented services, similar in many cases to the services they have traditionally marketed for regulations such as the Sarbanes-Oxley Act of 2002 (SOX) and the Gramm-Leach-Bliley Act (GLBA).

From the perspective of many merchants (or anyone who handles payment card transactions), the PCI DSS is a godsend: it supplants no fewer than five competing brand-specific programs (Visa's Cardholder Information Security Program; MasterCard's Site Data Protection; American Express' Data Security Operating Policy; Discover's Information Security and Compliance; and JCB's Data Security Program). Visa and MasterCard first aligned their programs into a single PCI Data Security Standard (version 1.0, published in December 2004); in 2006 the five brands formed the Payment Card Industry Security Standards Council to own and maintain the unified standard.

That’s the backstory. The portion of the PCI DSS that is of interest to most merchants was finalized about 18 months ago (in September 2006) with the publication of version 1.1, which revised (and in places clarified) the 1.0 text. Then, in October of last year, Visa introduced a series of Payment Application Security Mandates that -- it claimed -- would help companies comply with PCI DSS. In short: a company that uses a third-party payment application must ensure that the application has been validated against Visa’s Payment Application Best Practices (PABP) guidelines, which the Security Standards Council is adopting as its own Payment Application Data Security Standard (PA-DSS). The catch is that the mandates are compulsory: the final deadline is July 1, 2010.

That’s just over two years away, which -- in the world of compliance -- isn’t much time. More to the point, the pressure is already on: as of January 1, 2008, any newly boarded merchant must be using PABP-validated payment applications. Visa announced a series of interim deadlines, too (July 1 and October 1, 2008, and October 1, 2009) for merchants and agents that process Visa transactions. The upshot, experts say, is that the onus is on merchants -- and on any vendor whose business depends on card payments -- to act fast.

That’s one reason why a bevy of services specialists -- including Computer Sciences Corp. (CSC), Electronic Data Systems (EDS) Inc., Hewlett-Packard Co. (HP), and IBM Corp. -- have all introduced PCI-oriented services offerings. Some have been more aggressive about it than others.

Consider HP, which used last week’s RSA Conference as a springboard to tout its own PCI offerings -- and as a coming-out party of sorts for its new security portfolio, HP Secure Advantage.

HP’s newest offerings are something of a hodgepodge: the productization of existing tools and services (e.g., offerings developed in-house by HP’s services arm) alongside genuinely new products and services.

The point, officials say, is that -- even though HP might be perceived as the new kid on the block, security- or PCI-wise -- its vaunted services arm has been grappling with these issues for quite some time.

“Security is probably not the first thing that comes to mind when you think of HP, but we actually have a surprisingly large amount of assets and technologies,” says Gary Lefkowitz, director of Secure Advantage products for HP. “Secure Advantage is really all about taking all of the assets that we have and taking all of the IT and know-how and products and calling some attention to the fact that we can provide this to our customers.”

Consider HP’s inaugural PCI offering, a new scanning service that it plans to market to new and existing customers.

“HP is now offering a PCI scanning capability that we didn’t offer before, and part of this is technology and folks that we brought over from some of the recent acquisitions we made,” says Eric Peterson, who heads up application security efforts for HP’s software group.

“PCI is really driving a lot of the decisions that folks are making these days in terms of how they’re securing their assets. Folks who are running sites that are doing credit card transactions online are getting put out of business if they’re getting compromised and they’re not PCI-compliant.”

In a sense, experts concede, PCI compliance is an even more serious proposition than SOX: no one has yet gone to prison for flouting SOX, whereas flouting PCI DSS can bring fines from the card brands (passed through the merchant's acquiring bank) and, ultimately, loss of the ability to accept card payments -- effectively putting a merchant out of business.

“We’re offering a PCI Scanning Service that’s focused on Web applications and e-commerce applications. We’re offering capabilities today to help you ensure that you’re in compliance [with the PCI DSS specifications],” Peterson comments.

HP doesn’t propose to do all of the fishing for its customers, either: instead, Peterson indicates, the services giant expects to teach customers to fish for themselves. “The intent is to provide individual customers with the ability to run regular, ongoing tasks in their environments, so customers can ensure their ongoing compliance [with the PCI DSS standards].”

There’s no silver bullet for PCI compliance, Peterson concedes, but education, effective scanning, and thorough validation of third-party application providers is as good a solution as any. The good news, he says, is that many large e-tailers are already well on their way -- it’s the smaller shops, or organizations whose business models don’t depend exclusively on Web-based transactions, that need to be brought up to speed. “PCI is a process. It’s a set of steps you have to take as a company, as an organization, [to be compliant],” he indicates. “What we’re offering is a complete end-to-end solution -- services plus technology plus software -- that provides you with the ability to get up to date fast.”

To a degree, customers are already under the gun, he argues. “There’s a deadline for PCI compliance in the middle of [2008], so at that point if you’re processing credit cards online and you’re not compliant, you’re going to be in trouble. Our services piece can provide that PCI certification,” he says.

“Yes, people like Amazon -- where online transactions are their bread and butter -- they probably started a little while ago, but things like PCI have really come along and put real structure around how credit card payments are processed. Even a company like Amazon is going to have to be doing these things [i.e., auditing and testing for compliance] probably monthly because it’s so critical [and] because of the volume of transactions they do.”

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.