Posted on October 13, 2008 
With data-theft incidents making headlines, credit card issuers are putting the heat on merchants, financial institutions and other organizations to comply with complex security standards. The consequences of non-compliance are severe — they could literally put a company out of business.
The Payment Card Industry (PCI) Data Security Standard (DSS), mandated by Visa, MasterCard and other card issuers, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with 12 key data protection measures and submit to security audits. Under the rules, companies must protect cardholder transaction data through logical and physical access controls, activity monitoring and logging, encryption, and regular network scans. Companies could face penalties of up to $500,000 for breaching customer credit card information.
PCI DSS Version 1.2 became available on Oct. 1, 2008. The update is designed to clarify technical requirements, improve flexibility, and address new and evolving risks and threats.
“The new release of the PCI data security standard is increasing the pressure on banks and other organizations to move toward PCI compliance,” said Lantz Litchfield, VP of Professional Services, FusionStorm. “FusionStorm stands ready to help organizations meet the challenges associated with this new standard.”
Evolving Standard
Since the distribution of DSS version 1.1 in September 2006, the PCI Security Standards Council has worked with merchants, banks and other organizations involved in credit card transactions to address real-world threats and DSS implementation challenges. Based upon their feedback, DSS version 1.2 incorporates existing and new best practices, provides further scope and reporting clarification, eliminates overlapping sub-requirements, and consolidates documentation. It also provides an enhanced FAQ and glossary to facilitate understanding of the security process.
While the updated standard is designed to anticipate, identify and mitigate future security threats, it does not add any core requirements beyond the existing 12. These requirements include maintaining a working firewall, applying security patches and keeping antivirus programs up to date, and encrypting transmission of cardholder data across public networks.
Other requirements include assigning unique IDs to employees with computer access and tracking them, and changing vendor-supplied defaults for system passwords and security measures. Furthermore, merchants must regularly test security systems and processes, maintain information security policies for employees and contractors, restrict physical access to cardholder data, and track all access to network resources and cardholder data.
Finding Vulnerabilities
A FusionStorm Security Assessment can help determine if your organization is adequately protected from threats. The first step is a Security and Compliance Audit, based upon the Information Assurance Methodology (IAM) developed by the National Security Agency (NSA).
First, FusionStorm’s security and compliance specialists will review your organization’s information security policy to verify that it supports your business needs, is in line with industry best practices, and supports compliance with state, federal and industry-specific regulations such as the PCI DSS.
FusionStorm will also review and analyze your procedures, processes, devices and configurations to ensure that the designed architecture effectively enforces the organization’s security policy. A gap analysis is included in each section’s report, with business-appropriate recommendations on how to close the gap between the current and desired security postures.
The second step in the process is a Security Device Health Check, a hands-on verification of the configuration and maintenance of the actual security devices within your IT infrastructure. These devices can include firewalls, VPNs, routers and switches, IDS/IPS devices, encryption appliances, content filters and antivirus solutions.
Next, FusionStorm provides independent third-party vulnerability assessments. Vulnerability testing identifies networked systems and comprehensively scans them to detect security weaknesses. Vulnerability assessments can be external (Internet-facing), internal (LAN-based) or custom (targeted to meet the specific requirements of your environment). A vulnerability assessment also includes recommended remediation steps.
Finally, FusionStorm provides independent third-party penetration testing. A penetration test provides not only a functional verification of the security architecture, but also tests your organization’s incident response capabilities.
“Hackers are constantly looking for vulnerabilities that could allow them to take control of all or part of the server and potentially steal credit card numbers and other information. Our security and compliance services are designed to help prevent that kind of activity,” said Litchfield.