Fraud Update


PCI compliance is a problem for more than 85 percent of merchants, according to Paul Giardina, Senior Vice President of marketing at Protegrity, Stamford, CT, a company that provides data protection technology.
Giardina, who discussed these security issues at the 2006 Teradata Partners Conference, held in late September in Orlando, FL, says that companies should pursue “defense in depth,” adding layers of security as the risk and the value of the data to be protected increase.
PCI is one of several new laws that businesses have had to concern themselves with over the last few years, according to Giardina. It incorporates elements of Canada’s PIPEDA, HIPAA, several state laws and other international regulations.
Visa and MasterCard have required compliance for more than 18 months, and compliant merchants are protected from fines in the event of a data breach. Yet only 15 percent had met PCI standards by January, according to a Visa survey. A Protegrity survey showed similar results.
According to the Protegrity survey, less than 5 percent of merchants had passed the PCI assessment and a little more than 30 percent had started their assessment. Nearly 20 percent failed their initial PCI assessment, about the same percentage that said they were just starting the PCI compliance process. Fully one-quarter of merchants had yet to start their PCI compliance process.
Even though the percentage from Visa’s survey has doubled in the last nine months, the large majority of merchants is still short of the standard, which comprises 12 requirements (for more information, see www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf).
Giardina recommends prioritizing projects based first on which security holes present the highest risk to the company (e.g., adding firewalls for personal computers) and then using ease of implementation as a secondary factor.
Firms should therefore first test themselves against each of the 12 PCI requirements and rate the risk factor from 1 (low) to 5 (high), and do the same for the difficulty of fixing each security deficiency. “Go for the low-hanging fruit,” Giardina says.
Following this approach also demonstrates that a firm is taking a methodical approach to data security, one of the factors that regulatory authorities weigh in determining an organization’s liability.

Visa USA and the U.S. Chamber of Commerce recently listed the following as the five top causes of data breaches and protection solutions:

Storage of magnetic stripe data

The most common cause of data breaches is a merchant or service provider storing sensitive information encoded on the card’s magnetic stripe, in violation of the PCI Data Security Standard. This can happen because a number of POS systems improperly store this data without the merchant being aware of it.
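Because the POS software, not the merchant, decides what gets written to disk, the practical check for this item is to scan the system's own logs and databases for full-track records. The following scanner is an added example, not code from the article, Visa or the Chamber; it matches the Track 1 and Track 2 layouts, uses a Luhn check to drop digit runs that are not plausible card numbers, and runs over constructed log lines that use the well-known 4111111111111111 test card number.

```python
import re

# Luhn check: only flag a digit run that is a plausible card number (PAN).
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(lines):
    """Return (line number, track type, masked PAN) for every full-track record found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((n, label, mask_pan(m.group(1))))
    return hits

# Constructed POS debug log (not a real capture); 4111111111111111 is a standard test PAN.
SAMPLE_LOG = [
    "2006-09-28 10:01:02 sale ok amount=42.10 ref=000123",
    "2006-09-28 10:01:03 debug raw=%B4111111111111111^DOE/JOHN^2512101123400001?",
    "2006-09-28 10:01:03 debug raw=;4111111111111111=2512101123400001?",
    "2006-09-28 10:02:11 debug raw=;1234567890123456=2512101?",  # fails Luhn, not a PAN
]

if __name__ == "__main__":
    for n, kind, pan in find_track_data(SAMPLE_LOG):
        print(f"line {n}: {kind} data stored for PAN {pan}")
```

A hit on a production log or database means the system is retaining data that the standard forbids storing after authorization, regardless of whether the merchant knew the POS vendor wrote it there.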

Missing or outdated security patches

In this scenario, hackers are able to penetrate a merchant’s or service provider’s systems because up-to-date security patches have not been installed, leaving the systems vulnerable to intrusion.

Use of vendor-supplied default settings and passwords

In many cases, merchants receive POS hardware or software from outside vendors who install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL Injection

Criminals use this technique to exploit coding vulnerabilities in Web-based applications and to attack a merchant’s Internet-facing applications (e.g., shopping carts). According to Protegrity’s Giardina (see above), SQL injection is one of the newer intrusion methods popular with hackers today.
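The coding vulnerability behind most SQL injection is a query assembled by pasting request input into SQL text; the fix is to bind the input as a parameter. The shopping-cart lookup below is an added example, not code from the article or from any product it names: a constructed in-memory SQLite catalogue with one row that should never be shown, and the same lookup written the vulnerable way and the parameterised way.

```python
import sqlite3

def build_catalog():
    """Constructed in-memory stand-in for a shopping-cart product table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL, visible INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("A100", "Widget", 9.99, 1),
        ("A200", "Gadget", 19.99, 1),
        ("X900", "Internal test item", 0.0, 0),   # hidden: visible = 0
    ])
    return db

def lookup_vulnerable(db, sku):
    # The SKU from the request is spliced into the SQL text, so it can rewrite the query.
    sql = "SELECT name FROM products WHERE sku = '" + sku + "' AND visible = 1"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, sku):
    # Bound parameter: the driver passes the SKU as data, never as part of the statement.
    sql = "SELECT name FROM products WHERE sku = ? AND visible = 1"
    return [row[0] for row in db.execute(sql, (sku,))]

if __name__ == "__main__":
    db = build_catalog()
    print(lookup_vulnerable(db, "A100"), lookup_safe(db, "A100"))  # identical for normal input
    crafted = "' OR 1=1 --"   # textbook test input: closes the quote, comments out the rest
    print(lookup_vulnerable(db, crafted))  # whole table, hidden row included
    print(lookup_safe(db, crafted))        # empty: no SKU equals that literal string
```

The same input that dumps the whole table through the concatenated query is matched literally against the sku column by the bound version, which is why PCI DSS requirement 6 treats this as a coding defect to fix in the application rather than something to filter at the network edge.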

Unnecessary and vulnerable services on servers

Servers are often shipped by vendors with unnecessary services and applications enabled, although the user may not be aware of it. Because those services are not needed, their security patches and upgrades tend to be ignored, leaving the merchant’s system exposed to attack.

As part of its effort to help businesses keep their data secure, the U.S. Chamber is distributing the Visa security alert to its full membership of small and mid-sized businesses nationwide. The Chamber will also work with its national network of local chambers of commerce to ensure this information reaches as many businesses as possible. The Visa alert, along with answers to common data security questions, can be found at the Chamber’s web page www.uschamber.com/sb/security.

The Global ATM Security Alliance and the ATM Industry Association recently released “Best Practices for Protecting the Customer’s Personal Bank Account and Identity.” This international manual brings together best practices for both multichannel security for financial services and the prevention of identity theft. The publication represents the minimum security guidelines for fraud management within the retail banking environment.
The idea for the best practices arose when cross-channel fraud increased markedly last year, with compromises at one delivery channel, whether on POS devices or during Internet banking, leading to fraud committed at, say, the ATM. In 2005, for example, well over 50 percent of ATM fraud in the US originated in POS compromises.