PCI DSS: Prevention is the Best Defense
By Pete Goldin
(Technology Editor Pete Goldin brings us up-to-date on PCI DSS and its effect on parking worldwide.)
Although the Payment Card Industry Data Security Standard (PCI DSS) is gaining global recognition, many parking facility operators around the world do not realize this standard applies to them.
The PCI Security Standards Council – established by the world’s largest credit card companies, including American Express, Discover, JCB, MasterCard and Visa – has developed the PCI DSS to direct merchants on exactly how to protect cardholder data.
Compliance with the standard is a requirement for any merchant anywhere in the world that stores, processes or transmits credit card data. However, says Bob Russo, General Manager of the PCI council, merchants outside the U.S., especially in emerging economies, are not always aware of the standard.
In fact, Russo says he spends much of his time traveling around the world educating merchants, banks and governments about this important standard.
The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other crucial measures to help merchants proactively protect customer account data. At the core of PCI DSS are the following requirements:
• Build and maintain a secure network by deploying a firewall and avoiding vendor-supplied defaults for system passwords and other security parameters.
• Protect stored cardholder data and encrypt transmission of cardholder data across open public networks.
• Maintain a Vulnerability Management Program by developing and maintaining secure systems and applications, as well as using and regularly updating anti-virus software.
• Implement strong access control measures that restrict access to cardholder data on a business need-to-know basis; limit physical access to cardholder data; and assign a unique ID to each person with computer access.
• Regularly track and monitor all access to network resources and cardholder data, and test security systems and processes.
• Maintain an Information Security Policy.
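The second requirement above, protecting stored cardholder data, is one that parking operators commonly violate by accident: pay-station and gate software writes full card numbers into transaction logs, and those logs then sit on a server for years. The following example (added here, not code from the article or from any vendor named in it) shows a small log scrubber that finds candidate card numbers, confirms them with the Luhn check so that ticket numbers are left alone, and masks them to the first six and last four digits that PCI DSS permits to be displayed. The log lines are constructed for the example; the field names (pan=, ticket=) are assumptions, not any real product's format.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines (not from any real pay station).
# The card numbers are the standard Visa/Mastercard test numbers; the
# 13-digit ticket id deliberately fails the Luhn check.
SAMPLE_LOGS = [
    "2010-05-03 08:12:01 pay-station-07 auth ok pan=4111111111111111 amount=4.50",
    "2010-05-03 08:12:09 pay-station-07 auth ok pan=5500 0000 0000 0004 amount=2.00",
    "2010-05-03 08:13:44 pay-station-07 ticket=1234567890123 exit granted",
]


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule), mask the rest."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, number_of_pans_masked) for one log line."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # looks like a number but is not a card: leave it untouched
        count += 1
        return mask_pan(raw)

    return PAN_PATTERN.sub(repl, line), count


def scrub_logs(lines):
    """Scrub a batch of log lines; returns (scrubbed_lines, total_pans_masked)."""
    scrubbed = []
    total = 0
    for line in lines:
        clean, n = scrub_line(line)
        scrubbed.append(clean)
        total += n
    return scrubbed, total


if __name__ == "__main__":
    cleaned, found = scrub_logs(SAMPLE_LOGS)
    for line in cleaned:
        print(line)
    print(f"{found} card number(s) masked")
```

Running the scrubber as a filter in front of the log writer, rather than as a clean-up job afterwards, is the point: once a full PAN has been written to disk the merchant is already storing cardholder data and has to protect that file accordingly. A non-zero count from scrub_logs on existing files is also a useful finding in itself, since it shows which system is leaking card numbers into logs.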
PCI and Payment
One of the parking industry’s PCI challenges is the popularity of the unattended payment terminal (UPT). Russo notes that the UPT presents a different set of challenges compared with an attended terminal. First, the very fact that the payment terminal is unattended is an inherent security issue, he says.
Second, a UPT has more moving parts than an attended terminal. UPTs generally have keypads, screens, and a printer for receipts or exit cards, and these components are all contained in a cabinet that must be secure. In addition, each one of those devices has to follow a standard to be secure.
The PCI council manages two additional standards that guide merchants in selecting technologies that have been evaluated for PCI compliance.
It assesses off-the-shelf applications via the PA-DSS (Payment Application Data Security Standard) and payment terminals that process PINs (Personal Identification Numbers) through the PTS (PIN Transaction Standard). Developers have the option of bringing applications to the PCI council or one of its assessment companies to have the technology validated. Once certified, the applications are listed on the PCI council website.
“Choosing an application that is already PCI compliant does not make you totally PCI compliant. However, it makes it easier to become compliant if you are using a certified application,” Russo explains. He adds that it is not mandatory for developers to get applications assessed or for merchants to purchase equipment listed on the site.
Still, in-house payment applications developed by merchants or service providers must be secured in accordance with the PCI DSS.
‘More About Security Than Compliance’
Russo stresses that any parking facility anywhere in the world that processes credit card transactions must be PCI DSS compliant.
“First of all, if you are not compliant, look at what you need to do to become compliant right away, because this is basically the law – you need to be compliant,” he advises all parking lot owners and operators. All the necessary compliance information is available at the PCI council website – www.pcisecuritystandards.org – including educational material, a compliance guidance document and a list of third-party assessors.
“In today’s economy, the worst thing that can happen is that your customers walk away,” Russo says. “If you have a breach at your parking lot, because you are not secure, your customers might not come back.
“In the event of a (security) breach, fines are imposed from the credit card companies to the acquiring bank that processes the credit card transactions, and they pass it down to the merchant. But the fines are the least of your worries,” he adds. “If your customers walk away, you are out of business.
“Plus, once there has been a breach, there are going to be lawsuits,” Russo says, “and it is going to cost you so much money and take so much time away from running your business that it just makes more sense to comply with the standard. It’s faster, it’s easier, it’s cheaper, and you’ll be secure.
“PCI DSS is more about security than compliance,” Russo notes. “The PCI DSS guidelines are best practices in the security industry, not just for credit card data but any data you want to protect. If you become secure, compliance follows as a byproduct. Your best defense against a (security) breach is to be compliant with this standard.”
That is why, Russo says, merchants should focus on becoming secure, not on becoming compliant. When a merchant focuses only on compliance, it becomes a check-the-box exercise, and a merchant that does not follow through is not really secure. In addition, while a merchant might be compliant at a point in time, it rapidly falls out of compliance if it is not following the PCI DSS guidelines on a regular basis.
As a poignant reminder of why the PCI council exists in the first place, Russo warns parking facility operators that credit card thieves are out there right now developing new ways to commit fraud.
“They are becoming more sophisticated, there is no question about that,” Russo concludes. “It is an arms race to try to stay ahead of these guys. They have nothing to do all day except figure out ways to steal your credit card data.”
Article Abstract from May, 2010