In compliance with government data regulations- I

Published  09/8/2008 | SSL Certificates

 Providing protection for credit card information travelling over the Internet has always been a smart practice for the sake of all parties involved. Now, because of PCI DSS, it is not only smart, but mandatory.

This white paper explores these standards and regulations—some firmly in place, some emerging, others in the formative stage—and describes the recommendations or requirements they impose for using encryption and related technologies. The reader should bear in mind that this area is a fast-moving target: today’s recommendations are tomorrow’s requirements, and new standards arise all the time.

There are many ways to steal credit card numbers, but scavenging through garbage cans for receipts has given way in recent years to intercepting the transmissions between customers making online purchases and their suppliers, a method that is much easier, not to mention cleaner. Since paying by card is the most common way to buy online, the buyer’s card number must at some point be transmitted electronically to the seller; if that transmission is unencrypted or weakly encrypted, stealing the number is easy.

Of the approximately 650,000 fraud complaints the American Federal Trade Commission received each year between 2004 and 2006, identity theft accounted for a steady 35 to 36 per cent. Twenty-one per cent of banking institutions have either suffered a security breach during the past two years or do not know whether they have; another 35 per cent have been the target of a phishing attack during the past year. The prevalence of these destructive practices gave rise in years past to a clamour for government regulation of electronic commerce, but the credit card companies, which generally had to foot the bill for the online carelessness of others, felt they could not afford to wait. They knew that SSL certificates provided the necessary protection for sensitive information in transit and could be implemented easily by e-commerce companies and other institutions that send and receive card data over the Internet. They also knew that, without pressure to act, many of these companies would be slow to adopt the technology.

Therefore the world’s biggest card brands, including MasterCard, Visa, American Express, Discover and JCB International, established a common set of data security measures that must be used by all merchants, banks and service providers that store, process or transmit cardholder data: the Payment Card Industry Data Security Standard (PCI DSS), first published as version 1.0 in December 2004. In 2006 the brands formed the PCI Security Standards Council to maintain the standard and issued version 1.1. In subsequent years, as both the technology and the thieves became more sophisticated, the Council has enhanced PCI DSS and is expected to continue doing so for the foreseeable future. PCI DSS covers many kinds of vulnerabilities that can exist in electronic commerce, and one of its foremost provisions (Requirement 4) is that cardholder data be adequately encrypted while it is transmitted over open, public networks. Specifically, it requires strong cryptography such as 128-bit encryption, the minimum level provided by VeriSign Server Gated Cryptography (SGC) SSL certificates for over 99.9 per cent of site visitors. (SGC exists to step older, export-restricted browsers up from 40- or 56-bit ciphers; browsers released after US export controls were relaxed negotiate 128-bit or stronger ciphers without it.) While this level is considered adequate as of the date of this writing by both PCI and VeriSign, it will not always be sufficient.

To future-proof against faster hardware and better cryptanalysis, and against the tightened requirements PCI will issue in response, companies can enable far stronger 256-bit encryption (for example AES-256 cipher suites), also available from VeriSign and others. Whether a given session actually uses it depends on the server’s operating system and cipher configuration and on the visitor’s browser, because the cipher suite is negotiated between the two: a server that still lists 40-, 56- or 128-bit suites will happily use them with any browser that asks.

Specifically, PCI DSS requires encryption for Web traffic over public networks, SSL VPN for remote access solutions, e-mail encryption (TLS, S/MIME, PGP or desktop-to-desktop) and IPsec VPN to protect payment card information; the standard itself names the outcome, strong cryptography and secure protocols, and these are the usual means of achieving it. These requirements apply not only to data in motion but also to data at rest in databases, web servers and applications that store or process card data. PCI DSS also requires that cryptographic keys, and their storage and transmission, be effectively managed. While not mandated by the standard, it is also recommended that organisations gain visibility into their SSL traffic to detect threats and employ Web gateway solutions that offer SSL scanning and policy enforcement for encrypted traffic. Finally, organisations that meet the standard by employing adequate encryption do well to publicise that fact to customers, thieves and PCI enforcement bodies by prominently displaying widely recognised indicators of the safety of their e-commerce websites, such as the VeriSign Secured® Seal.

The card brands behind PCI are serious about compliance and have set up rigorous validation processes and penalties for those who breach the standard. While the details vary from brand to brand, MasterCard’s Site Data Protection (SDP) Program and Visa’s Cardholder Information Security Program (CISP) are representative. Each requires an annual on-site security assessment for any merchant that processes more than six million transactions per year or has suffered a security breach that resulted in an account compromise, and for any service provider that processes card data or acts as a payment gateway. Other merchants and service providers must complete and submit an annual self-assessment questionnaire in lieu of the on-site assessment.

In addition, all merchants and service providers must pass a quarterly external network vulnerability scan. The penalties for violators are severe. They may face higher processing fees or, in more serious cases, be barred from accepting or processing PCI member cards at all. In extreme cases the card companies issue substantial fines: Visa, for example, levies penalties of up to $500,000 for each instance of non-compliance, while American Express fines merchants up to $15,000 per day.