Key strategies for successfully securing financial data - By Joel Friedman, Chief Security Officer

FinancialTimes.com, Published: September 26 2008

While every organisation has unique security requirements, a chief concern for many is protecting their customers' credit card data. Stolen financial information and identity theft not only cause loss of revenue, clients and partners, but can also result in significant fines, open the door to lawsuits and erode public trust. This concern must be addressed in the initial stages of IT planning and should be integrated with all standard operating procedures at every level of the organisation.

A common misconception is that Chip and PIN is sufficient for data security. But Chip and PIN is only a physical security control and has no effect on transactions where the cardholder is not present, such as transactions made over the internet or telephone. In the case of internet transactions the consumer is still required to enter critical cardholder data, which is transmitted to the remote server. The transmission, storage and access of that card data fall into the domain of the global PCI DSS compliance standard.

A critical first step is to assess whether or not you need to be and/or are PCI DSS compliant. PCI DSS is the global payment card industry security requirement for entities that store, process, or transmit cardholder data. Basically, just about anyone who has credit card information entering their servers, even momentarily, is subject to PCI DSS compliance regulations.

In addition, any third party that accepts or processes payment cards must be PCI DSS compliant. Examples include managed service providers, e-commerce host providers and payment gateways.

The PCI DSS standard incorporates industry best practices into a specific and definitive set of requirements. PCI DSS is driven by all the major card brands: Visa, MasterCard Worldwide, Discover Network, American Express and JCB.

A good first step towards meeting PCI DSS standards is to assess your current compliance posture. Here is a checklist of a few core components to help you identify areas where you are in compliance as well as areas of improvement.

  • Cardholder data is encrypted, and CVV2 data is not stored.
  • Employees are required to use two-factor authentication to access remote IT resources.
  • Company conducts (or uses automated real-time) log review, stores those logs for the required one year retention period, and protects the archived logs from modification via integrity checks. File and system integrity monitoring has been implemented to alert the appointed contact person if any critical system settings or files are altered without authorisation. Company follows the four change control procedures outlined by the PCI DSS specification (document impact and rollback procedures, receive management approval, and perform operational testing).
  • Company has designed multiple network segments and configured network security devices in accordance with PCI DSS specification.
  • Company has implemented patch management services to guarantee patches are applied within the required 30 days.
  • Comprehensive policies and procedures which adhere to section 12 of the PCI DSS are in place.
  • Company is utilising Intrusion Detection, Vulnerability Assessment and Anti-malware services.
  • Penetration testing is conducted regularly.
  • In-house IT facilities meet PCI DSS physical security requirements including 90 days of video retention in data centres.
  • A Web Application Firewall or code review is in place to protect against the Top Ten Most Critical Application Vulnerabilities as defined by the Open Web Application Security Project.
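The checklist item on log review asks that archived logs be protected from modification via integrity checks. The following is an added example, not code from the article or from any PCI DSS tooling, of the simplest form of such a check: a SHA-256 manifest is written when a month's logs are archived, and the archive is later re-hashed and compared against it, so that any altered, removed or added file is reported. The directory layout, the manifest file name and the sample log lines are constructed assumptions for illustration.

```python
"""Hash-manifest integrity check for archived log files (added example).

The manifest produced here must itself live somewhere the people who can
write to the log archive cannot reach (write-once media, a separate host,
or a signed copy); otherwise an attacker who edits a log can simply
regenerate the manifest. That placement is outside this script.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name, not a PCI DSS requirement


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large log archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _hash_tree(archive_dir: Path) -> dict:
    """Map every file under archive_dir (except the manifest) to its hash."""
    return {
        p.relative_to(archive_dir).as_posix(): sha256_of(p)
        for p in sorted(archive_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def build_manifest(archive_dir: Path) -> dict:
    """Seal an archive: record a hash for every file and persist the list."""
    manifest = _hash_tree(archive_dir)
    (archive_dir / MANIFEST_NAME).write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )
    return manifest


def verify_manifest(archive_dir: Path) -> dict:
    """Re-hash the archive and report drift relative to the sealed manifest."""
    expected = json.loads((archive_dir / MANIFEST_NAME).read_text())
    current = _hash_tree(archive_dir)
    modified = sorted(n for n in expected if n in current and current[n] != expected[n])
    missing = sorted(n for n in expected if n not in current)
    added = sorted(n for n in current if n not in expected)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo() -> tuple:
    """Constructed scenario: seal two log files, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        month = archive / "2008-09"
        month.mkdir()
        # Constructed sample log lines (not real system output)
        (month / "auth.log").write_text(
            "Sep 26 10:01:02 host sshd[412]: Accepted publickey for ops\n"
        )
        (month / "payment-gw.log").write_text(
            "Sep 26 10:05:44 gw txn=ok pan=************1234\n"
        )
        build_manifest(archive)
        clean = verify_manifest(archive)  # expected: ok, nothing flagged
        # A line is appended to a sealed file; the check must flag it.
        with (month / "auth.log").open("a") as fh:
            fh.write("Sep 26 10:07:00 host sshd[413]: session closed for ops\n")
        tampered = verify_manifest(archive)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("sealed archive:", before)
    print("after edit:    ", after)
```

In practice the verification runs on a schedule from a host other than the log server, and a result with `ok` false is what should page the appointed contact person named in the checklist.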

After assessing your company in light of these criteria you may be ready to turn to a PCI DSS Services Provider. When chosen carefully, the right provider will give you maximum value for your investment as you rely on their expertise and experience to guide you towards full PCI DSS compliance.

Ultimately, achieving PCI DSS compliance assures a vital aspect of data security and signals to your customers and stakeholders that you are a trustworthy partner.