Features

As governments around the world step up efforts to protect citizens from the potentially devastating effects of payment card data theft, merchants are being asked to comply with a new security standard.

At least one US state has already taken the legislative route in its fight against identity theft. Last month, Minnesota became the first to enact into law the Payment Card Industry Data Security Standard (PCI DSS).

What the PCI DSS standards are asking for are very, very logical and very sensible things that any security-minded organization should be following

Fred Hopper - corporate security director, Metaca

PCI DSS is a standard developed by the world's major credit card companies, including Mastercard, Visa and American Express. It is aimed at businesses that process credit or debit card transactions and consists of 12 control objectives to protect data.

"The US states, because of a number of lawsuits going against some of the big retailers, are looking at what needs to be done (about the issue)," said Mary Kirwan, a Canadian IT security consultant.

The massive data breach suffered last year by retail giant TJX, in which credit card data of millions of its customers were stolen by a hacker, has prompted many governments to take action to increase the protection of personally identifiable information.

Credit card firms have asked merchants to have a plan to comply with PCI DSS by June 30, 2007. Many US states, meanwhile, are expected to take Minnesota's lead, Kirwan said. "Right now, the approach in the US in some cases is to make this a problem of the retailers, and I am not sure at all that that's necessarily the way to go."

The Canadian government is also looking into ways to protect cardholder data, but Kirwan said Canada may not take legislative action.

After all, Canada already has existing federal privacy legislation, PIPEDA, which mandates organizations to provide ways of securing personal data and other sensitive information that are under their custody.

Attempts are also being made in the US, however, to enact privacy legislation at the federal level. That would provide consistent protection as well as a common framework for securing data, Kirwan said.

"If you have different laws in every state, it will be extremely difficult to [be compliant] and I think that is a situation we want to try to avoid here [in Canada]," she said.

Kirwan stressed the best strategy is one where each player in the transaction process has a responsibility to make the data secure.

Although legally enforcing PCI DSS may not be the best course of action, security experts said the framework can be used as a basis for implementing IT security, even if they don't process payment card transactions.

Fred Hopper, director of corporate security, IT and quality at Toronto-based credit card manufacturing firm Metaca, said his firm is not subject to PCI DSS, but the information security standards implemented in his organization are similar to the principles of the PCI DSS.

"What the PCI DSS standards are asking for are very, very logical and very sensible things that any security-minded organization should be following," said Hopper.

For instance, the first requirement under the PCI DSS is building and maintaining a secure network by maintaining a firewall configuration to protect the data, Hopper said.

The standard also prohibits the use of vendor-supplied defaults for system passwords, another protection measure that's very basic to network security, said Hopper.

He compared the PCI DSS to the lengthy and extensive IT security standard ISO 17799. "PCI DSS covers a lot of the same, but it's much more concise and easily adoptable for a good chunk of businesses out there that don't have a full-time IT security person."

Despite its applicability, however, the PCI DSS was designed for the payment card sector and many of its provisions apply only to organizations with cardholder data, said Simon Tang, security and privacy partner at Deloitte's Toronto office.

"If you talk about physical security, it goes into specifics as to how you should be shredding paper. Sometimes it's very difficult to generalize that requirement to other companies because it depends on their data classification," Tang explained.

The following are among the 12 requirements under the PCI DSS:

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data (highlighting encryption as a critical component for protection)
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know