The newspaper headlines alone are enough to make an IT-security officer's stomach churn. "4 million Hannaford customers have credit card numbers stolen" read one publication earlier this year after the regional supermarket chain was hit by a data-security breach. The cardholder data was accessed from Hannaford Bros. Co.'s computer systems during the card verification transmission process.
While regulations such as PCI DSS (Payment Card Industry Data Security Standard) exist precisely to prevent such catastrophes and protect cardholder data, achieving compliance can be challenging. However, according to a recent Aberdeen Group study, "PCI DSS and Protecting Cardholder Data: Year-over-Year Progress in Achieving, and Sustaining, Compliance," there are some best practices worth considering. The study's author and Aberdeen analyst, Derek Brink, recommended taking these five steps:
1. According to Aberdeen, 77 percent of best-in-class companies have conducted formal risk assessments, and 68 percent have conducted vulnerability assessments for all system components in the card-processing environment. That requires "looking for network vulnerabilities, uncached systems, known exploits that haven't been remediated and any opportunity for your network to be penetrated," said Brink. This can be accomplished in a variety of ways, from implementing vulnerability-scanning tools to turning to a third-party security solution provider to evaluate and monitor applications.
2. It's not enough to simply saddle an IT manager with the responsibility of maintaining PCI DSS compliance. Rather, Brink recommended appointing a high-level executive or creating a team that is dedicated to this business-critical task. "If you select someone to specifically own a PCI compliance project and be responsible for it, it's much more likely that you'll be successful. Clear ownership is really a key success factor in achieving compliance," he said.
3. Aberdeen reported that 76 percent of best-in-class companies have segmented their network to isolate systems that store, process or transmit cardholder data from those that do not, thus reducing the scope of the PCI compliance effort. But for all its benefits, Brink pointed out, "The biggest challenge is that companies don't do it. Every single qualified security assessor that I speak with recommends segmenting as the first step to take. Yet it's amazing how many companies don't take that step."
4. Simply put, data can't be compromised if it no longer exists. Said Brink, "If you don't have the data at all, then you've reduced the scope of your compliance. We've seen best-in-class companies willing to re-architect parts of their systems in order to eliminate storage altogether." In fact, Aberdeen reported that 50 percent of best-in-class companies have eliminated storage of cardholder data and sensitive authentication data post-authorization.
5. Technology alone won't save the day. "It's amazing to me how few companies are investing in awareness and training issues like protecting card holder data," said Brink. "Companies spend quite a bit on compliance, security tools and technologies to address PCI DSS requirements but they haven't invested in training their people to a large degree." Educating employees on the ins and outs of compliance, however, can broaden accountability, heighten awareness and greatly reduce the possibility of security breaches .