
Ten Ways To Secure Web Data Under PCI

PCI compliance can create headaches for companies that do online commerce. Is your e-business ready?

3. Have Fewer Data-Handling Systems


All systems that have access to the transaction data or card data at rest fall under the PCI DSS, and they're an expensive part of any assessment. So it makes sense to segment off parts of the network--and the employees involved with those parts of the network--from access to card data. This approach reduces the number of systems that fall within the scope of PCI requirements, increases security, and cuts compliance costs. "Being able to chop off big chunks of your infrastructure and saying it has nothing to do with processing transactions--that's a big help," says Chris Eng, VP of Veracode, an application security company.

A key part of this approach is to log transactions without logging the credit card numbers. "Logging is absolutely essential, and people don't do enough of it," says Jerry Hoff, VP of static-code analysis at WhiteHat Security, a Web application security provider. "But make sure that the sensitive data itself isn't logged."
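As an added illustration of that point (not code from the article or from any vendor quoted in it), the Python sanitizer below builds the loggable view of a transaction record: it drops sensitive authentication data such as the CVV outright and masks any Luhn-valid card number, whether it sits in a structured field or leaks into free text, down to the first six and last four digits. The field names and the sample record are constructed for the example.

```python
import re

# Constructed sample record, shaped like what a store might pass to its logger.
# The card numbers are public test numbers, not real accounts.
SAMPLE_TXN = {
    "order_id": "ORD-1001",
    "amount": "149.99",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
    "shipment_ref": "1234567890123456",                   # long number that is not a card
    "customer_note": "ship to 4012 8888 8888 1881 Elm St",  # card number leaking into free text
}

# Sensitive authentication data: never written to a log, not even masked.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order ids and phone numbers are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid card number in text with first6 + stars + last4."""
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_PATTERN.sub(repl, text)


def sanitize_for_log(record: dict) -> dict:
    """Return the copy of a transaction record that is safe to hand to the logger."""
    safe = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue  # dropped entirely, not masked
        safe[key] = mask_pan(str(value))
    return safe
```

Applying `sanitize_for_log(SAMPLE_TXN)` keeps the order id, amount and expiry, removes the `cvv` key, and rewrites both card numbers as `411111******1111` and `401288******1881` while leaving the non-card reference number untouched.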

4. Get Rid Of The Data

Online merchants can outsource their processing infrastructure, letting a third party handle all payment processing details and take on much of the responsibility--if not liability--for the data. "If your store sells snowboards online, then securing credit card data isn't something that you should have to focus on," Hoff says.

Companies that don't hold onto card data tend to take security more seriously and suffer fewer breaches, says the Ponemon Institute. In a survey of 670 U.S. and multinational IT managers, it found that 85% of companies that didn't retain primary cardholder data didn't suffer a breach over a two-year period. Only 40% of companies that retained data suffered no breach in that same time period.

One piece of data that the business should never retain, although many do: the card verification value, or CVV, code. "They see it as a way to increase the likelihood that the transaction will be approved," Trustwave's Rosenberg says, "but the problem is that you aren't supposed to have that data after the transaction has cleared."

Getting rid of the data reduces the PCI burden tremendously. Rather than having to comply with all 12 requirements, you can narrow your focus to two requirements: blocking access to data (requirement nine) and maintaining a policy that addresses information security (requirement 12).

PCI Prevents Breaches
64% of PCI-compliant companies had no cardholder data breach in the last two years
38% of noncompliant companies were breach free
Data: Ponemon Institute's "2011 PCI DSS Compliance Trends Study"

You still must check your store for compliance and fill out a self-assessment questionnaire, but the overall effort is less onerous, Heartland's South says.

Just segmenting the network and minimizing retention of card data won't make your company PCI compliant, says Evan Tegethoff, a PCI solutions architect with security services firm Accuvant. No merchant can ever eliminate the scope of PCI requirements, but it can reduce them. If a third party is handling your company's data, you're still responsible for confirming that the third party is protecting the information.

The same goes for technology. Buying a PCI-compliant data protection product won't automatically make your company PCI-compliant. "Merchants frequently think, 'Let me go buy something that's PCI-compliant, and then I'm done,'" PCI SSC's Russo says. Data security technology must be adjusted to a company's needs and monitored to ensure that it's protecting all of the right data.

5. Check Out Partners

Merchants that outsource to a service provider but retain some ability to check transactions are less likely to reduce the scope of their PCI compliance, says Troy Leach, CTO at PCI SSC. "The challenge is that there is typically some sort of access to that cardholder data," Leach says. "If there is, that brings their entire environment back into scope."

You'll also want to gather information on your partners' PCI compliance. Managed service providers handle a lot of card data, making them attractive to attackers. Third parties administered 76% of systems that were breached last year. And when a breach happens, the liability generally rests with the merchant.

Ask for documentation of a third party's PCI compliance status, including a self-assessment questionnaire. Key areas to be aware of:

>> Hosting services must comply with PCI and, in particular, have a vulnerability remediation process in place, including timely patching and updating of their server software.

>> Any payment application used as the transaction engine for a store should comply with a separate set of standards: the PCI Payment Application Data Security Standard. A compliant program needs to, among other security measures, log transactions, not store full mag-stripe data, provide secure authentication, and encrypt all communications over public networks.

>> Web application scanning vendors must qualify as PCI-compliant to be listed as compliant on the pcisecuritystandards.org site.

[Chart: Where stolen data comes from]

