12:05 PM

Ten Ways To Secure Web Data Under PCI

PCI compliance can create headaches for companies that do online commerce. Is your e-business ready?

3. Have Fewer Data-Handling Systems

All systems that have access to the transaction data or card data at rest fall under the PCI DSS, and they're an expensive part of any assessment. So it makes sense to segment off parts of the network--and the employees involved with those parts of the network--from access to card data. This approach reduces the number of systems that fall within the scope of PCI requirements, increases security, and cuts compliance costs. "Being able to chop off big chunks of your infrastructure and saying it has nothing to do with processing transactions--that's a big help," says Chris Eng, VP of Veracode, an application security company.

A key part of this approach is to log transactions without logging the credit card numbers. "Logging is absolutely essential, and people don't do enough of it," says Jerry Hoff, VP of static-code analysis at WhiteHat Security, a Web application security provider. "But make sure that the sensitive data itself isn't logged."
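The log-without-the-card-number advice above is easy to state and easy to get wrong, because card numbers leak into free-text messages, exception traces and request dumps long after the checkout code itself was cleaned up. The following is an added example (not code from the article or from any vendor quoted in it) of a redaction filter attached to a Python logging handler: it masks Luhn-valid 13-19 digit sequences to the first six and last four digits, the maximum PCI DSS permits for display, and drops structured fields that must never be logged or stored at all (CVV/CVC, track data, PIN). The field names in `SENSITIVE_FIELDS` and `PAN_FIELDS`, the `checkout-demo` logger and the sample values are assumptions constructed for the example.

```python
import io
import logging
import re
from typing import Any, Dict

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed field names (not from the article). Sensitive authentication data
# must never be logged or retained after authorization, so it is dropped.
SENSITIVE_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin"}
# Fields that carry a PAN and are masked rather than dropped.
PAN_FIELDS = {"pan", "card", "card_number", "cardnumber", "account_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; used to avoid masking order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value: str) -> str:
    """Keep first six and last four digits (PCI DSS 3.3 display maximum)."""
    digits = re.sub(r"[ -]", "", value)
    if not (13 <= len(digits) <= 19 and digits.isdigit()):
        return "[REDACTED]"     # not PAN-shaped: hide it rather than risk a leak
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN-shaped run in free text; leave other digits alone."""
    def repl(m: "re.Match[str]") -> str:
        candidate = m.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        return mask_pan(candidate) if luhn_ok(digits) else candidate
    return PAN_RE.sub(repl, text)


def scrub_fields(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop sensitive authentication data, mask PAN fields, scan the rest."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_FIELDS:
            continue                        # never log, never store
        if name in PAN_FIELDS and isinstance(value, str):
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = redact_pans(value)   # catch PANs pasted into free text
        else:
            out[key] = value
    return out


class PanRedactingFilter(logging.Filter):
    """Handler-level filter: rewrites message and args before formatting."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = scrub_fields(record.args)
            else:
                record.args = tuple(
                    redact_pans(a) if isinstance(a, str) else a for a in record.args
                )
        return True                         # never suppress the event itself


def demo() -> str:
    """Log a constructed checkout event through the filter; return what was emitted."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(PanRedactingFilter())
    handler.setFormatter(logging.Formatter("%(message)s"))
    log = logging.getLogger("checkout-demo")   # assumed logger name
    log.handlers.clear()
    log.propagate = False
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event: a dict argument so fields can be scrubbed by name.
    log.info("auth ok card=%(card)s amount=%(amount)d",
             {"card": "4111-1111-1111-1111", "cvv": "123", "amount": 1999})
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attach the filter to the handler, not the logger: a filter on a logger only sees records created by that logger, while a handler filter sees everything routed through it, including child loggers and third-party libraries. Two caveats a practitioner should keep in mind: the regex pass is a safety net, not a design, since a Luhn check still passes roughly one random 13-19 digit sequence in ten, so structured logging with the card fields masked or dropped at the source is the primary control; and a CVV passed as a bare positional argument cannot be recognised by name, which is one more reason never to have it in the code path that logs.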

4. Get Rid Of The Data

Online merchants can outsource their processing infrastructure, letting a third party handle all payment processing details and take on much of the responsibility--if not liability--for the data. "If your store sells snowboards online, then securing credit card data isn't something that you should have to focus on," Hoff says.

Companies that don't hold onto card data tend to take security more seriously and suffer fewer breaches, says the Ponemon Institute. In a survey of 670 U.S. and multinational IT managers, it found that 85% of companies that didn't retain primary cardholder data didn't suffer a breach over a two-year period. Only 40% of companies that retained data suffered no breach in that same time period.

One piece of data that the business should never retain, although many do: the card verification value, or CVV, code. "They see it as a way to increase the likelihood that the transaction will be approved," Trustwave's Rosenberg says, "but the problem is that you aren't supposed to have that data after the transaction has cleared."

Getting rid of the data reduces the PCI burden tremendously. Rather than having to comply with all 12 requirements, a merchant that outsources all cardholder data functions can narrow its focus to two: restricting physical access to cardholder data (requirement 9) and maintaining a policy that addresses information security (requirement 12).

Sidebar: PCI Prevents Breaches
64% of PCI-compliant companies had no cardholder data breach in the last two years
38% of noncompliant companies were breach-free over the same period
Data: Ponemon Institute's "2011 PCI DSS Compliance Trends Study"

You still must check your store for compliance and fill out a self-assessment questionnaire, but the overall effort is less onerous, Heartland's South says.

Just segmenting the network and minimizing retention of card data won't make your company PCI compliant, says Evan Tegethoff, a PCI solutions architect with security services firm Accuvant. No merchant can reduce its PCI scope to nothing; it can only narrow it. If a third party is handling your company's data, you're still responsible for confirming that the third party is protecting the information.

The same goes for technology. Buying a PCI-compliant data protection product won't automatically make your company PCI-compliant. "Merchants frequently think, 'Let me go buy something that's PCI-compliant, and then I'm done,'" PCI SSC's Russo says. Data security technology must be adjusted to a company's needs and monitored to ensure that it's protecting all of the right data.

5. Check Out Partners

Merchants that outsource to a service provider but retain some ability to look up or check transactions are less likely to actually achieve a reduction in PCI scope, says Troy Leach, CTO at PCI SSC. "The challenge is that there is typically some sort of access to that cardholder data," Leach says. "If there is, that brings their entire environment back into scope."

You'll also want to gather information on your partners' PCI compliance. Managed service providers handle a lot of card data, making them attractive to attackers. Third parties administered 76% of systems that were breached last year. And when a breach happens, the liability generally rests with the merchant.

Ask for documentation of a third party's PCI compliance status, such as its completed self-assessment questionnaire or an Attestation of Compliance, and check that the services it provides to you are the ones covered by that assessment. Key areas to be aware of:

>> Hosting services must comply with PCI and, in particular, have a vulnerability remediation process in place, including timely patching and updating of their server software.

>> Any payment application used as the transaction engine for a store should comply with a separate set of standards: the PCI Payment Application Data Security Standard. A compliant program needs to, among other security measures, log transactions, not store full mag-stripe data, provide secure authentication, and encrypt all communications over public networks.

>> Scanning vendors must be validated by the PCI SSC as Approved Scanning Vendors (ASVs) to be listed on the pcisecuritystandards.org site; a scan from an unlisted vendor won't satisfy the quarterly external scan requirement.

chart: Where stolen data comes from

About the author: Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

2 of 3