According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.
According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve. QSAs reported that the three most common business reasons for storing cardholder data are:
In order to service these customer's requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.
QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.
Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.
So what's the best way to both satisfy the requirements of PCI DSS and still make secured data transparent to applications? The strategy QSAs recommend is to lock down the cardholder data with technologies that:
These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.
But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all. Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.
The point is that the QSA's three recommendations go beyond the basic requirements of the PCI DSS standard to actually secure the credit card data at the host - and to ensure that the data isn't misused when the data is at rest or while being transferred.
Linoma Software's [now HelpSystems] data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.
Industry security analysts will still complain that PCI DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn't provide that value. Consequently, we need to analyze what the QSAs are recommending, and then build on PCI DSS Version 2.0 to implement the best possible data security for our customers' credit card data.