Payment Card Industry Data Security Standard (PCI DSS)
The #1 reason to buy a Written Information Security Program (WISP) or PCI DSS Policy is that having a written security program in place is mandatory for all merchants, regardless of their size. The PCI Security Standards Council makes that point with a site aimed specifically at smaller merchants, which you can check out for yourself here: https://www.pcisecuritystandards.org/smb
This is the real reason you should care about PCI DSS: it is arguably the most significant Information Security liability a card-accepting business carries. You may have overlooked the fine print when you signed your merchant agreement, but if you accept credit or debit cards, that agreement contractually binds you to comply with the PCI DSS.
The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These compromises cover the full spectrum of organizations, from the very small to very large merchants and service providers.
A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
- Regulatory notification requirements
- Loss of reputation
- Loss of customers
- Potential financial liabilities (for example, regulatory and other fees and fines)
Insurance Generally Will Not Cover Your Loss If You Cannot Prove Documented PCI DSS Compliance
Post-mortem analysis of compromises repeatedly shows the same security weaknesses, and the PCI DSS controls that address them were not in place in the affected organizations at the time of the compromise. PCI DSS was designed, and spells out detailed requirements, for exactly this reason: to minimize the chance of a compromise and to limit the damage if one does occur.
Investigations after compromises consistently show common PCI DSS violations, including but not limited to:
- Storage of magnetic stripe data (Requirement 3.2). Full track contents are sensitive authentication data and must not be retained after authorization, even in encrypted form. It is important to note that many compromised entities are unaware that their systems are storing this data, often in application logs or debug output.
- Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
- Default system settings and passwords not changed when system was set up (Requirement 2.1)
- Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4)
- Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)
- Missing and outdated security patches (Requirement 6.1)
- Lack of logging (Requirement 10)
- Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
- Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)
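The first violation in the list above, unknowingly storing track data, is the one a merchant can check for directly. The scanner below is an added example written for this page; it is not code from the PCI SSC or from any WISP product. It looks for Track 1 and Track 2 formatted data and for bare card numbers in log lines, drops digit runs that fail the Luhn check (so order numbers and timestamps are not reported), and reports only masked PANs (first six and last four digits) so that the scan output does not itself become another store of cardholder data. It goes slightly beyond the bullet by also catching bare PANs outside track data. The log lines use industry test card numbers and are constructed for the example; the field layouts, names and length thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Track 1 (IATA format): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (ABA format): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
# Bare PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(candidate: str) -> bool:
    """True if the digits in `candidate` form a Luhn-valid number of 13 to 19 digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows to be displayed."""
    digits = "".join(c for c in candidate if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line number in the scanned input
    kind: str         # "track1", "track2" or "pan"
    masked_pan: str   # never the full PAN: the report must not become another copy of card data


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text lines for track data and bare PANs; only Luhn-valid PANs are reported."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        covered = []  # spans already reported as track data, skipped by the bare-PAN pass
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
                    covered.append(m.span())
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() and m.end() <= e for s, e in covered):
                continue
            if luhn_ok(m.group(0)):
                findings.append(Finding(line_no, "pan", mask_pan(m.group(0))))
    return findings


# Constructed sample log lines using industry test PANs; not real card data.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 POS01 auth ok txn=48213 amount=19.99",
    "2024-05-01 12:00:02 POS01 debug raw=%B4111111111111111^DOE/JOHN^25121011000000000000?",
    "2024-05-01 12:00:03 POS02 debug raw=;5555555555554444=25121010000?",
    "2024-05-01 12:00:04 WEB ERROR order failed for card 4111-1111-1111-1111",
    "2024-05-01 12:00:05 WEB order id=1234567890123456 shipped",  # fails Luhn: not a PAN
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

Run it against POS logs, crash dumps and database exports, not only the files you expect to hold card data; a hit on a "debug" line is exactly the case the bullet describes. The Luhn check suppresses most numeric noise but is not proof of a card number, so treat findings as leads for a manual look rather than a verdict.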