Understand card data processes: It's important to have an end-to-end understanding of the processes involved in transmitting payment card data for effective PCI-DSS compliance. An organization must know how and where its card data is accessed, transmitted and stored. Knowing where your card data lies is, in fact, the biggest pain point for companies seeking PCI-DSS compliance.
Ask yourself whether you really need to store card data: Many organizations in the BFSI, BPO and retail industries have made credit (or debit) cards an integral part of their processes. These businesses often feel the need to store card data for some of their processes, though it might not really be required. Companies dealing in card data must therefore reevaluate their processes when preparing for PCI-DSS compliance. This will help them find out whether there is a genuine business need to store such data, or whether they can carry on their processes without storing card data at all.
Many retailers may have applications that are not certified under standards like PA-DSS and may end up storing information that PCI-DSS does not permit. One such example is keeping records of the black magnetic stripe, which contains data that must not be stored. If you have no alternative but to store card data for business processes, then the company must state a specific duration for which it needs to be stored; beyond this period, there is no real business need to retain this data.
Protect stored card data: Once you know that card information is being stored in your environment, it must be protected by means such as encryption to make PCI-DSS compliance easier. Tokenization is one of the newest technologies being used to protect card data. It provides an alternate ID to identify the card when the card is used for a transaction: the card number is replaced with a specific ID that is unique to that card number, and from then on this ID is used instead of the actual card number for any transaction. This method drastically reduces the risk of exposing card data during transmission.
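To make the token-to-card-number relationship concrete, here is an added illustration (not code from the article or from ControlCase) of how a tokenization vault issues a surrogate ID: the same PAN always gets the same token, the token reveals nothing about the PAN beyond the last four digits, and only the vault can map it back. The vault class, the lookup key and the test card number are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects malformed PANs before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues a random surrogate ID (token) per card number. Only the vault, inside
    the cardholder data environment, ever sees a PAN; other systems store the token."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret for the keyed lookup index (constructed assumption)
        self._by_token = {}           # token -> PAN (this column is encrypted in a real vault)
        self._by_pan = {}             # HMAC(PAN) -> token, so one PAN always maps to one token

    def _index(self, pan: str) -> str:
        # Keyed hash: a plain hash of a PAN is brute-forceable because the PAN space is small.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_pan:
            return self._by_pan[idx]      # same card, same token: stable for the merchant
        while True:
            # Keep the last four for receipts; the rest is random and unrelated to the PAN.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Must be unused and must fail Luhn, so it can never be mistaken for a real card number.
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Swaps the token back to the PAN; restrict this to the payment-processor call path."""
        return self._by_token[token]
```

Systems that hold only the token and its last four digits never store a PAN, which is what takes them out of the card data environment.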
Use PA-DSS certified applications: Many banks, service providers and retailers may have legacy applications that were developed without security in mind. These applications may store prohibited card information or may not support the encryption controls mandated by PCI-DSS. Hence, ensure that any application that handles card information is PA-DSS certified.
Segregate systems dealing in card information: Design your environment so that critical components are segregated from the not-so-critical ones. Separate the systems that process and store card data from non-critical systems, because it is easier to put security controls around a defined set of systems than to secure all systems at once.
First plug bigger loopholes and risks: If you are implementing PCI-DSS compliance for a large enterprise (retailer or service provider), the best way is to follow a risk-based approach. This basically translates to having a framework for categorizing risk. For instance, storing prohibited information or unencrypted card data is a bigger risk than missing a smaller control such as a firewall. Try to close the bigger risks and loopholes first so that you minimize the risk of fraud. Of course, PCI-DSS compliance certification can be achieved only after you have met all the requirements. Securing card data should be the first priority; aspects like network security, server security and HR policies can be dealt with later.
About the author: Parin Lapasia is manager, consulting services at Control Case, a Qualified Security Assessor with the PCI Security Standards Council. Parin has been involved in several PCI-DSS compliance implementations in India.
(As told to Dhwani Pandya)
This was first published in July 2010