PCI: Is Your Institution Compliant?

Recent Assessments Find Flawed Security Practices
PCI: Is Your Institution Compliant?
Since the Heartland data breach was announced in January, there's been no shortage of discussion about the Payment Card Industry Data Security Standard (PCI DSS) and its requirements of merchants and payments processors.

But what about financial institutions?

Banks and credit unions store large amounts of cardholder data, but often show little awareness of PCI requirements, say security experts, including the Qualified Security Assessors (QSA) who test for PCI compliance.

"Many of these banks do have cardholder data risks that are relevant to and should be covered by their own efforts to comply with PCI-DSS," says Jim Cowing, a QSA and PA-QSA at Digital Resources Group, a San Mateo, CA-based risk assessment firm. "Their lack of understanding and willingness to embrace the value and depth of [PCI is] a real barrier to promoting adoption within the financial institution."

Anatomy of a PCI Assessment
Denise Mainquist, a QSA at ITPAC Consulting, Lincoln, NE. recently assessed PCI compliance at a large regional bank. Here is what she found:

Issuer information (security code, magnetic stripe data) was commingled with other account information on a flat network. "The issuer argued that they had no obligation to provide any special protection of cardholder information," Mainquist says.
Paper statements containing human readable card numbers, along with name, address, and other information, much like the customer bank statements from other large banks.
The issuer was sending out activated cards through the mail to "safe" zip codes to save money on activation services.
Credit card numbers were also the account number for Home Equity Line of Credit (Heloc) and Business Line of Credit accounts, so almost everyone in bank had unmonitored access to credit card information.
Lists of credit card numbers were forwarded (unprotected) to outside marketing firms for use in marketing campaigns.
Unencrypted emails (internal and external), including credit card numbers, were standard documentation practice.
Imaging systems contained credit card numbers on vouchers, checks, etc. Access to images was not well-controlled.

"When I compare the risk of loss at a merchant to the amount of unprotected credit card information in a bank," Mainquist says, "I think that card brands need to shift their focus."

Attitude: PCI is 'Nothing New'
PCI compliance prescribes hundreds of the most comprehensive security practices, based upon a large body of work to define the types of security risks that face today's organizations. "Financial institutions have been responsible for many types of their own security - including physical, data and network security requirements -- well before PCI was defined," says Cowing.

The problem is: Some information security professionals may discount the large body of security practices well defined under PCI because it is "nothing new" to them, or else they see PCI as beyond their scope since they are not directly involved with merchants and the related body of data security issues. Among the PCI compliance issues that Cowing says some financial institutions may be ignoring:

The rigorous network vulnerability scan requirements defined under PCI, including both internal and external network scanning for OS, network and web application layer type scans.
Wireless scanning and IDS (Intrusion Detection System) aimed at identifying rogue wireless that could present a significant risk to their corporate networks.
Turning off all unnecessary and undocumented ports, protocols, daemons, etc. that run on older default server configurations.
Encryption of cardholder data within their own environments.

Struggling With PCI
Branden Williams, Director of VeriSign's PCI Practice, says many banking institutions "struggle with understanding the scope of PCI in their environment because they do multiple functions, such as issuing, acquiring, deposits, and issuer processing."

Williams' advice to financial institutions: "For starters, they should understand where all their data is and get a clear picture of how it is used."

Larger financial institutions have this understanding in pockets or silos, he adds, "But they struggle when trying to see the big picture. After they know where their data is, delete and purge from all the areas they don't need it (laptops, workstations, old servers, FTP areas, etc.), and harden security around the areas they do".

Getting to a homogeneous environment also seems to be a struggle for financial institutions, Williams says. "It's amazing how many financial institutions provide the means for an individual to wander in and compromise a single unpatched endpoint. It's more than possible, it's probable," Williams says.

If financial institutions would focus on good data security and keep PAN (primary account number) data as a confidential/sensitive element in their plan, "They stand to outperform merchants trying to do the same thing," Williams says.

Other actions recommended by the experts:

Obligations of issuers to protect cardholder information needs to be examined/communicated;
Major system changes are needed to reduce the spread of credit card numbers by using unique account numbers as key;
Stricter controls over imaging systems;
Documentation practices at banks, in general, need to be reconsidered.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.