PCI: Is Your Institution Compliant?Recent Assessments Find Flawed Security Practices
But what about financial institutions?
Banks and credit unions store large amounts of cardholder data, but often show little awareness of PCI requirements, say security experts, including the Qualified Security Assessors (QSA) who test for PCI compliance.
"Many of these banks do have cardholder data risks that are relevant to and should be covered by their own efforts to comply with PCI-DSS," says Jim Cowing, a QSA and PA-QSA at Digital Resources Group, a San Mateo, CA-based risk assessment firm. "Their lack of understanding and willingness to embrace the value and depth of [PCI is] a real barrier to promoting adoption within the financial institution."
Anatomy of a PCI Assessment
Denise Mainquist, a QSA at ITPAC Consulting, Lincoln, NE. recently assessed PCI compliance at a large regional bank. Here is what she found:
"When I compare the risk of loss at a merchant to the amount of unprotected credit card information in a bank," Mainquist says, "I think that card brands need to shift their focus."
Attitude: PCI is 'Nothing New'
PCI compliance prescribes hundreds of the most comprehensive security practices, based upon a large body of work to define the types of security risks that face today's organizations. "Financial institutions have been responsible for many types of their own security - including physical, data and network security requirements -- well before PCI was defined," says Cowing.
The problem is: Some information security professionals may discount the large body of security practices well defined under PCI because it is "nothing new" to them, or else they see PCI as beyond their scope since they are not directly involved with merchants and the related body of data security issues. Among the PCI compliance issues that Cowing says some financial institutions may be ignoring:
Struggling With PCI
Branden Williams, Director of VeriSign's PCI Practice, says many banking institutions "struggle with understanding the scope of PCI in their environment because they do multiple functions, such as issuing, acquiring, deposits, and issuer processing."
Williams' advice to financial institutions: "For starters, they should understand where all their data is and get a clear picture of how it is used."
Larger financial institutions have this understanding in pockets or silos, he adds, "But they struggle when trying to see the big picture. After they know where their data is, delete and purge from all the areas they don't need it (laptops, workstations, old servers, FTP areas, etc.), and harden security around the areas they do".
Getting to a homogeneous environment also seems to be a struggle for financial institutions, Williams says. "It's amazing how many financial institutions provide the means for an individual to wander in and compromise a single unpatched endpoint. It's more than possible, it's probable," Williams says.
If financial institutions would focus on good data security and keep PAN (primary account number) data as a confidential/sensitive element in their plan, "They stand to outperform merchants trying to do the same thing," Williams says.
Other actions recommended by the experts: