PCI Lessons from the Processing Trenches
About 3Delta Systems
3Delta Systems, Inc. (www.3dsi.com) is a payment solutions company that
delivers the power of secure, Internet-based purchase and credit card
processing solutions to enterprise, business-to-business and
business-to-government customers. 3DSI's complete suite of payment
solutions, each designed from the ground up to be scalable, easy to implement
and conformant with PCI Data Security Standard best practices, enables merchants
and buyers to manage, authorize and settle payment transactions in real
time. As a leading Software-as-a-Service (SaaS) provider celebrating its
10th anniversary, 3DSI processes more than 6 million payment transactions
worth nearly $7 billion for over 2,500 corporations and government
agencies each year.
Press Contact:
Audra Capas
703-437-9301
By Aaron Bills, Founder and Chief Operating Officer, 3Delta Systems, Inc.
When news first broke about the malware-related breach at Heartland Payment
Systems a few weeks ago, some industry observers and analysts jumped into
the ensuing fray by suggesting that the Payment Card Industry Data Security
Standards (PCI DSS) for processing and protecting customer data had become
irrelevant and should be eliminated. After all, they argue, what good are
data security standards if a large, PCI-compliant company such as Heartland
could fall victim to a breach?
What utter nonsense.
In the ten years our company has been in the B2B and B2G payments processing
business, we've seen exceptional strides by our industry to foster better
data security and to enable those who process, store or transmit payment card
data to establish stronger technical and operational requirements for
safeguarding cardholder data. The PCI standards are a big reason why.
Some people mistakenly believe that PCI compliance equates to bullet-proof
invincibility against a data breach. It doesn't.
Becoming PCI-certified doesn't magically shield a business from losing data
or provide impenetrable security against hackers or malware. The 12 PCI DSS
requirements are not a panacea for solving all security ills, nor are they
static. Like information technologies themselves, they are a continual work
in progress. And they remain very good security industry standards in much
the same way that the International Organization for Standardization (ISO)
9000 is a very good worldwide benchmark for quality management in
manufacturing and service organizations.
Let's say, for example, that you buy a car from an ISO 9000-certified
manufacturer that has adopted a quality system designed to minimize defects
and focus on continuous improvement. This ISO 9000 standard conveys certain
controls and processes are in place at that manufacturer to produce a
quality car. It doesn't guarantee, however, that your new car will be
completely free of defects.
It took the automobile industry a decade to recalibrate its attitudes and
business processes before adopting quality improvement as a core management
practice. Between the mid-80s and mid-90s, the quality of cars produced by
American auto manufacturers improved measurably. Were there subsequent
quality-control issues? Certainly. But there were fewer of them.
Like the auto industry, payment processors, the major credit card
associations and merchants have come a long way over the course of a decade
in understanding the need for and establishing data security practices as a
management best practice. And the PCI standards have proven to be an
excellent roadmap for security self-regulation throughout our industry.
Like quality manufacturing improvement, IT security improvement requires
daily vigilance and work. One doesn't "get PCI compliant" automatically, nor
is it an annual audit event. PCI compliance is both a fundamental business
process and a way of life inside an organization. It's ongoing. It involves
continual evaluation of what you're already doing and what you can still do to
become better at database encryption, authentication and securing
data at rest and data in motion.
I'd be the first to admit that good payment system security is difficult.
It's especially difficult in complex systems that allow user access.
Payment processing systems are like a mosaic. Viewed from a distance, they
appear to be one image. But up close, you see a thousand individual yet
interconnected pieces that make up that single image.
Managing each piece of an information security mosaic in a payment
processing company is a dynamic, complex task with multiple operating
components, resource needs and requirements that constantly change. Managing
and optimizing technology operations and resources so they're well-protected
requires, among other things, configuring data centers and firewalls against
possible intrusions, updating core systems and assets such as hardware,
software and network architecture as well as staying abreast of IT
governance requirements and training staff. Security is also contextual,
depending on the environment in which the organization operates and the
circumstances that expose its vulnerabilities.
While no payment system on earth is 100% hack-proof, every processor can and
should manage the risk of a potential data breach by designing for the concept
of "graceful failure." Assume your system will fail at some point and that
perpetrators will gain access to your most sensitive information,
regardless of the security countermeasures in place. On that assumption,
processors must plan a layered, defense-in-depth approach to securing their
systems, so that if one safeguard fails, others can detect and counter an
attack. That's why we don't rely on a single security technique or technology
to protect 3Delta Systems' operations and infrastructure.
Malware authors can write code to evade common detection systems that rely
on signatures, such as antivirus software. Signature-based tools can only
block a piece of malware after it has been discovered and its signature added
to a database of known signatures. Developing malware to penetrate a complex
payments processing business isn't easy, and I believe such knowledge isn't
widespread. But security tools on the mass market today may not catch this
type of malware, which could lead to a breach, as Heartland discovered. So
what else can be done to help a payment processing system fail gracefully and
quickly recover?
File- and system-integrity monitoring technologies are a good addition to a
secure, multi-layered payment processing system. Think of these technologies
as a "Neighborhood Watch" for your computer. They automatically sound alerts
for "things that don't belong" (out-of-pattern, unexpected events), whether
they're intentional changes made by a system administrator or unintended ones,
such as a failing hard drive or a malware attack. When the monitoring system
finds anomalies, it sends up a flare, immediately alerting your IT staff that
something is wrong, akin to police responding to a Neighborhood Watch
emergency call. The integrity-monitoring technology's function is to sound
the alert. It becomes the professional IT staff's job to evaluate that
alert.
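The integrity-monitoring idea above, as an added example that is not 3Delta Systems' code: a minimal file-integrity monitor in Python that baselines a directory tree (SHA-256 plus permission bits per file) and later reports what no longer matches. The directory layout, file names and contents in `demo()` are constructed for illustration; as the text says, the tool only raises the alerts, and deciding whether each one is an authorized change is still a person's job.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> (sha256, permission bits) for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_mode & 0o777)
    return snap

def diff_snapshots(baseline: dict, current: dict) -> list:
    """Produce one alert per file that no longer matches the baseline, sorted by path."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("DELETED", rel))
        elif rel not in baseline:
            alerts.append(("ADDED", rel))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[rel], current[rel]
            if old_hash != new_hash:
                alerts.append(("MODIFIED", rel))
            elif old_mode != new_mode:
                alerts.append(("PERMISSIONS", rel))  # same bytes, different mode bits
    return alerts

def demo() -> list:
    """Constructed scenario: baseline a small fake config tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin"):
            (root / d).mkdir()
        (root / "etc" / "app.conf").write_text("timeout=30\n")
        (root / "bin" / "settle").write_text("#!/bin/sh\necho settle\n")
        baseline = snapshot(root)
        # Simulated drift since the baseline: an edited config, an unexpected new file, a deletion
        (root / "etc" / "app.conf").write_text("timeout=30\ndebug_dump=1\n")
        (root / "bin" / "helper").write_text("#!/bin/sh\n")
        (root / "bin" / "settle").unlink()
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored outside the monitored host (or signed), so that whatever altered the files cannot also quietly rewrite the record they are compared against.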
I'm also a firm believer in continuous training and learning, not just about
technology, but about how hackers in the real world are able to penetrate
sophisticated computer networks. We routinely meet with federal law
enforcement officials (the U.S. Secret Service, FBI and the Department of
Justice) to discuss the latest cyber attack prevention and security
techniques. We attend their briefings and we learn from what they're
experiencing on the front lines.
While there will always be varying degrees of risk involved with accepting
card payments at the merchant level, protecting customer cardholder data and
complying with PCI and government rules to ensure companies keep sensitive
information secure is a significant undertaking, a responsibility that grows
exponentially the larger a business becomes.
While our systems and our customers' data are as secure as we know how to
make them using today's technologies, we're always on the lookout for ways
to toughen our defenses and get better at what we do.
We find that by embedding the PCI standards and a deep ethic of security
awareness throughout 3Delta Systems, our business is better-run. And by
learning from the very difficult lessons of companies whose data has been
breached, we can all improve our own systems and countermeasures
industry-wide.