I found this useful for explaining what one actually has to do to become PCI compliant. Here are the 12 general requirements for PCI Compliance in more or less plain English.

Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) is required of every merchant that stores, processes or transmits cardholder data. Since managed video as a service (MVaaS) companies often integrate with their customers’ POS systems, demonstrating PCI compliance has become increasingly important. It will likely become a minimum requirement for video service providers in the years to come.
So every so often we see stories like this one, and the topic is reinvigorated.
Was this “fraud” made possible by lax controls? The federal authorities have not determined that. But be sure that vendors don’t want the negative publicity that comes with being the unknowing facilitator. Count MVaaS vendors among them.
“We regret to inform you that your credit card information may have been compromised.”
That’s how the letter started (or something to that effect). Nice that they didn’t wait until paragraph 2 for the punchline, so I didn’t need to read on.
This is the second time that I have received a letter like this. The other was from a state government indicating that my SOCIAL SECURITY NUMBER “may have” been written on the tax forms that were mailed to my home. Ouch!
The credit card industry and many vendors who accept cards are on the case. In fact, the industry-wide efforts around PCI compliance certification have been a frequent topic on these pages (links for your convenience: Credit cards and video – not peanut butter and chocolate; What is PCI?; Why should I worry about PCI?; Why most DVR vendors do not even know what PCI is; PCI myths debunked; Why compliance does not equal security; PCI nightmare; Hopefully the last PCI post for a while; Why do retailers care about PCI again?; Don’t forget about the cardholder environment!).
I know that the industry players will continue to strengthen their methods. I’m also proud of Envysion’s contributions to these efforts.
Just check out the attached article on CNN that highlights how 40 million credit card numbers were stolen from about a dozen retailers.
The flaw that was exploited to get this credit card information was in the retailers’ local area networks. The article indicates that the criminals put sniffers on the companies’ wireless in-store networks and were able to siphon off millions of credit card numbers. Since the article is about the prosecution of the crooks, the actual crimes likely took place years ago, which means that all of these retailers have probably completely buttoned up their store networks to ensure this type of thing doesn’t happen again.
Think any of these companies are going to let a non-PCI-compliant video service (or digital signage, or Muzak, or any other network-based service) run on their local store networks? MVaaS and traditional providers alike had better get moving towards PCI compliance or risk not making it out of the starting gate with retailers in the future.
Yesterday, I wrote about the most common PCI audit failures. Today, I’ll share a few that Envysion encountered. The biggest one? Writing down what was obvious for us to do in the first place. Take our firewall, for example. My chief network architect, Darren Loher (who is a frequent poster to this blog), selected a great firewall to buy (Cisco) and determined the policy and configuration needed. He also engaged a terrific security consulting firm, Inspekt Security, to assist. Our firewall configuration was 99% compliant on day one. However, we didn’t have a written policy in place requiring that configuration to be installed. We also didn’t have a firewall change request form or a firewall change review meeting. We have those now.
Sometimes the hardest part is the documentation!
I was flying my boat to the moon the other night, when John Glenn asked me to review the list of PCI requirements still to be completed (or remediated, in PCI argot). The list … shows we haven’t started … almost 270 items to go … it’s all blank … oh no … beep-beep-beep and my alarm clock wakes me up. Yet another PCI nightmare is over. The good news, however, is that we are done with this process and now have technically passed our PCI-DSS audit. Woo-hoo!
What were the pitfalls we encountered? Verisign has a nice list of the top PCI audit failures. The areas where companies most commonly fail are generally what you might expect: failure to protect stored data, failure to test security systems and processes, failure to assign each user a unique ID for system access, failure to install a strong firewall configuration, etc.
However, there are a couple of areas in the top 10 that are pretty frightening to discover still exist in 2008, such as failure to change default system passwords and failure to restrict physical access to cardholder data.
How did Envysion do against the averages?
I’ll share that tomorrow.
Drew Mize, vice president of product management and marketing at The Pinnacle Corporation, wrote a very interesting short piece on PCI myths that is worth reading. Unfortunately, it’s only available in the print copy of the magazine of the Association for Convenience and Petroleum Retailing.
Two of the most salient points: first, it’s the end-user owner/operator who is responsible for the fines and ongoing penalties if there is a PCI-related issue. This is the case even if your equipment vendor claims to be PCI compliant.
Second, here is a sure-fire way to determine whether your equipment or service provider is really PCI aware. Ask them to recommend at least one certified PCI auditor. They should always be able to name the auditor that performed their own PCI audit. If they can’t, “start asking the hard questions!”
Caveat Emptor
Most traditional DVR vendors answer the PCI question with the simple response “The DVR doesn’t process credit card transactions; therefore it does not have to be PCI compliant.” Unfortunately, this response ignores the fact that any DVR that is Internet accessible is a serious risk to the merchant’s PCI compliance unless it meets the PCI-DSS standards. Why? Because the DVR sits on the same store network as the POS and back office systems, so if the DVR isn’t secure, a “bad guy” could gain unauthorized access to it and then use it as a platform to reach those systems and steal cardholder information.
If you hear the above response from your DVR vendor, walk away from them, as quickly as you can!
Do end users really care about this? Well, here is a series of concerns from one enlightened end user with over 500 locations (quick service):
However, they [DVR] must meet the PCI standards for a networked device since it would reside on the same network as our back office system and POS systems:
These are just a few of the concerns. In short, PCI-DSS certification is quickly becoming a mandatory requirement.
Not convinced yet? Next week I’ll share an RFP for 6000 stores that talks about PCI … have a great Memorial Day.