Security Steps for Compliance Purposes? Why Not Just for the Sake of Security?

All too often I hear businesses ask the question, “What do I need to do to be compliant with XYZ regulation?”.    When I hear this, I know right off the bat, this company is in for a rough road ahead of them.  The goal of proper network security precautions should not be to meet a compliance or regulatory requirement, but instead to secure your data.  If businesses took common precautions to protecting data, they would find themselves in compliance for most regulations, industry requirements, PCI, and even tort laws.

For gicks and kiggles, let’s take a look at requirements for PCI-DSS, GLBA, SOX, HIPAA, FACT Act, PIPEDA, and EU Privacy (EU Data Protection and E-Privacy Directives) to just name a few.   These alphabet soups stand for:

PCI (Payment Card Industry Data Security Standards)  - Basically defines a set of rules, procedures, and policies that must be followed for companies across the globe that accept credit cards.

GLBA (Gramm Leach Bliley Act) - Establishes a set of Safeguards and Privacy Rules for financial institutions and those that provide financing options for their clients.

SOX (Sarbanes Oxley) - Contains 11 titles that describe specific mandates and requirements for financial reporting.  Applies to publicly traded companies.

HIPAA (Health Insurance Portability and Accountability Act) - Applies to companies involved in the health care industry and how to handle personal health information data.

FACT Act (Fair and Accurate Credit Transactions Act of 2003) - Basically contains provisions to help reduce identity theft.

PIPEDA (Personal Information Protection and Electronic Documents Act) - Think GLBA for businesses that operate in Canada.

EU Privacy (EU Data Protection and E-Privacy Directives) - Europe is quite a bit different from the US.  In Europe, privacy is a fundamental human right.   The general rule is to not allow the collection of private data unless permitted to by law.

Right off the bat, people think, “Man, that’s a lot of regulatory requirements”.  Especially when you look at companies that operate in many states and countries.  The fact of the matter is, many of the requirements overlap.

I tried to create a list of some of the most common security precautions that should be taken from a  high level perspective across the above alphabet soup.  Admittedly, there are a number of details missing.  I then cross referenced these and tried to find some of the overlap.   Because many regulations are not very explicit there could be arguements made either way as to whether or not a particular step should be implied and taken.  The basic goal of this chart is to illustrate the overlap.  In addition, to point out that as new laws and regulations are enacted, if you look at security holistically, you will find yourself ahead of the game and not only better securing your data but also meeting existing and future requirements.  It’s a large chart, so you may have to click here to see it all.

Security Steps and Associated Regulation

Of course, many probably also have questions about which of the above apply to them.  Again, another basic chart is below.  Again,  it’s a large chart, so you may have to click here to see it all. If you are in doubt, you can always contact me or one of our consultants at Nuspire.

What Regulations Apply to What Companies

So, I urge you to not look at security steps for the purpose of meeting a compliance issue.  If that’s your goal, you are missing the point.  You will also find yourself going through process after process over and over again every time a new regulation or requirement affects you.  This reactive approach to security can get very costly and cause a lot of unnecessary grief.

Small Merchants and PCI Compliance - Part 2: Management Buy-in

So, as a small merchant you now know that you have to be PCI compliant.  If not, you can read my last post here on the topic.  As discussed in my last post, you should start with an IT Policy and an IT Security Policy.  Now, I was going to write my next post here on the topic of writing an IT Security Policy; however, thanks to a tweet I received from @securitypro2009, I don’t have to.  Instead there is an excellent article that can be found written recently by Jennifer Bayuk aptly titled:  “How to Write an Information Security Policy”.

Perhaps the biggest issue for PCI compliance that I’ve encountered is getting management on board for the process.  In most cases, I have found this easier said than done.  On a regular basis, we provide security consulting to GM dealers across the US via an IDL (Interactive Distance Learning) broadcast that is sent across GM’s satellite network to all their retailers/dealers.  One of the topics discussed, is getting management buy-in.  I thought I would take a few moments to share the tips presented during the IDL via this forum as well for your benefit.

1. For starters, when approaching management about this topic it is best to be prepared.  A worksheet is something that will come in handy to ensure you cover your basis, demonstrate your knowledge, and also show that you “did your homework” on the topic.  The format of this worksheet should be kept simple.  Just lay out the 12 requirements, and from a high level see if you can answer “Comply” or not to each of them.  If you can’t answer them, state that too as it may be an indicator that you need to seek outside help.  If there is any requirement you know is “Not Compliant”, highlight this for future reference.
2. Review your worksheet.  If there is a large percentage of “Not Compliant” or “Unknown” status’, then you now have your first bit of ammo when speaking to management to get your buy-in.
3. You will also need to provide some points to rationalize becoming compliant.
   1. Why is it important that management addresses PCI?  Example answer:  “Compliance is a requirement if our business wants to continue accepting credit cards as a form of payment.  Since our company’s (Acme, Inc.) credit card income amounts to 70% of our revenue, losing this stream would be detrimental to our operations.  In addition, if we fail to comply and maintain our compliance, and are found to be in a breach we will also be subject to fines and penalties.  These fines and penalties will not only come from the payment card brands, but also from the banks, injured parties, law suits, etc…  Not to mention the fact that our company name would be slung through the mud as word is released to the public.”
   2. Why is the recommended solution the best solution?  Example answer:  “As you can see from my worksheet, there are a number of questions and topics that we simply cannot answer.  I think with the level of importance this is, it would be prudent to bring in a consultant to help us address this issue the most effectively.  I would hate to have us spend money in areas that are not needed only to find out there are still gaps in areas that are needed.”
4. You want to make your rationale as persuasive as possible.  Think in terms that the manager would be thinking.  Emphasize points such as cost savings, customer impact, avoidance of fines and penalties, or even spinning it positively as a chance for growth.  For example, why not publicize the fact that you have taken necessary efforts to protect your customer’s credit card information.  Doing so could make customers feel more confident about doing business with you as opposed to somebody else!
5. Also, start by talking to some consultants early on in the process and research.  Obviously, if you’re reading these articles, you’re on your way.  You may be surprised how much of this you can do on your own without having to hire an outside service (especially the documentation and writing of policies pieces).

I hope this helps getting you on your way to getting management buy-in to PCI compliance.  If you are a manager, perhaps some of the examples above will help you see why this is important.  In closing, I wanted to share a great quote I read on a PCI board recently:

“When it comes to PCI, there is no such thing as certified. There’s compliance and validation. Compliance is a state of being. Validation is a check on compliance. They are distinctly separate. There have been validated companies that have been compromised, but there has never been a compliant company compromised. Inaccurate validation abound for sure. It makes sense why compliance is required everywhere along with varying degrees of validation.”

Small Merchants and PCI Compliance

Are you ready? As you may or may not be aware, starting next summer ALL merchants including the smallest will be required to become PCI compliant. With this in mind, many acquiring banks have already started mandating compliance amongst their merchants. Some merchants, however, will be caught off guard unfortunately.

There are a lot of misconceptions, rumors, and falsehoods floating around about what is required for these small merchants in terms of compliance fulfillment. One of the main misconceptions is the belief that, as a small merchant, there is a different set of obligations that must be met. This is false. The core principles and accompanying requirements are the same regardless the size of the merchant. These are:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Some of the example misconceptions I have heard include:

Rumor: As a small merchant, I do not need to secure my cardholder data environments at each location.
Fact: As a small merchant, you must protect your cardholder data per all the requirements in Requirement #3

Rumor: Unless my acquiring bank tells me I have to be compliant, it is not necessary.
Fact: Even if your acquiring bank does not inform you of your obligations under PCI, you are still required to be compliant.

Rumor: As a small merchant, we have a different set of rules for compliance.
Fact: Large or small, all merchants have the same principles and obligations for PCI compliance. The only differences are in reporting requirements back to your acquiring bank.

Once again, I know small merchants will have many questions when it comes to their obligations under PCI. This will be a challenging feat for many of these merchants to meet. I suggest you contact one of our consultants at Nuspire and we can help answer questions you may have. My advice in this area for the small merchants is to start by getting a handle on what you have for IT systems on your network(s). Here are some questions that will get you started on the right track:

1. Do you have an IT Policy? If not, start creating one right away.

2. Do you have a Information Security Policy? If not, start creating one right away.

3. If you have multiple locations do you know what is on these networks? If not, start an inventory and network survey project to see what you have and how it is configured.

4. Is there consistency across your network? You can see how, the survey above will come in handy in determining this.

5. Do you have a budget for possible network changes? Chances are there will be gaps that you will be found during the process that need to be re-mediated.

If you start with the above, and then contact a consultant, you will be ahead of the game. The worse thing you can do is wait until the last minute. Consultants from Nuspire can be reached via telephone at 248-896-6150 or email at info@nuspire.com.