Electronic payment systems create an ecosystem — the actions of one participant have an impact on all. This has been seen repeatedly when a single organization fails to protect consumers’ payment data, resulting in increased costs for all retailers and banks.
Each time there is a breach, such as the one impacting TJX, all card issuers must increase their reserves against anticipated fraud losses. The Payment Card Industry (PCI) Data Security Standard (DSS) is meant to improve the overall health of the payments ecosystem by ensuring that individual participants behave responsibly.
However, the DSS is a statement of what must be done; it does not provide a blueprint for how it should be done. Payment system participants must seek out the best practices that satisfy its requirements. This is an intimidating task even for organizations that focus on the arcane art of data security, and more daunting still for organizations whose core competency is high-speed processing or retailing. This article aims to simplify some of that complexity for the benefit of these businesses.
12 Best Practices
The DSS includes 12 requirements, each expressing an accepted data security best practice. Most are straightforward, such as "an organization should change the vendor-supplied default administrator passwords for its relational databases and network devices," since criminals frequently try default administrator passwords as a first attack. Other requirements state that organizations should maintain the following:
- Firewalls to keep out unwanted network intrusions
- Anti-virus software to block malicious applications that skim passwords or key strokes
- Physical security for the systems that process payments
Two other requirements, however, introduce new concepts and complexity for the organizations processing payments: Requirement 3 of the DSS states that cardholder data must be protected when stored, and Requirement 4 states that cardholder data must be encrypted when transmitted across open, public networks, whether the data is moving within the originating organization or between organizations. Understanding and acting on these two requirements calls for an understanding of the three principal classes of electronic data:
- Real-time transaction (or messaging) data
- Volatile production data
- Accumulated data
Transaction, Production and Accumulated Data
Within electronic payments, real-time synchronous exchanges of data, or transactions, make up the class that is most visible to the public. The retail community expects purchase authorizations to complete quickly, never taking more than a few seconds while a purchaser is standing at the point of sale.
This keeps the purchaser's experience positive and keeps labor costs in check. Because of the expectations of high reliability and low response time, this class of data is best protected by hardware devices at the point of sale, backed by supporting systems built for that specific purpose alone.
Production data is the up-to-the-moment view of outstanding balances and new transactions. It is required by those who have extended credit to the consumer and support the retailers accepting electronic payments. A card issuer extending credit may have millions of customers.
They need to keep a precise account of how much credit each customer has used compared to the buying limit, even if the individual is visiting many retailers and making many purchases in a short time. The database of this accurate accounting information, then, is changing constantly, as purchases and returns are made, payments processed, and fees applied.
The data for a consumer making a transaction must be located and evaluated against the sponsoring organization's business policies, again within the short transaction response time. Protecting this data is best done with tools provided by the database vendor. The organizations that build and tune the database engines are best placed to deliver solutions that meet both the performance and the data protection expectations.
The third class, accumulated data, frequently represents the greatest risk to the payment systems participants and, overall, the electronic payments ecosystem. As transactions occur, different systems aggregate very large masses of this sensitive data for different needs. This data then passes between the retailer and banks that support them, those banks and payment networks, and other third parties.
A large file of accumulated payment data is an extremely tempting target for interception or theft. The many players exchanging these large aggregations of data run disparate IT infrastructures and underlying operating systems. Protection attached to the data itself, rather than to the means of transport or to the processing applications, is therefore essential.
Guarding the Data
To reduce operational costs and data center complexity, a solution protecting accumulated data should do the following:
- Be commercial off-the-shelf (COTS): encryption for data protection is a specialized field, and both professional implementation and ongoing support are mandatory.
- Support the major enterprise operating systems with a consistent implementation to ensure easy exchange of DSS-protected data.
- Offer in-line application integration to minimize both risk of exposure and impacts on processing windows.
- Work equally well for high-speed, unattended processes as for ad hoc, user-driven processes.
- Apply security directly to the data so it remains protected even if intercepted or skimmed — in other words, a data-centric approach to protection rather than application-centric or electronic transport-centric approaches.
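As an added illustration of the data-centric approach described above (example code written for this article, not PKWARE's product or any PCI-mandated format), the following Go program encrypts an accumulated batch file with AES-256-GCM and writes a small self-describing container: a magic string, a key identifier, and a nonce, all bound to the ciphertext as additional authenticated data. The container format, the key identifiers, and the in-memory demo key table are assumptions for the example; in production the keys would live in an HSM or key management service. Because the protection travels with the file, an intercepted or skimmed copy is useless without the key, and any modification, including a swapped key identifier, is detected before a single byte of plaintext is released.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout (assumed for this example, not a PKWARE or PCI format):
//   magic "CHD1" | key ID (uint32, big-endian) | nonce (12 bytes) | ciphertext+tag
// The whole header is passed to AES-GCM as additional authenticated data,
// so tampering with the key ID or nonce fails authentication just like
// tampering with the ciphertext does.
var magic = []byte("CHD1")

const (
	headerSize = 4 + 4 + 12 // magic + key ID + nonce
	nonceSize  = 12
)

// demoKeys stands in for a KMS/HSM lookup (constructed for this example).
// Key 7 is 32 bytes, which selects AES-256.
var demoKeys = map[uint32][]byte{
	7: []byte("0123456789abcdef0123456789abcdef"),
}

// gcmForKey resolves a key ID to an AEAD instance.
func gcmForKey(keyID uint32) (cipher.AEAD, error) {
	key, ok := demoKeys[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a batch file under the key identified by keyID and
// returns the self-describing container.
func Seal(keyID uint32, plaintext []byte) ([]byte, error) {
	gcm, err := gcmForKey(keyID)
	if err != nil {
		return nil, err
	}
	header := make([]byte, headerSize)
	copy(header[0:4], magic)
	binary.BigEndian.PutUint32(header[4:8], keyID)
	if _, err := rand.Read(header[8:headerSize]); err != nil { // fresh nonce per file
		return nil, err
	}
	// The header is authenticated (AAD) but not encrypted; the body is both.
	return gcm.Seal(header, header[8:headerSize], plaintext, header), nil
}

// Open authenticates and decrypts a container produced by Seal. It returns
// an error, and no plaintext, if the container was modified in any way.
func Open(container []byte) ([]byte, error) {
	if len(container) < headerSize || !bytes.Equal(container[:4], magic) {
		return nil, errors.New("not a CHD1 container")
	}
	header := container[:headerSize]
	gcm, err := gcmForKey(binary.BigEndian.Uint32(header[4:8]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, header[8:headerSize], container[headerSize:], header)
}

func main() {
	// Constructed settlement batch; 4111111111111111 is a well-known test PAN.
	batch := []byte("4111111111111111,2009-03-01,12.34\n4111111111111111,2009-03-01,99.00\n")
	container, err := Seal(7, batch)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d container bytes\n", len(batch), len(container))

	if got, err := Open(container); err != nil || !bytes.Equal(got, batch) {
		panic("round trip failed")
	}
	fmt.Println("round trip ok")

	// Simulate an intermediary flipping one bit of the file in transit.
	tampered := append([]byte(nil), container...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(tampered); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

The container carries everything a receiving system on any operating system needs to locate the right key, which is what makes the file exchangeable across the disparate infrastructures mentioned above; the nonce is generated fresh per file because reusing a nonce under the same GCM key destroys both confidentiality and integrity.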
Joe Sturonas is chief technology officer and Jeff Cherrington is vice president of product management at PKWARE, a provider of data security and file compression solutions.