
Every ten weeks or so, more than 1,400 physicians pay
the Royal College of Physicians a fee - typically £800 - to take
examinations, and most of them pay via the RCP's purpose-built
website. For this, the RCP must comply with a credit card security
standard called the Payment Card Industry Data Security Standard (PCI DSS), or be refused support from its sponsoring
bank.
"We're not doing a vast number of serviceable transactions,"
says Christopher Venning, the RCP's IT network and support manager,
"but they just said to us, 'in order for us to provide you with
this service, you will have to be
PCI compliant'."
This requirement has formalised the college's information
security arrangements. "It makes you document stuff very formally -
it was an aid to thoroughness," says Venning. "It was a fabulous
thing to be able to sell to the people paying for the website. It
was no longer a debate about the business risks of this versus the
cost of that. To be compliant, the business had a defined
route."
Code audits
Venning says he feels lucky that the RCP's project was a
greenfield site - a project involving 45 VMware virtual machines
across seven HP blades, with a consolidation rate of six virtual
machines per blade. It made complying with PCI standards relatively
simple, he says, but adds, "The hiccup was that we were working on
the 1.0 standard and then along came 1.1, which threw us on a few
things."
One of the biggest challenges was making certain all the
website code developed was secure from SQL injection, cross-site
scripting, cookie poisoning and other
hacker attacks. Without such specific protection, the PCI DSS
requires a code audit, but because the project was greenfield Venning was
able to employ a Barracuda web application firewall instead.
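The two application-layer flaws named above, SQL injection and cross-site scripting, are what a code audit or a web application firewall is meant to catch. As an added illustration, not code from the RCP's site or from Barracuda, the following Python shows the defect a code audit looks for in a database lookup beside its hardened form, plus the output encoding that addresses cross-site scripting. The candidate table, its two rows and the function names are constructed for this example; nothing here reflects the RCP's real schema.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a
    # candidate-lookup table on an exam-payment site (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidate (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO candidate (email, name) VALUES (?, ?)",
        [("a@example.org", "Dr A"), ("b@example.org", "Dr B")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # The defect an audit flags: the query is assembled by string
    # concatenation, so characters in the untrusted input become part of
    # the SQL statement rather than a value being compared.
    sql = (
        "SELECT name FROM candidate WHERE email = '" + email + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, email):
    # Parameterised query: the driver passes the value separately from the
    # statement, so input can never alter the statement's structure. This
    # is the fix an audit would require; a WAF only filters the symptom.
    sql = "SELECT name FROM candidate WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def render_greeting(name):
    # Output encoding for the page body: any markup characters in
    # user-controlled data are turned into entities so the browser shows
    # them as text instead of interpreting them (the cross-site scripting
    # defence the audit also checks for).
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, "a@example.org"))
    print(render_greeting("Dr <b>A</b>"))
```

The point of the pair of lookups is what a reviewer checks during an audit: an input that is only ever a value in `lookup_hardened` can change the meaning of the statement in `lookup_vulnerable`. A WAF in front of the site tries to block such inputs before they reach the code; the parameterised form removes the problem at the source, which is why the standard accepts either control but the code fix is the durable one.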
"It's an expensive box, but I think it's saved us money," says
Venning, explaining that without it, continual audits of code
versions would prove costly.
However, there is still a need for periodic testing to preserve
system security, he says. "There is a requirement to have an
external penetration test. We use Integralis to do a three-monthly
check. They had nothing to do with building the site or any of the
configurations, and they do it without knowing any internal
details. We give them the URL and an account to log in on, and they
take it from there."
Once inside, a hacker might go anywhere, so any connected
systems must also comply with the standard, says Venning, who
fought to keep the payment card system boxed-in. "We provided a
level of isolation between the rest of the college site and this
stuff, so that we didn't have to expand the scope of the PCI into
everything else, which would have been impossible," he says. "We
spent quite a lot of time doing that isolation, which includes
special treatment of interfaces and all the data feeds."
This is where Venning is grateful his project was greenfield and
did not include hundreds of linked-together legacy systems, each
with proprietary interfaces and communications channels.
Legacy complications
Such a system would be a nightmare to make compliant, which
might explain why a recent survey by secure transaction specialist
The Logic Group revealed that only 11% of retailers, financial
services institutions and other businesses that accept card
payments are fully
PCI DSS compliant.
Bob Russo, general manager of the PCI Security Standards
Council, will not comment on the number of compliant retailers,
saying that is a matter for the payment card companies. But,
echoing Venning's comments, he admits the standard can be difficult
for established businesses to achieve.
"It takes many large merchants a very long time to become
compliant," he says. "It's not that they don't want to be
compliant, it's that they are using legacy systems that are 10 or
15 years old. It's easier to create a new application and build
security into it than it is to take a 10-year-old application and
retro-fit it with security. The last thing you want to do is break
your business while you're trying to secure it."
But times have changed, and although not every hacking attack is
successful, Russo says you can bet the hackers will try to break
in. "Security is a responsibility of being in business," he says.
"You get the trust and you get the loyalty of your customers. You
need to return that favour by making sure their data is
secure."