Legacy retailers find payment card security a tough standard

Every ten weeks or so, more than 1,400 physicians pay the Royal College of Physicians a fee - typically £800 - to take examinations, and most of them pay via the RCP's purpose-built website. For this, the RCP must comply with a credit card security standard called the Payment Card Industry Data Security Standard (PCI DSS), or be refused support from its sponsoring bank.

"We're not doing a vast number of serviceable transactions," says Christopher Venning, the RCP's IT network and support manager, "but they just said to us, 'in order for us to provide you with this service, you will have to be PCI compliant'."

This requirement has formalised the college's information security arrangements. "It makes you document stuff very formally - it was an aid to thoroughness," says Venning. "It was a fabulous thing to be able to sell to the people paying for the website. It was no longer a debate about the business risks of this versus the cost of that. To be compliant, the business had a defined route."

Code audits

Venning says he feels lucky that the RCP's project was a greenfield site - a project involving 45 VMware virtual machines across seven HP blades, with a consolidation rate of six virtual machines per blade. It made complying with PCI standards relatively simple, he says, but adds, "The hiccup was that we were working on the 1.0 standard and then along came 1.1, which threw us on a few things."

One of the biggest challenges was making certain all the developed website code was secure against SQL injection, cross-site scripting, cookie poisoning and other hacker attacks. Without specific protection, PCI DSS requires a code audit but, because the site was greenfield, Venning was able to deploy a Barracuda web application firewall instead.

"It's an expensive box, but I think it's saved us money," says Venning, explaining that without it, continual audits of code versions would prove costly.

However, there is still a need for periodic testing to preserve system security, he says. "There is a requirement to have an external penetration test. We use Integralis to do a three-monthly check. They had nothing to do with building the site or any of the configurations, and they do it without knowing any internal details. We give them the URL and an account to log in on, and they take it from there."

Once inside, a hacker might go anywhere, so any connected systems must also comply with the standard, says Venning, who fought to keep the payment card system boxed-in. "We provided a level of isolation between the rest of the college site and this stuff, so that we didn't have to expand the scope of the PCI into everything else, which would have been impossible," he says. "We spent quite a lot of time doing that isolation, which includes special treatment of interfaces and all the data feeds."

This is where Venning is grateful his project was greenfield and did not include hundreds of linked-together legacy systems, each with proprietary interfaces and communications channels.

Legacy complications

Such a system would be a nightmare to make compliant, which might explain why a recent survey by secure transaction specialist The Logic Group revealed that only 11% of retailers, financial services institutions and other businesses that accept card payments are fully PCI DSS compliant.

Bob Russo, general manager of the PCI Security Standards Council, will not comment on the number of compliant retailers, saying that is a matter for the payment card companies. But, echoing Venning's comments, he admits the standard can be difficult for established businesses to achieve.

"It takes many large merchants a very long time to become compliant," he says. "It's not that they don't want to be compliant, it's that they are using legacy systems that are 10 or 15 years old. It's easier to create a new application and build security into it than it is to take a 10-year-old application and retro-fit it with security. The last thing you want to do is break your business while you're trying to secure it."

But times have changed, and although not every hacking attack is successful, Russo says you can bet the hackers will try to break in. "Security is a responsibility of being in business," he says. "You get the trust and you get the loyalty of your customers. You need to return that favour by making sure their data is secure."
