The Payment Card Industry data security standard created by Visa, MasterCard, and other payment services has emerged as a primary driver of IT security spending and some serious rethinking of how data and systems are secured. And with good reason. If the severe fines levied by Visa and its PCI partners aren't enough to persuade companies to invest in encryption, application firewalls, and other security measures, the threat of a costly and embarrassing data breach is enough to convince anyone.
"TJX is the new poster child for why PCI compliance is essential," says George Peabody, director of the emerging technologies advisory service at Mercator Advisory Group, which specializes in research and consulting for the payments industry. "Large merchants are working hard to meet the deadlines." TJX is the parent company of T.J. Maxx, Marshalls, and other retailers.
So are large credit and debit payment-processing firms such as Intuition Systems, which is trying to get out in front of the demanding PCI compliance requirement -- coming in 2008 -- that requires organizations to use application firewalls. Whereas a network firewall is more concerned with blocking malicious data traffic coming into a company's network, an application firewall provides IT shops with information about requests coming to their Web applications. "They let you know if a request is normal or a possible attack," says Intuition CIO Jean-Pierre Zaiter.
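The network-versus-application distinction drawn above can be shown concretely. The following is an added illustration, not code from the article, from Intuition Systems, or from Imperva's SecureSphere product: a network-layer filter that sees only addresses and ports, next to an application-layer inspection that checks each HTTP request against a positive model of what a payment endpoint is expected to receive and reports the request as normal or suspicious. The endpoint paths, parameter schemas, addresses and sample requests are all constructed for the example.

```python
"""Added example (not from the article): contrasts a network-layer filter,
which examines only addresses and ports, with an application-layer check
that validates each HTTP request against an allowlist of expected fields.
Endpoints, schemas, addresses and sample requests are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# --- Network firewall view: source address and destination port only ---
ALLOWED_PORTS = {443}
BLOCKED_NETWORKS = ("203.0.113.",)   # constructed range (RFC 5737 TEST-NET-3)


def network_filter(src_ip: str, dst_port: int) -> str:
    """Pass or drop a connection without looking at request content."""
    if dst_port not in ALLOWED_PORTS:
        return "drop"
    if src_ip.startswith(BLOCKED_NETWORKS):
        return "drop"
    return "pass"   # the HTTP request itself is never examined here


# --- Application firewall view: a positive model of each endpoint ---
@dataclass
class ParamRule:
    pattern: re.Pattern
    max_len: int


# Hypothetical payment-processing endpoints; the schemas are assumptions.
ENDPOINT_MODEL = {
    ("POST", "/api/charge"): {
        "merchant_id": ParamRule(re.compile(r"^[A-Z0-9]{6,12}$"), 12),
        "amount_cents": ParamRule(re.compile(r"^[0-9]{1,9}$"), 9),
        "token": ParamRule(re.compile(r"^[a-f0-9]{32}$"), 32),
    },
    ("GET", "/api/status"): {
        "txn_id": ParamRule(re.compile(r"^[0-9]{1,12}$"), 12),
    },
}


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    params: dict = field(default_factory=dict)


def inspect_request(req: Request) -> tuple[str, list[str]]:
    """Return ('normal', []) or ('suspicious', [reasons]) for one request."""
    reasons: list[str] = []
    rules = ENDPOINT_MODEL.get((req.method, req.path))
    if rules is None:
        return "suspicious", [f"unknown endpoint {req.method} {req.path}"]
    for name, value in req.params.items():
        rule = rules.get(name)
        if rule is None:
            reasons.append(f"unexpected parameter {name!r}")
            continue
        if len(value) > rule.max_len:
            reasons.append(f"{name}: length {len(value)} exceeds {rule.max_len}")
        elif not rule.pattern.match(value):
            reasons.append(f"{name}: value does not match expected format")
    for name in rules:
        if name not in req.params:
            reasons.append(f"missing required parameter {name!r}")
    return ("suspicious", reasons) if reasons else ("normal", [])


# Constructed sample traffic: both requests arrive on 443 from an allowed
# address, so the network filter passes both; only application-layer
# inspection tells them apart.
SAMPLE_REQUESTS = [
    Request("198.51.100.7", "POST", "/api/charge",
            {"merchant_id": "ACME001", "amount_cents": "1999",
             "token": "0f" * 16}),
    Request("198.51.100.7", "POST", "/api/charge",
            {"merchant_id": "ACME001", "amount_cents": "19.99",
             "token": "0f" * 16, "debug": "1"}),
]


def triage(requests: list[Request]) -> list[tuple[str, str, list[str]]]:
    """Run both layers over a batch and return per-request verdicts."""
    results = []
    for req in requests:
        net = network_filter(req.src_ip, 443)
        app, why = inspect_request(req) if net == "pass" else ("dropped", [])
        results.append((net, app, why))
    return results


if __name__ == "__main__":
    for net, app, why in triage(SAMPLE_REQUESTS):
        print(f"network={net} application={app} {'; '.join(why)}")
```

The point the example makes is the one Zaiter describes: a network firewall passes both requests because they look identical at the address and port level, while the application-layer check reports the second one as suspicious (a value in the wrong format and a parameter the endpoint never expects). Logging the reasons, rather than only the verdict, is what gives an IT shop the information about incoming requests that the article mentions.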
Intuition has since February been using Imperva's SecureSphere Web application firewall appliances. Zaiter found them particularly useful in protecting the various custom-made payments-processing applications Intuition has developed for its clients -- primarily merchants and retailers. "Because our customers ask for changes to these applications on a fairly frequent basis, we would have to retest each version of each application for compliance with PCI," Zaiter says.
Thus far, Intuition has spent as much as $250,000 on the hardware and software needed to achieve its own PCI compliance. This number excludes the labor costs associated with implementing the technology and the other IT projects that don't get done because PCI is such a high priority.
While it's not been proven that PCI compliance equals data security, it's clear that one of the biggest data breaches reported this year came from a company that was not PCI compliant. TJX last week announced in its first quarterly earnings statement that it took a $12 million hit, or 3 cents per share, because of the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems over an 18-month period.
This fiasco almost makes Visa's fines for noncompliance -- which can be tens of thousands of dollars per month -- seem like a slap on the wrist. "Large break-ins like TJX are exactly what they're trying to prevent with PCI," Peabody says.
The cumulative pressure heaped on companies that accept and process credit and debit card payments is likely to have a positive effect on data security, as it'll pressure merchants, payment issuers, acquirers, and processors to upgrade their security. PCI raises the bar for encryption, requiring compliant organizations to separate encrypted traffic from other network traffic. "We came up with a solution that was a load-balanced encryption process that moves traffic for encryption away from the rest of the network traffic," Zaiter says.
State legislators are riding the wave of data breach fears to give PCI an even sharper bite. Texas's House of Representatives last week unanimously approved a measure that would make PCI compliance a state law and force merchants and vendors that suffer a breach to reimburse banks and credit unions for costs incurred in blocking the use of compromised cards and issuing new ones if that business was not PCI compliant at the time of the breach. While some are leery of getting the government involved in enforcing an industry standard, Peabody says, "It certainly can't hurt compliance to have another source of consciousness rising out of statehouses."