The recent TJX Companies Inc. data breach refocused attention on credit card security, retailers and the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is to the credit card industry what Sarbanes-Oxley (SOX) has been to publicly held companies. It pushes card issuers and processors to comply with the PCI Security Standards Council guidelines, the most recent version of which was drafted in September 2006, and forces them to invest in the necessary compliance technology and training or face crippling consequences. Those who don't can be heavily fined or barred from issuing or accepting cards from any council member. And because the council is a consortium of five powerful card companies (Visa, MasterCard, American Express, Discover and JCB), non-compliance can effectively ban a bank from issuing cards or a merchant from accepting them.
PCI DSS is not groundbreaking; it is simply a set of information security standards no different than those at any large bank or publicly held corporation. But it has molded security throughout the credit card industry lifecycle, from how banks issue cards to how retailers accept them.
During the TJX breach, hackers stole an undetermined number of credit card accounts, some of which dated back to 2003; as a result, dozens of banks reported incidents of fraud from the compromised cards. Also, because TJX had stored old account information instead of deleting it, the company violated a PCI requirement, which mandates that a company remove data it no longer needs.
In total, there are twelve PCI DSS-required controls. They cover access management, network security, incident response, network monitoring and testing, and information security policies. Critics of PCI DSS claim that in some areas it is too restrictive (it interferes with how companies set up firewalls and antivirus software, for example) and in others, such as incident response and network monitoring, too vague.
Additionally, these twelve controls are grouped together under six PCI DSS "control objectives." They include:
-Build and maintain a secure network: Ensure firewalls are installed and that changes to rules are adequately logged. Web servers that must access the Internet should be in a DMZ. Database servers holding customer account information should be inside the company's network, protected by a firewall. Note: For the most part, these requirements are already part of the networking staff's routine job responsibilities.
-Protect cardholder data: Stored account numbers must be encrypted or truncated, and customer data must be disposed of when no longer needed. This was the fatal mistake in the TJX case. Encryption over public networks for data in motion should be done using SSL.
-Maintain a vulnerability management program: This control covers a wide range of requirements. It requires antivirus software on all servers and workstations, and recommends everyone follow guidelines from the Open Web Application Security Project (OWASP) for developing Web applications.
-Implement strong access control measures: Restrict access to systems with account numbers and ensure user accounts are audited to remove outdated or malicious accounts. Stored passwords should also be encrypted.
-Regularly monitor and test networks: Requires regular vulnerability scans, reviews of server logs and the installation of intrusion detection or prevention systems (IDS and IPS).
-Maintain an information security policy: Draft an information security policy that covers access control, network and physical security, and application and system development. It's important to keep the policy updated as systems and needs change, and to make sure it's distributed to system users.
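The "protect cardholder data" objective above, and the retention failure in the TJX case, come down to two checks a merchant can run over its own stores: is any full account number still readable at rest, and is any record older than the documented retention period? The following is an added example, not code from the article or from the PCI Security Standards Council; the 180-day retention window, the record layout and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed retention window. PCI DSS leaves the period to the merchant's
# documented business need; it only requires that data past it be removed.
RETENTION_DAYS = 180


@dataclass(frozen=True)
class CardRecord:
    account: str     # stored PAN field, either full or truncated
    last_used: date  # constructed stand-in for the record's business date


def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN.
    PCI DSS allows at most those ten digits to stay readable; the middle
    digits are replaced with 'X', so the value no longer works as a card number."""
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError(f"PAN length {len(d)} is outside 13-19 digits")
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def holds_full_pan(value: str) -> bool:
    """True when a stored field still contains an untruncated card number."""
    return 13 <= len(digits_only(value)) <= 19


def audit_store(records, today: date):
    """One finding per violation: full PAN at rest, or data kept past retention."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    findings = []
    for r in records:
        if holds_full_pan(r.account):
            findings.append((r, "full PAN stored; encrypt or truncate"))
        if r.last_used < cutoff:
            findings.append((r, "past retention period; delete"))
    return findings


# Constructed sample store: one compliant record, one full PAN, one stale record.
TODAY = date(2007, 3, 1)
SAMPLE = [
    CardRecord("411111XXXXXX1111", date(2007, 1, 15)),
    CardRecord("4111 1111 1111 1111", date(2007, 2, 20)),
    CardRecord("555555XXXXXX4444", date(2003, 6, 30)),
]

if __name__ == "__main__":
    for rec, why in audit_store(SAMPLE, TODAY):
        print(f"{rec.account}: {why}")
```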
The standard also requires that PCI compliance be certified by two separate outside consultancies. And with that in mind, numerous consultants now offer PCI compliance services.