Archive for March, 2010

Many companies are aware of the Payment Card Industry Data Security Standard (PCI DSS). It’s a fairly ubiquitous standard that has been driving payment security for several years now. While opinions vary as to the effectiveness of the standard, one thing that is not disputed is that it’s certainly gotten attention from all corners – industry, consumer and government. While government at the federal level has been relatively slow to move, those at the state level are filling that regulatory vacuum.

Last week, Washington state became the latest state to pass a law codifying some or all of the PCI DSS. The Washington law (HB 1149) goes into effect July 1, 2010 and requires any company that processes 6 million or more payment card transactions per year and that sells goods or services to Washington residents to “take reasonable care” to protect payment card data. Companies that suffer a breach can be liable for the costs of re-issuing payment cards.

What is interesting here is that the law specifically states that entities are considered to be in compliance with the law if they have had an annual PCI DSS assessment and received a certificate of compliance. For those familiar with PCI DSS this leads into an interesting debate in and of itself: “Just because a company has a Certificate of Compliance, does that mean that it is, in fact, compliant?” Though the law says this certificate is “non-revocable,” it will be interesting to see how that actually plays out. The card brands certainly recognize the difference between being compliant and being validated as compliant – the validation is simply recognition that, at the time the assessment was conducted, the entity was compliant. Ongoing compliance is another matter entirely.

The passage of this law continues the trend started by Minnesota, in which states pass laws to codify some or all of the PCI DSS. Minnesota’s law reinforced the prohibition on storing sensitive authentication data after authorization. Last year, Nevada passed a law requiring PCI DSS compliance for any entity that stores, processes or transmits cardholder data. Several other states already have similar legislation before their legislatures.

Part 1: 

Recently, while meeting with a potential client, I was reminded that there is still quite a bit of confusion about the risks associated with data compromise. One of the questions raised highlighted some of that confusion. The person asked how a potential hacker would even know that their company existed on the Internet. When I was explaining how IP addresses worked she again asked how a hacker could know “their specific IP address.” While those of us with some technical background likely find this question somewhat basic, it is a common misconception that hackers will not be able to find a particular company’s IP address on the Internet and that the company is therefore not at risk of attack.

While a blog does not allow a detailed discussion of internetworking technologies, it is important to understand that every computer (server, laptop, desktop, etc.) that is Internet accessible has what is known as a ‘routable’ or ‘public’ IP address. Without this you could not access your favorite news site. While we are all used to typing in the domain name of the site we wish to visit (www.cnn.com), that domain name is associated with an actual IP address. As an example, you can reach www.cnn.com by typing either the domain name or the IP address 157.166.255.19. Names are resolved to addresses through a service known as the Domain Name System, or simply DNS. The lookup is a small request/response exchange with a resolver, and anyone on the Internet can perform it for any public name.
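To make the DNS step concrete, here is an added example (written for this post, not code from the original article) that builds a DNS A-record query for www.cnn.com on the wire, parses the reply, and checks that the reply carries the transaction ID the query used, which is the one cheap defense a client has against a spoofed answer. The reply is a constructed sample so the example runs offline; the `resolve()` helper at the bottom sends the same query to a real resolver (8.8.8.8 is an assumption; substitute your own) if you want to try it live.

```python
import socket
import struct

# Assumed resolver for the live helper only; the offline test never touches the network.
DEFAULT_RESOLVER = "8.8.8.8"


def encode_name(name):
    """Encode 'www.cnn.com' as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive query (RD=1) for one A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2              # caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_txid):
    """Return [(name, dotted_ip, ttl), ...] from the answer section of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def constructed_response(query, ip, ttl=300):
    """Constructed sample reply (not captured from a real resolver):
    echoes the question and adds one A record using a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer


def resolve(name, server=DEFAULT_RESOLVER, txid=0x1234, timeout=3.0):
    """Live lookup over UDP/53; requires network access."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_a_records(reply, txid)


if __name__ == "__main__":
    q = build_query("www.cnn.com")
    print(parse_a_records(constructed_response(q, "157.166.255.19"), 0x1234))
```

The constructed reply uses the same compression pointer (0xC00C) a real resolver would, so the parser is exercised on the realistic case rather than a flat one. A real client should also randomize the transaction ID and source port instead of the fixed 0x1234 used here for reproducibility.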

To identify the IP address you are currently using, you can visit www.whatismyip.com. This will show your existing public IP address (strictly, the address of whatever sits at your edge, usually your firewall or router, but that is a post for later). If you have a public IP address (which you do, or you would not be able to access the Internet), then that IP is visible to the entire Internet.

So now you are likely wondering how a particular criminal could find your computer on the Internet when you do not have a registered domain name. To have Internet service you signed up with an Internet Service Provider like AT&T or Comcast. These ISPs have ranges of registered IP addresses that they provide to their clients, and those ranges are a matter of public record. If a criminal can find the IP range of a service provider, they can scan the range and identify active systems associated with those addresses. For example, AT&T ‘owns’ the IP range 12.0.0.0 – 12.255.255.255. While this is a very large range of IP addresses (over 16 million), I can scan any of the IPs in the 12.x.x.x range and potentially locate a system, and scanning tools make sweeping ranges of that size routine.

The short answer is that if your company or home computer is able to access the Internet, it has an IP address associated with the connection. Firewalls, NAT and other technology can provide protection, but the Internet edge device (firewall, router, or even your computer itself) will be visible to the Internet at large.
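Here is an added example (not code from the original post) of the range sweep described above: it expands a provider block with Python's `ipaddress` module and tries a TCP connect to a couple of common ports on every host, reporting which addresses answered. The probe is pluggable so the sweep can be exercised offline against a constructed block (192.0.2.0/29 is reserved documentation space, used here as a stand-in). Run the live `tcp_probe` only against addresses you are authorized to scan.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def range_size(cidr):
    """Number of addresses in a block, e.g. the 12.0.0.0/8 range mentioned in the post."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def tcp_probe(ip, port, timeout=0.5):
    """Live probe: True if a TCP connection to ip:port completes.
    A completed handshake proves a host is up and listening; a timeout or
    reset tells you nothing certain (the host may simply filter the port)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(cidr, ports=(80, 443), probe=tcp_probe, workers=64):
    """Probe every host address in `cidr` on each port in `ports`.
    Returns {ip: [open ports]} for hosts that answered at least once."""
    net = ipaddress.ip_network(cidr, strict=False)
    targets = [(str(host), port) for host in net.hosts() for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda t: (t, probe(*t)), targets))
    live = {}
    for (ip, port), answered in results:
        if answered:
            live.setdefault(ip, []).append(port)
    return live


def fake_probe(ip, port):
    """Constructed stand-in for tcp_probe so the sweep runs offline:
    pretends exactly one host in the sample block answers on 443."""
    return ip == "192.0.2.5" and port == 443


if __name__ == "__main__":
    print("addresses in 12.0.0.0/8:", range_size("12.0.0.0/8"))
    print("offline sample sweep:", sweep("192.0.2.0/29", probe=fake_probe))
```

The point of the example is the mechanics: nothing here needed a domain name, only an address block and patience. A /8 holds over 16 million addresses, but at 64 concurrent half-second probes that is hours, not years, which is why unsolicited scans are a constant background on any public address.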

In the next post we will continue the discussion and talk about how the criminals can actually access the systems once they are found.

Chris Mark, ProPay’s EVP of Data Security and Compliance, will be speaking at the 2010 ETA Compliance Day panel on End to End encryption. This should be a very interesting panel, as End to End encryption is the hot topic for 2010. Be sure to catch Chris after the panel and say hello.

According to a new study published by the Ponemon Institute, the costs of data breaches continue to rise. In 2005 the cost per breached record was $138; it rose to $202 in 2008, a nearly 46% increase in the cost per record. A more compelling statistic is that the ‘lost business’ component grew almost 38% over four years. This indicates that customers are getting increasingly unhappy with businesses that experience data breaches and are showing their dissatisfaction by taking their business elsewhere. In fact, 84% of surveyed consumers expressed increased concern or anxiety over lost data.

It should come as no surprise that companies that experience data breaches are hit hard both financially and reputationally. Many of the companies that I speak with express a greater concern over the reputational aspect than the financial aspect. I am reminded of a major franchise that had a single store found to have rats. The headline in the newspaper did not read “XYZ franchise #3 has rat problem” it read: “XYZ company has rats”. We see a similar situation in the payment card industry. If a franchisee experiences a data breach it is the parent company that is going to take the hit to their reputation.