PCI Compliance Requirements Put Burden on Satellite Sector
Payment cards are the lifeblood of the modern retail industry. The ability to quickly and reliably transport large numbers of credit card transactions fueled the early growth of the VSAT industry, making satellite technology the de facto network standard in the retail segment, but big changes have occurred within the payment card industry that are having major ramifications.
How will these changes affect retailers who rely on VSAT technology and how will the changes affect satellite service providers?
The Birth of PCI
Credit card companies have always been security conscious, but each of the major card brands had its own similar but disparate security standard. In September 2006, Visa, MasterCard, American Express, Discover, and Japan Credit Bureau (JCB) officially created the Payment Card Industry Security Standards Council and threw their collective weight behind a single common security standard for payment card data, known as the PCI Data Security Standard (PCI DSS). PCI DSS is a set of requirements designed to safeguard credit card data, and the standard applies to anyone who transmits, stores or processes payment card data. The PCI Data Security Council oversees and administers the PCI Data Security Standard and believes that data security is everyone’s business. The council is doing its best to create a global sense of community for those associated with the payment card industry, and the number of participating organizations is up to 622. The council is broken down into different groups and, as the need arises, Special Interest Groups (SIGs) are created to tackle specific technological challenges and provide input to the PCI Working Group. Satellite technology is included in the Wireless SIG, along with Wi-Fi and Bluetooth technologies.
There are 12 requirements that apply to every company that stores, transmits or processes payment card data. PCI compliance is mandatory, and conformity to the requirements is neither trivial nor cheap. The consequences of failing to meet the requirements can be severe, ranging from fines up to and including electronic excommunication by the major card processors.
PCI Compliance: A View from Outer Space
“It isn’t enough just to provide a bit pipe anymore,” says Tim Tang, marketing director of the Business Solutions Group at Hughes. “In the beginning, Hughes provided customers connectivity. Later, we optimized their networks. Now satellite service providers must be PCI compliant. If you aren’t compliant, retailers can’t use your network. The requirements are extremely burdensome, and it is imperative that we do more than just transmit data.” Hughes’ client base includes a large number of enterprise customers that send payment card data over their networks. At last count, the company serves more than 50,000 gas stations, 40,000 retailers and 17,000 restaurants, with the number of credit card transactions averaging somewhere between 5 million and 6 million per day. In addition, as a PCI compliant “merchant,” Hughes processes payment card transactions for more than 500,000 users of the HughesNet service in the consumer and SME segment.

The PCI Data Security Standard is updated on a three-year cycle. “Whenever new regulations come out, there are deadlines for enforcement,” says Tang. “PCI-DSS Version 2.0 was recently released, and there is a big push to get everyone upgraded, but there is a practical reality to the challenge. System upgrades can be very costly and, combined with a bad economy, many retailers were falling behind on their schedules. When confronted with the challenges, the council softened their deadline a bit, allowing companies who weren’t going to be compliant by this coming July to have an upgrade plan in place, but they have to stick to the plan and make the required upgrades.”

The Council categorizes merchants by size and has different requirements for compliance accordingly. Level 1 includes merchants who process more than 6 million credit card transactions per year. A typical convenience store chain can reach that number with just 20 locations. Level 1 merchants also face an annual on-site audit by a security firm certified by the council.
Merchants classified as Levels 2-4 handle fewer transactions each year and must complete an annual self-assessment. In addition, all merchants must have quarterly network scans performed by a PCI Approved Scanning Vendor.
Satellite service providers must meet the same PCI requirements as a payment gateway, which is an entity that acts as a front end to a card brand. “Although we technically aren’t a payment gateway, we are treated as one by PCI and fall under the same scrutiny when it comes to security,” says Scott Hutchinson, director of application engineering at Spacenet. Network security has become much more important to network operators and their customers as satellite networks have become intermingled with the Internet. PCI requirements take security to a new level, forcing satellite service providers to take on new duties, including log management. Credit card terminals communicate with central servers, and logs of every transaction are kept as an audit trail. Intrusion detection systems and intrusion prevention systems monitor transactions and filter out anomalies from routine network traffic. Every irregularity, which might be a hacker attempting to penetrate security, must be screened by a human to ensure it does not indicate a vulnerability. Logs are required for evaluation should a security breach occur.
LogRhythm specializes in log management and security information and event management (SIEM) and sells tools to collect and monitor the logs required by PCI. Recent changes to the PCI guidelines regarding central log tracking were significant, and many service providers understand that it is demanding and costly to develop and maintain their own in-house log monitoring tools. “The primary regulation of concern to application monitoring is the new regulation PCI PA-DSS 4.4, which states that payment applications must facilitate centralized logging,” says Eric Knight, knowledge engineer at LogRhythm. “Although this is a seemingly small change, there are some big issues which must be addressed. This means that many environments were not logging their applications before. It also means custom collection and rules for log repositories and SIEM technologies are likely to be required. These types of changes make it much more challenging for companies with home-grown logging systems to be compliant,” he says.
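The central log screening described above, as an added example that is not part of the article and not LogRhythm's, Hughes' or Spacenet's code: it parses constructed POS log lines forwarded to a central collector and flags the irregularities an analyst has to look at (a terminal missing from inventory, traffic to a host that is not the authorized processor, a burst of declined authorizations). The log format, the terminal inventory and the threshold are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample of centrally collected payment-application log lines (not from
# any real deployment). Assumed format:
#   <ISO timestamp> term=<terminal id> dst=<host:port> event=<auth_ok|auth_declined|conn>
SAMPLE_LOGS = """\
2011-03-01T10:00:01Z term=POS-0117 dst=proc.example.net:443 event=auth_ok
2011-03-01T10:00:04Z term=POS-0117 dst=proc.example.net:443 event=auth_ok
2011-03-01T10:00:09Z term=POS-0118 dst=proc.example.net:443 event=auth_declined
2011-03-01T10:00:12Z term=POS-0118 dst=proc.example.net:443 event=auth_declined
2011-03-01T10:00:15Z term=POS-0118 dst=proc.example.net:443 event=auth_declined
2011-03-01T10:00:20Z term=POS-0119 dst=198.51.100.7:8080 event=conn
2011-03-01T10:00:25Z term=POS-0200 dst=proc.example.net:443 event=auth_ok
"""

# Assumed inventory: terminals the store owns and the only endpoints card data may go to.
AUTHORIZED_TERMINALS = {"POS-0117", "POS-0118", "POS-0119"}
AUTHORIZED_DESTINATIONS = {"proc.example.net:443"}
DECLINE_THRESHOLD = 3  # declines per terminal before a human must look (assumed value)

LINE_RE = re.compile(r"^(?P<ts>\S+) term=(?P<term>\S+) dst=(?P<dst>\S+) event=(?P<event>\S+)$")

def parse_lines(text):
    """Parse log lines into dicts; malformed lines are reported, never silently dropped."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            malformed.append(line)
    return records, malformed

def screen(records):
    """Return findings for analyst review: unknown terminals, unauthorized destinations,
    and decline bursts. Each finding is a (kind, terminal, detail) tuple."""
    findings = []
    declines = Counter()
    for r in records:
        if r["term"] not in AUTHORIZED_TERMINALS:
            findings.append(("unknown_terminal", r["term"], r["ts"]))
        if r["dst"] not in AUTHORIZED_DESTINATIONS:
            findings.append(("unauthorized_destination", r["term"], r["dst"]))
        if r["event"] == "auth_declined":
            declines[r["term"]] += 1
            if declines[r["term"]] == DECLINE_THRESHOLD:  # report once, at the threshold
                findings.append(("decline_burst", r["term"], declines[r["term"]]))
    return findings

def screen_text(text):
    """Parse and screen a block of collected log text; malformed lines become findings too."""
    records, malformed = parse_lines(text)
    return screen(records) + [("malformed_line", line, None) for line in malformed]
```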
Point-of-sale terminals run the gamut from simple card-swipe systems to stand-alone computers. A good example of a complex point-of-sale terminal is a new-generation gas pump, which offers more services but increases the potential for a security breach. Scoping, or segmenting the local area network at a retail location in order to minimize the scope of a PCI audit, is a hot topic. “The biggest challenge to a PCI audit is at the store level,” Hutchinson says. “A good example is a LAN-connected card reader in a store. The C-store owner may want to add another PC to the LAN to provide back-office functionality, but that is a security risk. The goal is to limit the card holder data environment. Spacenet’s Prysm Pro incorporates a router and firewall and provides logical and physical LAN segmentation. This approach ensures that the credit card data is isolated and protected.”
VSAT networks were previously considered to be secure, and credit card data traversing them was not required to be encrypted, but that has changed. PCI now considers data that is sent over the air “not secure,” and because of the change, credit card transactions now must be encrypted over a satellite network. “The PCI Council doesn’t specify a specific encryption algorithm,” Hutchinson says. “The language in the latest requirement states only that a ‘strong cryptographic algorithm’ must be used. Whenever you add data encryption to payload data it adds overhead, which, in turn, requires more space segment and drives the prices up for end users.”
Satellite networks are not the only wireless technology affected by the new requirements. Wireless LANs also have come under scrutiny. “Many retailers use wireless access points inside their stores to simplify wiring, and many allow customers to access the Internet through the wireless infrastructure,” says Tang. “Hackers may sometimes set up rogue wireless access points on the retailer’s store network and then sit in their cars in the parking lot and steal credit card information. To meet the PCI requirements on a quarterly basis, someone from the retailer would physically have to go on site with a wireless scanner to check for rogue wireless access points. The original wording was very ambiguous and the requirements were extremely burdensome. The retailer either had to send a technician to the store, or ship a wireless analyzer and then scan for rogue devices. Last October, the council changed the language, which allows some options. Hughes now provides PCI Wireless Scanning Services, which automates this process. An access point is installed at all locations that continuously monitors for wireless devices. Rogue devices are automatically identified and blocked. We can even send a technician to the remote location to remove the unauthorized device.”
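The automated rogue-device identification Tang describes, as an added example that is not from the article and not Hughes' own code: a store sensor's sweep of what is on the air is compared against the authorized AP inventory, an unknown radio advertising the cardholder-network SSID is treated as an evil twin, and a MAC-adjacency heuristic (an assumption of this example) separates an unknown AP plugged into the store LAN from a neighbour's AP. The inventory, sweep results and switch MAC table are all constructed.

```python
# Constructed data (not from any real store): the authorized AP inventory,
# one sensor sweep of what is on the air, and the store switch's MAC table.
AUTHORIZED_APS = {"00:11:22:33:44:10": "STORE-POS", "00:11:22:33:44:20": "STORE-GUEST"}
CDE_SSIDS = {"STORE-POS"}                      # networks that touch cardholder data
SWEEP = [  # (bssid, ssid) as reported by the monitoring access point
    ("00:11:22:33:44:10", "STORE-POS"),
    ("00:11:22:33:44:20", "STORE-GUEST"),
    ("AA:BB:CC:DD:EE:05", "STORE-POS"),        # CDE SSID from a radio the store doesn't own
    ("12:34:56:78:9A:BC", "NETGEAR-7"),        # unknown radio; is it on the store's wire?
    ("DE:AD:BE:EF:00:01", "CoffeeShopWiFi"),   # unknown radio, nowhere on the store's wire
]
WIRED_MACS = {"12:34:56:78:9A:BA", "00:11:22:33:44:0F", "00:11:22:33:44:1F"}

def _mac_int(mac):
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-... (any case) into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wire(bssid, wired_macs, adjacency=8):
    """Heuristic (an assumption of this example): consumer APs usually give their LAN
    port a MAC within a few values of the BSSID, so a wired MAC numerically adjacent to
    the BSSID suggests the radio is plugged into the store LAN."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= adjacency for m in wired_macs)

def classify(bssid, ssid, authorized, cde_ssids, wired_macs):
    """Verdict for one observed radio, most serious case first."""
    bssid = bssid.upper()
    if bssid in authorized:
        return "authorized" if authorized[bssid] == ssid else "ssid_mismatch"
    if ssid in cde_ssids:
        return "evil_twin"          # impersonating the cardholder network: block, dispatch
    if on_wire(bssid, wired_macs):
        return "rogue_on_lan"       # unknown radio bridged into the store network: block
    return "external"               # neighbour's AP: record it, no action

def sweep_report(sweep, authorized=AUTHORIZED_APS, cde_ssids=CDE_SSIDS, wired_macs=WIRED_MACS):
    """Map every non-authorized BSSID to its verdict; an empty dict means a clean sweep."""
    report = {}
    for bssid, ssid in sweep:
        verdict = classify(bssid, ssid, authorized, cde_ssids, wired_macs)
        if verdict != "authorized":
            report[bssid.upper()] = verdict
    return report
```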
The U.S. Federal Trade Commission estimates that 9 million Americans are affected by identity theft every year. While it is hard to place an exact figure on the financial losses of merchants and financial institutions, the number is overwhelming. As a direct result, the payment card industry is moving to ensure that companies provide the highest level of security for card holder data. “The importance of PCI compliance is growing. Changes in PCI requirements happen quickly and are often significant, making them a challenge to meet by the specified deadline,” Tang says.
While helping to ensure the security of card holder data, PCI requirements have effectively become a stiff barrier to entry for new satellite service providers. No longer can a satellite service provider buy an uplink, equip it with baseband hardware and offer data transmission services to retail clients. A provider’s entire operation must now be PCI compliant, or else the credit card processors will not do business with it. As the requirements for PCI compliance become even more stringent, look for existing VSAT providers to add even more value-added services to their core transport services, and for the number of competitors serving the retail segment to shrink.
Greg Berlocher has been active in the satellite industry for twenty-five years and is the President of Transcendent Global Networks LLC.