3. Define requirements versus best practices.
"My recommendation is to make sure you are not over-engineering to start with," says AMR's Hagerty. Others concur. "You need to look at what the regulators and auditors are asking for, and then create the process to answer that," says Donnelly at the Philadelphia Stock Exchange. The PSE gets some 1,200 change requests per year to its systems. "We used to go through the hard-copy paper trail for changes to our systems, but now we key in the change number and we can e-mail it to the SEC before they come down here for an audit." Today the PSE tracks all its application changes electronically using a system from Serena Software.
Any changes are monitored in the system via a CIO dashboard, which replaced a large whiteboard matrix. Donnelly says tracking changes to systems electronically is more reliable. "If you automate and get rid of the human element, you get rid of an array of potential violations." In the case of the PSE, even a change as simple as a new electrical switch being installed on the trading floor can pose a potential risk. "There is always a chance that a change like this could take out a whole floor," Donnelly says.
In the retail industry, the scramble is on for all companies that process 6 million or more Visa card transactions or 1 million American Express card transactions a year to comply with the industry's new data security rules. All large merchants and retailers that accept credit cards, such as Home Depot, Safeway, OfficeMax, Chevron and Target, have no choice, assuming they want to continue doing business with the card companies and their issuing banks and financial institutions.
In fact, many major retailers are still struggling to get their systems in shape to meet the Sept. 30 deadline for voluntary compliance with the Payment Card Industry (PCI) data security standards. "There are a lot of organizations working diligently toward compliance," says Scott Laliberte, director of Protiviti's global information security practice.
This is a case where what's required, at least by law, falls short of the standards the industry itself has set. The retail industry, led by the major credit card companies, has implemented 230 data security controls that retailers and service providers storing data for banks or merchants must put in place if they want to continue doing business with the card issuers.
"The credit card associations are trying to regulate this themselves along with their member banks," says Laliberte. The aim of the controls is to protect cardholder data from security breaches and fraudulent uses. The result: "The likelihood of a data breach involving cardholder information drops," Laliberte says, "but there is no 100 percent security against having a problem."
The merchants must follow each PCI data audit standard, comply with that control, and have a qualified data security firm certify that they have complied. "Some companies are still in a mad scramble to meet the Sept. 30 deadline," Laliberte says. In addition to having an audit of their controls done by an independent agency, each merchant must submit to a quarterly network scan by a qualified vendor to check for network vulnerabilities.
One of the biggest IT hurdles merchants will have to clear to be PCI standard-compliant is the encryption requirement. "With high-volume processing systems, data encryption slows things down," Laliberte explains. "High volumes are not conducive to encryption." One retailer that had older systems had to replace them with new network equipment in 2,000 stores. Why? "The older equipment can't support these new data standards," says Laliberte.