An upcoming update of a credit card standard offers an opportunity to assess overall security, says Symcor's Della Shea. James Hale reports.For any organization that wants to do business without using cash, the Payment Card Industry Data Security Standard (PCI DSS) is akin to table stakes: It's both a contractual agreement with card issuers and a guarantee of security to customers. Complying with its 12 principles is not an option for those who store, transmit and/or process cardholder data, and remaining compliant means keeping pace with the standard as it evolves to reflect emerging security concerns. Introduced by the world's five leading card companies in December 2004, and managed by the PCI Security Standards Council (PCI SSC), the standard is updated every three years after extensive consultation with a wide range of players.
On the eve of a new version of the PCI DSS – set to be released on Nov. 7, and take effect Jan. 1 – many eyes are on the card industry to see what changes the new standard will bring. In advance of the release, those in the know are guarding the specifics, but in general terms it is anticipated to address issues of what falls within the scope of the standard, as well as network segmentation (i.e., where cardholder data resides within network devices), and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.
In some quarters, interest in the new release reflects concerns that the revised standard will add to the burden of compliance. After all, even the PCI SSC admits that understanding and implementing the dozen requirements, with their hundreds of sub-categories, can be daunting, especially for merchants without a large IT department or the resources to outsource compliance guarantees to a qualified security assessor (QSA) that the council has approved. Meanwhile, some skeptics question the continued relevance of the standard in the face of new technologies, such as tokenization, point-to-point encryption and chip cards. Still others are far more optimistic, like Della Shea, chief privacy officer for Symcor, a Toronto-based financial processing company owned by Canada's largest three banks – sees the new release as an opportunity to refocus on overall security.
Shea is one of a number of observers who believes that companies have placed too much emphasis on merely meeting the minimum requirements set out in the 12 steps.
“We need to get back to the original spirit of the PCI DSS,” she says. “Too often, companies take a ‘checkbox' approach and just try to be compliant for its own sake. They're missing the larger picture.”
Bob Russo (left), general manager of the PCI SSC, likens compliance to putting deadbolts on your house: You can install the locks to qualify for home insurance, he says, but how secure is your home if you don't use them? “PCI standards are just a springboard to overall security for organizations entrusted with cardholder data,” he says.
Craig Spiezle, executive director and president of the Online Trust Alliance, a Bellevue, Wash.-based nonprofit whose goal is to promote innovation in online transactions, agrees. “Compliance is just a slice in time, a minimum threshold,” he says.
Shea, whose company provides services to more than 100 clients in the retail, banking and telecommunications sectors, says that if meeting PCI compliance can be compared to climbing Mount Everest, maintaining compliance is like living on the mountain. One mistake that many companies make, she says, is viewing compliance as merely a technical issue. That approach can be expensive and limiting.
“You need to take a business approach to compliance,” she says. “That means you need to have a business model, you have to fully understand it and you must be able to replicate whatever success you achieve.”
An enterprise-wide approach is critical, she adds. “You can't maintain PCI compliance unless all your stakeholders are completely onboard. It's very easy to separate issues into silos rather than sharing information and creating a common compliance culture.”
And, creating that culture throughout an organization demands strong and effective operational and governance models, she says, espousing some sound business basics that are often preached within corporations. Her ideal approach to compliance management begins with having key milestones and a dedicated budget. Next, it requires that someone maintains overall responsibility and follows through with a program of education, communication and proven change management principles.
Given the high stakes involved in handling consumer card data, failure is not an option, she says. “The goal of achieving and maintaining security in this environment forces you to be pragmatic.”
One of the significant benefits of Shea's approach in creating a culture of PCI compliance is that it incorporates enough rigor to allow organizations to succeed – even if they choose to assess their own PCI DSS compliance (an option offered by the PCI SSC), rather than using a QSA. This is particularly attractive to smaller merchants who are reluctant to commit funds to external assessors, which include more than 300 organizations that range from specialty suppliers to global giants like AT&T, Fujitsu and Verizon.
One of those giants' leading compliance specialists recognizes the challenges facing smaller merchants. “Just trying to understand the full extent of your risk profile can be a major challenge for a small business without a dedicated security team,” says Chris Mark (left), PCI practice director for AT&T Security Solutions. That does not make them any less attractive targets for data predators, he says, or any more likely to survive an attack, citing a recent PwC survey that shows that some 70 percent of small businesses that sustain data breaches do not recover.
Mark recently published a white paper explaining his concept for a “PCI compliance spectrum” that is intended to make it easier for organizations to understand how compliance applies to them. “The PCI DSS is not binary, and companies should not approach the controls as all or nothing,” he says. “Having a firm understanding of the nuances of the PCI DSS, and the applicability of the standard, can help companies save time and money on their compliance projects while reducing their risk.”
Other experts agree. “It's all about risk mitigation,” says Paul Grégoire, a QSA specialist with Symcor. “If you can define your risk of data breaches, then you can do the proper kind of assessment and mitigate it.”
Some organizations that handle payment card transactions have identified a different sort of risk related to PCI DSS compliance, and their defiant stance has cast a shadow on the dawn of a revised standard. The most prominent example is a landmark federal lawsuit filed in March against Visa by the Nashville, Tenn.-based retailer Genesco, which operates 2,500 stores that include Johnston & Murphy, Lids Locker Room and Journeys. The suit contends that Visa had no legal standing to fine Genesco $13.3 million for a 2010 data breach. Visa counters that Genesco was not compliant with PCI DSS, which gave the card brand the right to remove money from the retailer's merchant account (MasterCard, which is not named in the suit, fined Genesco $2.2 million for the same alleged violation).
The Genesco case, which is scheduled for trial in 2014, is reminiscent of an earlier suit filed by Cisero's Ristorante and Nightclub in Park City, Utah. In that case, the celebrity-friendly eatery claimed that U.S. Bank should not have been able to hand over $90,000 in PCI compliance-related fines to Visa and MasterCard.
While the Genesco and Cisero's cases generated widespread media coverage, there has been lower profile grumbling about PCI rules from within the retail and hospitality sectors. The National Retail Federation (NRF) is on record as stating that PCI compliance “was created to cover up flaws in the card brand's payment system.” While calling the fines levied against retailers “arbitrary,” the NRF maintains an online education resource center to help its members understand the issues surrounding compliance.
Russo of the PCI SSC also stresses the need for education. He says his organization works with various partners to create awareness about PCI DSS. “We generate a lot of guidance documents, but we can't make people read them,” he says. “That said, we've seen a marked difference in awareness. At this point, we are satisfied that anyone who accepts cards is at least familiar with PCI as an acronym.”
He dismisses the notion that PCI DSS will be rendered less relevant by emerging technologies that are already prevalent in the card industry in Canada and Europe – such as chip-and-PIN. “It will remain relevant because we are still seeing very basic types of data breaches. Holes still exist in the traditional system, and hackers are still going after low-hanging fruit.”
He points to the retail franchise model as an example, noting that out of 40,000 outlets in a food chain, for example, it is likely that some local operators leave themselves – and other parts of the organization – vulnerable. “If I'm a hacker, I can be assured that someone in that chain has not bothered to change the default password that headquarters issued. When holes like that remain, why would I bother to go after mobile payment data?”
Other observers argue that PCI DSS remains hugely relevant. “PCI creates trust,” says Geoff Noakes, director of business development for Symantec and a board member of the Online Trust Alliance. “It confirms requirements on everyone in the payment card ecosystem. Consumers can't possibly know if a specific merchant is safe, but PCI answers that doubt.”
In addition, Noakes says, new technologies, like Square's smartphone card processor, have become PCI compliant as they have come onto the market.
“As long as organizations handle cardholder data, PCI DSS compliance will remain relevant,” says AT&T's Mark, who believes that new technologies will help eliminate the burden related to processing data, but never eliminate existing compliance requirements.
And for those organizations that find PCI DSS too confounding and compliance certification too taxing?
“Maybe they shouldn't be doing card business,” says Symcor's Shea. “If your business includes doing non-cash transactions, then you must incorporate PCI DSS into your business model.”