
Cover story: PCI persists

September 8, 2006

"Installing the tools was the easy part, the hard part was truly understanding what the requirement was for us," Hampton says. "I was thinking we should be able to lean on our processor to provide us with the information to help us comply. Unfortunately, I think they were as clueless as we were."

So Sara Lee had to go directly to the card companies to get clarification before it could even begin strategizing about how to comply.

Unfortunately for PCI, Hampton's experience is not unique. Luckily, though, credit card companies have taken note. Within the past several months, companies such as Visa have been intensifying efforts to educate customers about PCI DSS. Additionally, the companies are soon expected to make a move that should help clarify and better enforce DSS in the hope of speeding up compliance.

The industry is rumored to be weeks away from announcing the first major round of updates to DSS since the deadlines hit in July 2005. Also imminent is the establishment of an independent enforcement organization that represents all card companies.

Meanwhile, it has been a year since the deadline for PCI DSS, but the majority of PCI merchants are still not in compliance. According to Visa U.S.A. figures, only about 24 to 25 percent of Level 1 merchants — those with the most transactions and most risk — are compliant.

While some of this has to do with what some believe to be lack of clarity in the rules, experts believe that there are a number of factors at play. According to executives at VeriSign, one of the companies certified by the card companies to assess merchant compliance, the market is still adjusting to the rules even now.

"We see some companies that are still struggling with just the basic elements of compliance where plans are still not even formalized," says Branden Williams, national PCI practice lead for VeriSign. "People are realizing as they get into this [that] there is a lot of strategic type work that has to be done, and it involves things that are just outside of the information security world."

Part of the problem is also that some merchants who have seen it as a pass-fail test would rather take the risk of being caught out of compliance than work at a task that they believe they can't accomplish.

"A lot of people perceived it as a pass-fail test," says Marv Goldschmitt, vice president of business development for Tizor Systems, which provides data auditing and protection solutions for regulatory compliance, data security and business assurance. "And being a pass-fail test in a complex environment is a very difficult thing to accomplish. If you put a high enough barrier for people, and you say, 'You've got to meet this,' and people know they aren't going to meet it, in some cases, they won't try."

But there are strong indications that this attitude is changing. According to Amer Deeba, vice president, strategic alliance for Qualys, customers are beginning to realize that PCI is a process and not a one-time activity.

"Vulnerabilities are discovered on a daily basis, and a continuous assessment and remediation process on a given network becomes a requirement to maintain a strong security posture," he says. "PCI provides a best practices framework to secure an infrastructure and protect customers' sensitive data. Typically such a process has to be audited on a regular basis in order to make sure that these best practices are met."

Some of that attitude shift might be a result of better education from the card companies, who are trying to bolster knowledge about the standards with free educational offerings.

"One of the things we've been doing over the last quarter is we're putting far more emphasis on merchant training," says Martin Elliott, vice president for emerging risk, Visa U.S.A. "We've been meeting with major acquirers and their merchants to host merchant and acquirer training sessions, specifically on the PCI data security standard. We've had fairly large turnouts at all the sessions. They're well received and they go a long way in helping improve understanding on what the PCI DSS requirements are."

PCI insiders believe that the current low rate of compliance is partially attributable to the fact that many merchants are still in the middle of fixing problems that have already been identified during initial PCI compliance assessments.

According to Visa statistics, a little more than half of its largest merchants by volume of transactions already have a report of compliance in process.

"So they've completed their on-site review and they are in the process of remediating any findings," Elliott says. "The projections from the member banks that work with these merchants are telling us that the vast majority of them will have their remediation completed by the end of the year. If all holds true, you could have a good two-thirds of the market compliant by the end of the year."

In the meantime, Visa and the other card companies will likely also speed the process with an impending update to the regulations. While there have been no formal announcements regarding changes to DSS, word is out that PCI will be announcing the first major changes to the rules since the deadline in 2005.

"From what I can gather, the majority of the changes are not additions, but rather clarifications of some of the key areas of the standards," says Jennifer Mack, director of compliance management for Cybertrust. "So, what are some good mitigating controls for encryption, around firewalls, database access, audit logging — some of those key areas that the majority of merchants are struggling to understand what is good enough to meet the standard, and still stay secure without spending a ton of money."

Also under speculation is the establishment of what will likely be called PCI Corporation, or PCI Co. While Elliott couldn't give many details, he confirmed that Visa is in active discussions with other card companies and banks to create a standards body that will be responsible for maintaining and managing PCI DSS.

Goldschmitt and Mack are among many in the industry who believe that this new body will provide the kind of teeth that PCI DSS has been lacking, especially among lower-level merchants.

"One of the things that has really hampered compliance is there is a great degree of postponement going on — people saying 'I don't have to do anything yet because nobody is really beating down my door,'" says David Taylor, vice president of data security strategies for Protegrity Corporation, which provides enterprise-wide data security management solutions. "MasterCard and Visa didn't have any substantial staff to do this. I've heard internal reports from both organizations that they really couldn't go after anyone below level one. So PCI Co. is the group that's supposed to beat down the doors."

When the PCI security standards were first unveiled, there was a lot of backlash from merchants who felt the rules were adding unnecessary complexity and expense to their operations. But a number of factors over the past several years have prompted sentiments about PCI standards to turn a corner.

"What you're seeing is a greater realization on the behalf of all the stakeholders that this is not just simply a Visa initiative or our competitors' initiative," says Elliott. "Data security really translates to brand protection. They want to protect their customers' information because they don't want to find themselves on the cover of a national publication."

Many of those who have already put the best practices in place to become PCI compliant are true believers in the standard. They believe stronger enforcement will go a long way toward improving security best practices across the board.

"The ones who are serious about it are very serious about it," Goldschmitt says. "The intelligent companies are looking at it as part of a total overall picture, not just an isolated event."

Hampton at Sara Lee agrees. He believes the PCI rules are just what some reluctant businesses needed to shore up data security. "Frankly, having been on the external consulting side prior to the standards, it was very difficult to get the business owners to invest in anything that wasn't driving revenue," he says. "I talk to a lot of industry people, and I hear a lot from other professionals who say 'This is a great thing for us. Finally I'm getting the backing to do what we've said needed to be done for a very long time.'"

 

VALIDATION:
Visa changes merchant levels

Though news of substantial changes to PCI DSS is still forthcoming, there are already rumblings preceding the rule's evolution. Visa announced a change in its merchant validation levels that will effectively bolster the DSS compliance requirements for about 1,000 of its merchants.

The expanded qualifications will most notably bump up more companies to the second-highest tier by classifying them as those who processed 1 million to 6 million annual transactions, regardless of the channel. Visa had previously categorized Level 2 as processing 150,000 to 6 million ecommerce transactions each year.

David Taylor, vice president of data security strategies for Protegrity Corporation, says he believes that this shift is a precursor to expected announcements about both new rule amendments and PCI Co.

"If you put together this with the pending announcement for PCI Co., the corporation that is going to manage PCI compliance, what they're doing is saying, 'If we get PCI Co. announced, what we are going to do is broaden the scope of who PCI Co. is responsible for monitoring,'" he says.

— Ericka Chickowski

 

SETTING STANDARDS:
PCI Data Security

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other parameters.

Protect cardholder data

3. Protect stored data.

4. Encrypt transmission of data and sensitive information across public networks.

Maintain a vulnerability program

5. Use and update anti-virus software.

6. Develop and maintain secure systems.

Implement strong access control

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems.

Maintain an infosec policy

12. Maintain an information security policy.

Source: Visa U.S.A.
