Making the Compliance CaseBy Ericka Chickowski | Posted 2008-01-30 Email Print
Remember the TJX customer-data debacle? 94 million credit cards were stolen by hackers. PCI—the payment card industry's security standard—could have minimized the damage. Comply now or repeat the retailer's record-setting breach.
Making the Compliance Case
TJX’s disinclination to undertake the costs to execute meaningful security improvements vividly illustrates the push-pull relationship credit card processors such as Visa, MasterCard and American Express have had with merchants since the uniform data security standards were first established in 2004.
According to Gartner research analyst Avivah Litan, compliance pushback is common at most organizations, which view security as a cost center—or a drain on revenue and profit because it offers no appreciable return on investment. “Unless you’ve been contacted by your bank and you’ve got a deadline and someone’s breathing down your neck, you’re not going to spend extra on security,” Litan says.
Ever since the payment card industry first released its set of security standards, credit card companies have been walking a fine line between maintaining client satisfaction and cardholder security.
“They are as dependent on the retailers as the retailers are dependent on them,” says PayPal’s Barrett, who serves on the PCI Security Standards Council’s advisory board. “The only thing they can do is essentially what they’ve been doing, which is [considering] how you cajole the industry into complying. How do you shame them? How do you persuade them financially, by either giving them credits where appropriate, or giving them debits where appropriate?”
Since 2005, some of that leverage has been attained through fines levied by the card companies onto bank processors, which then pass the cost down to those merchants in PCI violation. Visa is the only company that has publicized the extent of its enforcement efforts: The company reportedly dinged its merchant members for a total of $3.4 million in 2005 and $4.6 million in 2006.
Until recently, though, these fees were mostly a blunt weapon against the most egregious offenders. According to a Gartner analysis, the majority of past years’ fines were levied in the most extreme cases—either as a result of a breach or because the company was still storing sensitive data from cards’ magnetic strips that could give criminals the means to manufacture counterfeit cards. Instead, the payment card companies have tried to target much of their effort toward education and awareness campaigns.
In September 2006, the card companies rolled out the PCI Security Standards Council in conjunction with its first major refresh of the standard, PCI
In October 2007, Visa reported that compliance rates among Level 1 merchants had jumped from 36 percent in December 2006 to 65 percent. Among Level 2 merchants, compliance had risen from 15 percent to 43 percent during the same time period. All told, these vendors make up two-thirds of Visa’s transaction volume.
While a high level of noncompliance remains, it is clear that the card companies are making headway.
“There is unanimous agreement among all affected players in the PCI space that there have been considerable improvements in PCI education, outreach, communication and standardization of requirements,” said Javelin strategy and research analysts in a November 2007 paper on PCI compliance. “Two years ago, merchants were focused on why they needed to comply. Now, the majority of merchants are more concerned about how they can become PCI-compliant and successfully expedite the process.”
“The court filings and proceedings surrounding the
Nevertheless, ambiguity, high costs, and fear of inhibiting productivity, as was the case with
Technically, Compliance Is Tough
PCI mandates security measures that any merchant should already have in place. Nevertheless, compliance is fleeting among larger retailers and other organizations because of the complexity of security technology and the difficulties of increasing security without impeding productivity and operations.
“From the folks I’ve talked to, I would say there are just pieces that aren’t in compliance for most large merchants,” says Diana Kelley, head of the security division of technology analyst firm Burton Group. “There will be a couple of things that were flagged on the audit, and those things may be very difficult for them to fix.”
In many cases, Kelley says, PCI compliance is an issue of dealing with legacy systems that are difficult to harden without breaking. According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete.
“These systems are usually business critical; retailers can’t withstand that kind of performance hit,” says Phil Neray, vice president of marketing at Guardium, a database security company.
The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with medium-level encryption until it can employ full database encryption.
“The benefit is that it doesn’t require any changes to your database or your applications,” Neray says.
Even if affected organizations do everything they can to comply with PCI, they still can’t control their vendors. This has become one of the major PCI compliance issues: vendors failing to provide PCI-compliant products and services, making it more difficult for organizations to receive certification.
The National Aquarium’s PCI compliance was delayed until January because of its ticketing vendor, Paciolan. Although Paciolan released updates last year that brought its venue ticket purchasing systems into compliance, the early version of those updates broke a number of the aquarium’s systems. As a result, the organization had to wait for fixes from its vendor to become compliant.
A service provider could pose similar problems. Considering that Hughes, as a managed services provider, is only one of nine
In addition to the standards themselves, some believe the auditing ecosystem developed by the PCI Security Standards Council needs improvement.
According to the council’s requirements, the annual on-site audit review “is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed or transmitted.”
The typical audit includes not only a review of security logs, IT procedures and the like, but also a penetration test of systems that handle cardholder data. The entire audit process can take anywhere from a couple of days to many months, depending on how many problems the auditor flags and how long it takes for the business to correct deficiencies.
The difficulty is that there aren’t many auditors certified by the council to conduct these assessments, and the guidelines are nebulous enough to be open to interpretation.
“The real challenge is to find a more standardized way of [determining] how the qualified security assessors work—how this whole ecosystem works,” says Rani Osnat, vice president of marketing at database security firm Sentrigo. “Because the problem right now is that you may have three different PCI-accredited auditors do a PCI audit for you, and you could get three different results.”