Making the Compliance Case

Remember the TJX customer-data debacle? 94 million credit cards were stolen by hackers. PCI—the payment card industry's security standard—could have minimized the damage. Comply now or repeat the retailer's record-setting breach.

Making the Compliance Case

TJX’s disinclination to undertake the costs to execute meaningful security improvements vividly illustrates the push-pull relationship credit card processors such as Visa, MasterCard and American Express have had with merchants since the uniform data security standards were first established in 2004.

According to Gartner research analyst Avivah Litan, compliance pushback is common at most organizations, which view security as a cost center—or a drain on revenue and profit because it offers no appreciable return on investment. “Unless you’ve been contacted by your bank and you’ve got a deadline and someone’s breathing down your neck, you’re not going to spend extra on security,” Litan says.

Ever since the payment card industry first released its set of security standards, credit card companies have been walking a fine line between maintaining client satisfaction and cardholder security.

“They are as dependent on the retailers as the retailers are dependent on them,” says PayPal’s Barrett, who serves on the PCI Security Standards Council’s advisory board. “The only thing they can do is essentially what they’ve been doing, which is [considering] how you cajole the industry into complying. How do you shame them? How do you persuade them financially, by either giving them credits where appropriate, or giving them debits where appropriate?”

Since 2005, some of that leverage has been attained through fines levied by the card companies onto bank processors, which then pass the cost down to those merchants in PCI violation. Visa is the only company that has publicized the extent of its enforcement efforts: The company reportedly dinged its merchant members for a total of $3.4 million in 2005 and $4.6 million in 2006.

Until recently, though, these fees were mostly a blunt weapon against the most egregious offenders. According to a Gartner analysis, the majority of past years’ fines were levied in the most extreme cases—either as a result of a breach or because the company was still storing sensitive data from cards’ magnetic strips that could give criminals the means to manufacture counterfeit cards. Instead, the payment card companies have tried to target much of their effort toward education and awareness campaigns.

In September 2006, the card companies rolled out the PCI Security Standards Council in conjunction with its first major refresh of the standard, PCI DSS1.1. In addition to the council’s outreach efforts, the major credit card brands have driven adoption in the past year by establishing compliance deadlines for the largest merchants, to create a heightened sense of urgency. Visa set a deadline of Sept. 30, 2007, for merchants with more than six million transactions per year, Level 1 merchants, warning that they would be fined $25,000 per month thereafter for noncompliance. Similarly, those merchants with one million to six million transactions annually, Level 2 merchants, were given a Dec. 31, 2007, deadline, with $5,000 fines hanging over their heads.

In October 2007, Visa reported that compliance rates among Level 1 merchants had jumped from 36 percent in December 2006 to 65 percent. Among Level 2 merchants, compliance had risen from 15 percent to 43 percent during the same time period. All told, these vendors make up two-thirds of Visa’s transaction volume.

While a high level of noncompliance remains, it is clear that the card companies are making headway.

“There is unanimous agreement among all affected players in the PCI space that there have been considerable improvements in PCI education, outreach, communication and standardization of requirements,” said Javelin strategy and research analysts in a November 2007 paper on PCI compliance. “Two years ago, merchants were focused on why they needed to comply. Now, the majority of merchants are more concerned about how they can become PCI-compliant and successfully expedite the process.”

The colossal TJXbreach boosted PCI compliance and gave the PCI Security Standards Council newfound credibility, according to Javelin and other industry observers. Enterprises often step up standards compliance and security efforts following a major breach at a peer company. Some observers are hopeful that the worst-case scenario has forced retailers to finally pay attention to what the payment card industry has been preaching for years—they are not only vulnerable, but accountable.

“The court filings and proceedings surrounding the TJXcase have illustrated the vital importance of protecting this data properly, and having a functional information security program in place,” Barrett says. “And I think that this stage—the level of fines, settlement costs, reserves, etc., that TJXhas now held aside for this—has absolutely and vitally illustrated how important it is that companies don’t take this stuff for granted, and that we do make sure that they are properly protecting this information.”

Nevertheless, ambiguity, high costs, and fear of inhibiting productivity, as was the case with TJX, gives some organizations cause to delay or ignore security standards. As a result, the chorus of consumer complaints is causing federal and state lawmakers to consider legislating standards similar to PCI.

Technically, Compliance Is Tough

PCI mandates security measures that any merchant should already have in place. Nevertheless, compliance is fleeting among larger retailers and other organizations because of the complexity of security technology and the difficulties of increasing security without impeding productivity and operations.

“From the folks I’ve talked to, I would say there are just pieces that aren’t in compliance for most large merchants,” says Diana Kelley, head of the security division of technology analyst firm Burton Group. “There will be a couple of things that were flagged on the audit, and those things may be very difficult for them to fix.”

In many cases, Kelley says, PCI compliance is an issue of dealing with legacy systems that are difficult to harden without breaking. According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete.

“These systems are usually business critical; retailers can’t withstand that kind of performance hit,” says Phil Neray, vice president of marketing at Guardium, a database security company.

The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with medium-level encryption until it can employ full database encryption.

“The benefit is that it doesn’t require any changes to your database or your applications,” Neray says.

Even if affected organizations do everything they can to comply with PCI, they still can’t control their vendors. This has become one of the major PCI compliance issues: vendors failing to provide PCI-compliant products and services, making it more difficult for organizations to receive certification.

The National Aquarium’s PCI compliance was delayed until January because of its ticketing vendor, Paciolan. Although Paciolan released updates last year that brought its venue ticket purchasing systems into compliance, the early version of those updates broke a number of the aquarium’s systems. As a result, the organization had to wait for fixes from its vendor to become compliant.

A service provider could pose similar problems. Considering that Hughes, as a managed services provider, is only one of nine U.S.companies certified under PCI to transmit credit card information, there are probably numerous gaps within many organizations’ outsourcing chains.

In addition to the standards themselves, some believe the auditing ecosystem developed by the PCI Security Standards Council needs improvement.

According to the council’s requirements, the annual on-site audit review “is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed or transmitted.”

The typical audit includes not only a review of security logs, IT procedures and the like, but also a penetration test of systems that handle cardholder data. The entire audit process can take anywhere from a couple of days to many months, depending on how many problems the auditor flags and how long it takes for the business to correct deficiencies.

The difficulty is that there aren’t many auditors certified by the council to conduct these assessments, and the guidelines are nebulous enough to be open to interpretation.

“The real challenge is to find a more standardized way of [determining] how the qualified security assessors work—how this whole ecosystem works,” says Rani Osnat, vice president of marketing at database security firm Sentrigo. “Because the problem right now is that you may have three different PCI-accredited auditors do a PCI audit for you, and you could get three different results.”