Following Standard is Not Standard Practice
ONLY ONE IN FIVE of the top 200 merchants is in compliance with the Payment Card Industry (PCI) data security standard more than a year after the standard went into effect to improve security among merchants and credit card processors.
Created by a group of major credit card companies (including Visa, MasterCard, and American Express), PCI sets out a list of requirements for any company that stores, transmits, or processes credit cards. The objective is to help ensure that data are not lost or compromised, thus keeping consumers safe from theft and companies secure from loss of money or reputation. Noncompliance can bring hefty fines. But progress toward compliance has been excruciatingly slow.
John Coghlan, president and CEO of Visa USA, said in a recent speech that he expects the number of compliant merchants to be much higher by the end of this year, but admitted that there were “roadblocks to compliance” that needed to be removed before more companies adhered to the PCI standard.
One reason for the low number of compliant organizations may be that the standard, which has 12 sections with about 230 criteria covering everything from background checks on employees who handle credit card data to firewall management, is easy to fail. “A lot of companies will do encryption, but they do a very poor job of key management,” which is revealed during an audit and results in failing the audit, says PCI auditor Nigel Tranter, a partner with consulting firm PSC.
“The other problem is there’s no graduation in the different criteria,” he adds, “so every criterion is equal in weight to every other one.” This means that companies can fail an audit even for a trivial matter. “You can fail PCI because you don’t encrypt credit card data and you can also fail PCI because you don’t do a good enough job doing security awareness training, which is not something I would really regard as equivalent, but in the standard it is,” he says.
Another problem is that the standard is complex, and “some merchants have told us that communications around PCI were unclear,” Coghlan noted.
Tranter agrees that PCI is sometimes hard to understand, both for companies and for auditors. He gives the example of the way the standard treats Web application issues such as cross-site scripting, where a poorly designed application can allow an attacker to compromise the software by entering invalid characters.
“The testing criteria don’t actually explain what you are supposed to do,” he says. PCI says that companies must protect against it, but gives no information on testing procedures or remediation.
Kevin Brown, vice president of network storage company Decru, gives kudos to the standard despite its shortcomings. “PCI has pretty specific goals in terms of security, and it’s quite a good standard; it’s a thorough best practices overview of some of the things that you need to look at to protect your end-to-end environment.”
Brown suggests that compliance is low in part because PCI is forcing companies to approach security in a brand-new way. “The way the security model has worked up till now has really been a perimeter security,” he says. “I’ve got a firewall, I’ve got a fence around my system, all the bad guys are on the outside and all the good guys are on the inside.”
That model won’t protect records from determined thieves. The new paradigm recognizes that attackers are not always outside, and they are also not just hackers impressing each other but “bad guys with a business plan that are executing pretty large fraud schemes.”
The major credit card brands are working on revising the standard, but any updates of PCI would likely be clarifications and enhancements of the existing rules to make it easier to comply with the standards rather than the creation of additional new rules, according to one insider. No date had yet been set for the release of the revised standard.