Visa executives are pushing merchants to comply with the Payment
Card Industry Data Security Standard (PCI DSS) and to raise the
program's lagging compliance rates.
Speaking to about 50 attendees at a day-long Advanced PCI DSS
Conference in New York, Jennifer Fischer, director of enterprise
risk and compliance at Visa, said executives at the credit card
giant are starting an education campaign to get merchants to comply
with the standards by the end of the year. So far, more than 60% of
merchants fail to meet the current standards, according to data
presented at the conference.
Any merchant who accepts credit cards must meet PCI DSS, a set of
12 requirements intended to protect cardholder data from attackers.
Industry experts say PCI DSS was a set of standards agreed upon by
Visa, MasterCard, Discover, American Express and JCB in an attempt
to police the payment card industry before legislators enact
regulations to address data security issues. Penalties for
noncompliance range from fines of up to $500,000 to increased
auditing requirements or even losing the ability to process credit
card transactions.
Merchants must prove that they protect consumer credit card
information and must be assessed by a PCI DSS-certified security
auditor. But merchants and security auditors criticize PCI DSS for
changing the standard frequently and for its ambiguity when applied
to unusual technology environments. For example, a security lapse
flagged by one auditor may not be considered an issue by another.
Related articles:

Meet the PCI DSS, avoid being the next TJX: Seana Pitt,
chairperson of the PCI Security Standards Council and vice
president of merchant policy and data quality at American Express,
says companies should look at PCI DSS as a way to avoid future
TJX-sized breaches instead of as a list of rules to heed to keep
the compliance police at bay.

PCI DSS auditors see lessons in TJX data breach: Following the
recent TJX data breach, several PCI Data Security Standard auditors
say the retailer violated basic requirements of the PCI DSS. But
they say there are lessons to be learned from TJX's mistakes.

Hashing for fun and profit: Demystifying encryption for PCI DSS:
These days there's no excuse for failing to encrypt sensitive data
like credit card information, but the numerous types of
cryptography available today can make cryptography implementation
a mystifying process.
Despite the criticism, most firms accepting credit cards are
familiar with the rules and are starting to go through a security
audit, said John W. Adams, a PCI DSS auditor with the Ellicott
City, Md.-based security consulting firm CTG.
"Clearly there needs to be more consistency between the way
assessors interpret the requirements," Adams said.
Visa launched an executive calling program, making direct phone
calls to the CEOs of major retailers who currently don't comply
with the rules. A letter mailing campaign is also in the works as
well as a series of training programs conducted by card-issuing
banks, Fischer said.
"We recognize that this is not an insignificant task for anyone
who needs to comply," Fischer said. "We're going to be more
consistent and give a better sense of what we're aiming to
accomplish."
Data security breaches are not an outcome of some obscure
vulnerability, she said. Merchants who experience a breach are
found by fraud investigators to be storing prohibited credit card
data. Many firms have a poor patch management program and use
software default settings and passwords. Other merchants are using
poorly coded Web-facing payment applications, or have legacy
payment equipment without proper encryption technology.
"In many cases, encryption is the only method to secure stored
consumer data," Fischer said.
Most of the standards are best practices that companies should
ultimately have, said Khalid Kark, a senior analyst with Cambridge,
Mass.-based Forrester Research Inc. The standards are a good
starting point but may be too narrow, since every company has its
own unique technology environment, Kark said.
"A lot of retailers are behind the curve and it's good that
they're being forced to make sure data is secure by putting in the
right controls," Kark said. "But we have to recognize that there
may be environments where some of the prescribed standards may not
work."