For many companies, Payment Card Industry Data Security Standard (PCI DSS) compliance has proven to be a long and expensive process with little apparent business benefit.
Merchants often complain that the standard is constantly changing, that Qualified Security Advisors (QSAs) give conflicting advice, and that they see little return on investment (ROI) for money spent on consultants.
Furthermore, many non-compliant merchants argue that compliance deadlines have come and gone without the credit card companies taking serious action against them -- making them wonder just how important it is to become PCI DSS compliant.
As head of payment security at Barclaycard plc, one of the U.K.'s biggest card acquirers, Neira Jones has heard all these objections, and is quick to dispel what she sees as false impressions.
"Fines are definitely being imposed on companies [that have card breaches] -- I know because I pass them on," she said. "These fines can be very substantial and once a merchant is on the fine schedule, they get repeated fines until they remedy the situation. It is not just a one-off fine."
But rather than fine companies, she would rather help them achieve the main aim of PCI DSS requirements, which is to reduce credit card fraud. To that end, she has just produced a useful guide to PCI DSS (free from Barclaycard), and has plenty of advice on how to make the PCI DSS compliance process a little easier.
The best approach, she said, is to... ...look for ways of reducing the scope of the PCI DSS programme. By limiting where card information can go within an organisation, it is possible to reduce the threat of a breach, and also to cut down the job of PCI compliance.
For that reason, PCI DSS compliance is not simply an IT task, but should involve the whole organisation. For instance, processes may have to change to limit exposure by reducing the number of departments with access to credit card information.
In the past, credit card data has been freely circulated in organisations, for instance in marketing departments or in customer relationship management, which increased the danger of it being lost or disclosed to the wrong people. "Our advice always is to reduce the card holder data environment as much as possible," Jones said. "If a department doesn't need the data, then don't let them have it. We have seen small organisations indexing their paper reports by the card number, or staff putting the merchant receipts on a spike on their desk."
Changing those processes can provide quick results, she said. It reduces the scope of PCI DSS compliance, and drastically reduces the chances of card information going astray.
The advice has already started to make an impact on the merchants. Jones said that huge progress has been made with merchants at Levels 1, 2 and 3, and a reduction in the storage of card data has helped to lessen the number of data breaches. Her statistics show that the storage of sensitive authentication data has dropped dramatically in just the last year. Now only 5% of Level-1 merchants store card data on their systems, compared with 11% a year ago. The drop has been even sharper for Level-2 (from 16% to 2%) and Levels-3 merchants (from 13% to 1%).
This drop in card data storage was driven, she said, by pressure from Visa, which resulted in more merchants outsourcing to specialist payment service providers which are properly compliant with PCI DSS requirements.
Another helpful tool has been the "risk prioritised approach," a set of best practices issued by the PCI Security Standards Council on where to address the most serious PCI DSS compliance risks. As Jones said, the top priority is to handle sensitive authentication data. (The guide is downloadable at https://www.pcisecuritystandards.org/education/prioritized.shtml .)
But the fact remains that for big organisations, -- the Level-1 and some Level-2 merchants -- PCI DSS compliance remains a difficult task because of the complexity of their systems. "The compliance journey is a long one for those companies, and it can take many years. Theirs is a question of risk reduction," Jones said.
It explains why only 20% of Level-1 merchants have achieved compliance, and only one large bricks-and-mortar merchant has so far managed to achieve compliance with PCI DSS.
Branko Lolich, a QSA and senior consultant at Information Risk Management plc who works closely with large retailers, said they still have a lot of work to do. For instance, he says some Level-1 merchants still use credit card numbers as customer references across the whole network, which brings the entire network into the scope of any PCI DSS assessment, and makes compliance virtually impossible.
To reduce the scope, he said, some big Level-1 merchants are now moving their online payment pages to be hosted by compliant payment service providers (PSPs), rather than try to manage the card details themselves.
Marketing departments that need access to card information can use a truncated version of the card number instead – enough to do their marketing analysis, but not enough to be of use to a card thief.
"In this case, they just give the marketing people the first 6 and last 4 digits -- that is more than enough for what they need to do," Lolich said. "Truncated numbers are deemed by the PCI Council to be out of scope and hence are not deemed to be card data as the data is meaningless to fraudsters."
PCI DSS compliance in physical stores
In physical stores, where customers hand over their cards to pay, Lolich said the PCI Council is working on new standards to allow the PIN and card details to be encrypted right at the PIN entry device (PED), where customers insert their cards and key in their PIN numbers. This could make PCI DSS compliance much easier.
If the card data can be captured, processed and encrypted at that point, Lolich said, even before it gets to the till, then the whole of the store network can be taken out of scope for PCI DSS purposes, and that could halve the cost of compliance in some cases.
But it depends on the development of a new version of the Payment Terminal Standard (PTS), which will govern how the encryption will actually take place at the point of sale. That has yet to be completed, and no equipment can be made until the standard is defined.
The new PTS standard version 3.0 is due in April 2010 and is focused on software and hardware security requirements for securing the PIN. "We understand from acquirers that at some stage there will probably be an addendum to PTS 3.0 focused on encryption of the PAN [personal account number] and management of the PAN encryption keys," Lolich said. "It will be some time before PTS version 3.0 PEDs are commercially available. Normally it takes about 12 months before new version PEDs are available due to the lengthy lab testing process."
More immediately, Lolich said equipment that complies with the current version 2.1 of the PTS standard will soon become available and will improve security, but it will be some time before full encryption at the PED can take place.
Despite these setbacks, both Lolich and Jones agree that PCI DSS programmes are beneficial because they help to focus on risk reduction, and therefore reducing fraud.
The key, they say, is to reduce the scope of PCI DSS by a combination of internal process reorganisation, encryption at the payment keypad, and compliant payment service providers.
Jones said that competition among service providers is now driving down costs and making them more affordable. Whereas they used to charge per transaction, many are now offering bulk deals or fixed-price contracts. "That makes it more economical," she said, "so it not only takes away the risk, but also the cost."
Her hope is that in five years' time PCI DSS programmes will be a thing of the past, and that secure practices will be part of the everyday working practices of companies.
"The trick is to make it part of business-as-usual as quickly as possible," Jones said. By making it part of the organisational culture, it means that any change needs to take account of PCI DSS requirements. "If any new application comes about, there needs to be a formal process that asks whether it will increase the cardholder data environment or not. And if it will, there needs to be a process to handle that."