PCI DSS requirements and compliance straining UK retail, finance firms

One theme was apparent at the most recent meeting of the PCI DSS User Group: the difficulty of being compliant with every piece of the standard.

If you are struggling to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements, you are not alone.

The latest meeting of the PCI DSS User Group, held in London on September 3, gathered representatives from a variety of high-street retailers and financial-services companies, but one theme appeared to unite them all: the difficulty of becoming PCI DSS compliant with every detail of the standard.

PCI DSS is a very prescriptive standard, designed to protect card data while it is collected and processed by banks and merchants. Compliance deadlines, originally set four years ago, have continued to slip, and many of those attending the user group said they were unlikely to achieve compliance within the next two years.

"We are secure, and we take security very seriously, but we are not going to be bulldozed into going through a compliance process that will cost us an arm and a leg before we are ready," said one attendee, who preferred not to be named.

Nigel Dickens, CISO at insurance company Cardif Pinnacle Insurance Management Services plc, gave one example of where the standard could be difficult to implement. "Part of the standard requires you to restrict the number of people who have access to encryption keys, and you have to be able to prove you manage keys safely," he said. "It can be done, but it's quite resource-intensive. In many cases, keys may be completely incompatible -- you may have digital certificates in one area, PGP keys in another, and passphrases being used as an encryption key somewhere else. They are all incompatible. You can start pulling things together, but it may depend on you being able to put in something new and start afresh."

Another tricky problem among the PCI DSS requirements, he said, is the handling of call recordings where customers give the full details of their credit card over the phone. "You are forbidden to store the CV2 number, but how the hell do you get that out of the call recording? Call recording systems are very expensive and last a long time."

Other attendees complained that their systems suppliers and other specialist providers, such as e-commerce website designers, were struggling to provide compliant products. For instance, a high-street retailer explained that his point-of-sale terminals -- supplied and maintained by a subsidiary of BT Group plc, and in common use among many leading retailers -- are non-compliant because they write credit card details into local log files. The log files are essential for maintenance and bug-fixing, but they could in principle be retrieved by a thief. The supplier is still trying to come up with a solution, he said.
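The log-file problem described above is the most common way card data ends up somewhere it should never be: a maintenance log that records the full primary account number (PAN). A general mitigation is to scrub card numbers before a log line is written. The following is an added example and is not code from the terminal supplier or from any product mentioned on this page. It assumes a Python logging pipeline, uses a Luhn check so that ordinary 16-digit reference numbers are not masked by mistake, and keeps only the first six and last four digits, which is the maximum PCI DSS allows to be displayed. The sample log line is constructed, not real data.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded by non-digit characters so longer numeric runs are not chopped up.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers.

    This cuts false positives: order references or timestamps that happen to be
    13-19 digits long will usually fail it, while real PANs always pass.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six (issuer BIN) and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Separators inside the PAN are dropped in the output, so the masked value is
    a single token that is easy to search for later.
    """
    def _sub(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # leave non-card numbers untouched
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_sub, text)


class PanScrubFilter(logging.Filter):
    """Logging filter that scrubs PANs from every record before a handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()        # message is already fully formatted
        return True


# Constructed sample line in the style of a POS maintenance log (not real data);
# the ref= value is 16 digits but fails Luhn, so it must survive unchanged.
SAMPLE_LINE = "POS-07 auth ok pan=4111 1111 1111 1111 amount=19.99 ref=1234567890123456"


if __name__ == "__main__":
    log = logging.getLogger("pos")
    handler = logging.StreamHandler()
    handler.addFilter(PanScrubFilter())   # attach at the handler so nothing bypasses it
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("%s", SAMPLE_LINE)
    # prints: POS-07 auth ok pan=411111******1111 amount=19.99 ref=1234567890123456
```

The filter is attached at the handler rather than the logger so that records from any logger in the process pass through it. Note what this does not solve: a three-digit card verification value or magnetic-stripe track data cannot be recognised reliably by pattern, so those must never reach the logging call in the first place; scrubbing is a safety net for the PAN, not a substitute for not logging sensitive authentication data.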

Others raised the issue of ensuring that websites are compliant while maintaining the company brand. "We are concerned about how to control the payment experience of our customers if we outsource the payment process," said one retailer.

Another concern was the associated Payment Application Data Security Standard (PA-DSS), which aims to secure payment applications by, among other things, prohibiting the storage of sensitive authentication data such as full magnetic-stripe data, CVV2 or PIN data. Several retailers said the range of compliant off-the-shelf applications was extremely limited, and only available from a couple of very small suppliers so far.

The lack of a firm and consistent deadline for the PCI DSS requirements is also the cause of some confusion. Attendees felt that banks and acquirer organisations are all operating on their own timescales, so that while some are pressing merchants to make progress, others are taking a more relaxed approach.

Some pressure is being applied to smaller merchants, those at Levels 3 and 4, in the form of higher fees for non-compliance, but the impression amongst attendees was that the larger retailers, perhaps those at Levels 1 or 2, could dictate terms to their acquirers.

Jan Fry, head of PCI at ProCheckup Ltd., the security company that hosts the PCI DSS User Group, warned that companies can expect to come under greater pressure to comply. "The card companies focused initially on the U.S., but now they are turning their attention more to Europe," he said.

He added that the minimum companies should do is "show progress" to their acquiring banks. "You need to have a roadmap in place for PCI DSS compliance. It means the acquirers can report back to Visa that progress is being made. The acquirers themselves are now getting pressure from the card companies," he said.

Fry agreed that the current picture is still a bit confusing. "Sometimes we see the acquirers applying pressure to a Level-1 merchant, while another Level-1 player has had no contact from their acquiring bank. At the same time, a small e-commerce guy will be getting regular calls for PCI progress."

The PCI DSS User Group, formed in 2005, allows merchants and retailers to come together regularly and share their PCI-related experiences and issues with fellow professionals.

* SearchSecurity.co.uk is the official media partner of the PCI DSS User Group. If you have any questions about PCI DSS, please send them to our editor inbox, and we will find an expert to answer them.
