PCI Council hears complaints, suggestions for changes

Companies with the most stringent security technologies endure hurdles to comply with PCI DSS. Some firms are turning to the upcoming Burton Group Catalyst Conference for answers.

Security has been a priority for credit processor Zoot Enterprises, which taps up to 15 data sources for its financial customers to render a decision on a mortgage application or credit card.

At Zoot, consumers are scored based on criteria set by a bank or lender; Zoot makes a decision on the type of loan or credit card in as fast as three seconds.

From the first entry point into the system, Zoot uses multifactor authentication and a user logs into an encrypted Web site to conduct business. Data flows strictly through an encrypted tunnel at all times.

"Once you get inside our system we actually have multiple layers of encryption," said Tony Rosanova, chief technology officer at Zoot.

Zoot is not yet compliant with PCI DSS. Like many companies undergoing the rigorous compliance process, Zoot must overcome many hurdles. In its final stages of PCI certification, the company has been trying to juggle its speedy credit decision response time with compliance needs.

"PCI has truly supported the concept that data classification is critically important so that you spend your money and your energy securing areas that need to be secured," Rosanova said. "Having visibility and making sure that you classify all your systems consistent with your data classification policy and the security requirements that exist are real challenges."

Being a small and agile company has been helpful, Rosanova said, as it can be difficult for large companies with legacy systems to quickly make the required changes.

"It is more far reaching than anything that's ever been required and it is requiring application changes and corporate changes to deal with that data," he said. "You have to protect sensitive data all the way to the data field level, which is a substantially different undertaking."

At the Burton Group Catalyst Conference, Steven Adler, program director of Data Governance Solutions for IBM and chairman of the Data Governance Council, will discuss how to implement successful long-term data governance programs and best practices. Adler has been working to understand the issues surrounding data compliance and data protection problems. In a recent interview, Adler said there is no one-solution-fits-all approach.

"Some companies come at this from a metadata perspective and quickly recognize the poor quality of their data," Adler said. "Companies can no longer leave it to security pros to manage data security. They need a broader group of people to understand the issues and act appropriately to mitigate risk. It helps increase the value of data within an organization and gets more people to protect it."

While Zoot isn't one of the businesses complaining about PCI DSS, it is common to hear from merchants frustrated with the standard. The PCI Security Standards Council, which was set up to oversee the standard, is finalizing its advisory board and is reviewing feedback on various ways to improve the standard and relieve frustrated merchants, said Robert M. Russo, the Council's newly appointed general manager.

Russo, who has deep roots in the credit card industry, is running day-to-day operations of the Council. He recently told SearchSecurity.com that the Council plans to present the results of its feedback at a community meeting on PCI DSS set for September in Toronto.

"When we get further feedback from that meeting we'll decide how to evolve the standard and where it's going to go," Russo said. "The one thing that [merchants] are all in agreement on is that [the standard] is one of the better things out there and they're not trying to dumb it down but make it better."

Thus far, merchants have voiced concerns about improving the wireless criteria within PCI DSS, Russo said. Also, IT security pros continue to request guidance on application-based security to guard against SQL injection and cross-site scripting attacks, he said.

At industry conferences, companies have shared other frustrations with the current standard. Other merchants have been confused by compensating controls—which show that a merchant is meeting a portion of the standard, such as data encryption, with current security protections. But auditors, who must sign off on specific compensating controls, have interpreted the rules differently, some merchants have said. Others have reported that some auditors are also in the business of selling specific products designed, they say, to make the merchant compliant with the standard.

"Auditors have no business selling a fix-all designed to bring a company into compliance," said Diana Kelley, vice president and service director at Midvale, Utah-based Burton Group. "There's no such thing."

Despite these frustrations, Russo called the standard a milestone for the industry. The standard is the best effort by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to reach a common set of criteria that all companies should strive to achieve to protect sensitive information, he said.

"Until they formed this council last September, they were and still are, five of the toughest competitors that you could imagine," Russo said. "Getting them all in the same room to sit down and agree on anything was a miracle."

Enforcement will be left to each individual credit card brand. Though the standard is strict, Russo said, data security should have always been the sole priority of any company that processes credit cards.

Zoot frequently conducts internal and external audits to determine whether it is following its security procedures. The company collects every keystroke on every system and validates the data to ensure only appropriate employees are accessing the data.

For companies like Zoot, data protection is critical to their business, but meeting the standard has been an uphill battle.

"It is on an order of magnitude more difficult to become PCI compliant than most of the audits that most of us have ever had to experience, because it goes so much deeper," Rosanova said. "The struggle and challenge is to make sure that we mitigate risk without extraordinary expenses and without inhibiting our ability to do our job and be a value to our clients."
