Speaking to about 50 attendees at a day-long Advanced PCI DSS Conference in New York, Jennifer Fischer, director of enterprise risk and compliance at Visa, said executives at the credit card giant are starting an education campaign to get merchants to comply with the standards by the end of the year. So far, more than 60% of merchants fail to meet the current standards, according to data presented at the conference.
Any merchant who accepts credit cards must meet PCI DSS, a set of a dozen rules to protect consumer data from hackers. Industry experts say PCI DSS was a set of standards agreed upon by Visa, MasterCard, Discover, American Express and JCB in an attempt to police the payment card industry before legislators enact regulations to address data security issues. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.
Merchants must prove that they protect consumer credit card information and must be assessed by a PCI DSS certified security auditor. But merchants and security auditors criticize PCI DSS for constantly changing its standards and for its ambiguity when applied to unique technology environments. For example, a security lapse flagged by one auditor may not be considered an issue by another.
Despite the criticism, most firms accepting credit cards are familiar with the rules and are starting to go through a security audit, said John W. Adams, a PCI DSS auditor with the Ellicott City, Md.-based security consulting firm CTG.
"Clearly there needs to be more consistency between the way assessors interpret the requirements," Adams said.
Visa launched an executive calling program, making direct phone calls to the CEOs of major retailers who currently don't comply with the rules. A letter mailing campaign is also in the works as well as a series of training programs conducted by card-issuing banks, Fischer said.
"We recognize that this is not an insignificant task for anyone who needs to comply," Fischer said. "We're going to be more consistent and give a better sense of what we're aiming to accomplish."
Data security breaches are not an outcome of some obscure vulnerability, she said. Merchants who experience a breach are found by fraud investigators to be storing prohibited credit card data. Many firms have a poor patch management program and use software default settings and passwords. Other merchants are using poorly coded Web-facing payment applications, or have legacy payment equipment without proper encryption technology.
"In many cases, encryption is the only method to secure stored consumer data," Fischer said.
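The "prohibited credit card data" Fischer refers to is typically full magnetic-stripe track data, card verification values and unmasked account numbers left behind in logs, database dumps and swipe buffers. An assessor's first step is usually a discovery scan over that data. The script below is an added example written for this article, not code from Visa, the conference or any assessor: it scans text for track 1 and track 2 formats, CVV-style fields and candidate 13-19 digit account numbers, uses the Luhn check to discard numbers that merely look like PANs (order numbers, timestamps), and masks anything it reports so the scan output itself does not become another store of cardholder data. The log lines are constructed for the illustration and use published test card numbers; the regular expressions are a starting point, not a complete catalogue of every issuer's format.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which excludes most hashes and IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the stripe: ;<PAN>=<YYMM><service code + discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# Track 1: %B<PAN>^<NAME>^<YYMM>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# A CVV/CVC-style field name followed by a 3- or 4-digit value.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2?)\b[\"':= ]*(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (BIN + last four), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "track1", "track2", "cvv" or "pan"
    masked: str    # masked PAN, or "***" for a CVV value


def scan(text: str) -> list[Finding]:
    """Scan text line by line for stored cardholder data; report masked hits."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        seen: set[str] = set()   # masked PANs already reported on this line
        for m in TRACK1_RE.finditer(line):
            masked = mask_pan(m.group(1))
            seen.add(masked)
            findings.append(Finding(n, "track1", masked))
        for m in TRACK2_RE.finditer(line):
            masked = mask_pan(m.group(1))
            seen.add(masked)
            findings.append(Finding(n, "track2", masked))
        for m in CVV_RE.finditer(line):
            findings.append(Finding(n, "cvv", "***"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            masked = mask_pan(digits)
            # Luhn filters out numbers that only look like PANs; the seen-set
            # avoids re-reporting a PAN already covered by a track finding.
            if luhn_ok(digits) and masked not in seen:
                seen.add(masked)
                findings.append(Finding(n, "pan", masked))
    return findings


# Constructed sample log (not real data); PANs are published test numbers.
SAMPLE_LOG = """\
2007-04-12 10:01:22 POS-07 auth ok amount=42.10 pan=4111 1111 1111 1111 cvv2=123
2007-04-12 10:01:23 POS-07 swipe raw=%B5555555555554444^DOE/JANE^25121011234?;5555555555554444=25121011234?
2007-04-12 10:02:05 POS-07 order 1234567890123456 shipped
2007-04-12 10:03:41 POS-07 auth ok token=tok_8f3a9c amount=19.99 last4=0005
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
```

Run against the sample, the scan flags the CVV2 and the space-separated PAN on line 1 and both track formats on line 2, while the 16-digit order number on line 3 fails Luhn and is ignored and line 4, which stores only a token and the last four digits, is clean. That last line is the shape a compliant log should have.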
Most of the standards are best practices that companies should ultimately have, said Khalid Kark, a senior analyst with Cambridge, Mass.-based Forrester Research Inc. The standards are a good starting point but may be too narrow, since every company has its own unique technology environment, Kark said.
"A lot of retailers are behind the curve and it's good that they're being forced to make sure data is secure by putting in the right controls," Kark said. "But we have to recognize that there may be environments where some of the prescribed standards may not work."