Visa aims to boost PCI DSS adoption

Visa is launching an education campaign to address the more than 60% of merchants that fail to meet the PCI Data Security Standards.

Visa executives are trying to encourage merchants to comply with the PCI Data Security Standards (PCI DSS), and raise lagging adoption rates in the program.
We're going to be more consistent and give a better sense of what we're aiming to accomplish.
Jennifer Fischer,
director of enterprise risk and complianceVisa USA

Speaking to about 50 attendees at a day-long Advanced PCI DSS Conference in New York, Jennifer Fischer, director of enterprise risk and compliance at Visa, said executives at the credit card giant are starting an education campaign to get merchants to comply with the standards by the end of the year. So far, more than 60% of merchants fail to meet the current standards, according to data presented at the conference.

Any merchant who accepts credit cards must meet PCI DSS, a set of a dozen rules to protect consumer data from hackers. Industry experts say PCI DSS was set of standards agreed upon by Visa, MasterCard, Discover, American Express and JCB in an attempt to police the payment card industry before legislators enact regulations to address data security issues. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

Merchants must prove that they protect consumer credit card information and must be assessed by a PCI DSS certified security auditor. But merchants and security auditors criticize PCI DSS for constantly changing its standards and for its ambiguity to unique technology environments. For example, a security lapse flagged by one auditor may not be considered an issue by another.

Meet the PCI DSS, avoid being the next TJX: Seana Pitt, chairperson of the PCI Security Standards Council and vice president of merchant policy and data quality at American Express, says companies should look at PCI DSS as a way to avoid future TJX-sized breaches instead of as a list of rules to heed to keep the compliance police at bay.

PCI DSS auditors see lessons in TJX data breach: Following the recent TJX data breach, several PCI Data Security Standard auditors say the retailer violated basic requirements of the PCI DSS. But they say there are lessons to be learned from TJX's mistakes.

Hashing for fun and profit: Demystifying encryption for PCI DSS: These days there's no excuse for failing to encrypt sensitive data like credit card information, but the numerous types of cryptography available today can make cryptography implementation a mystifying process.

Despite the criticism, most firms accepting credit cards are familiar with the rules and are starting to go through a security audit, said John W. Adams, a PCI DSS auditor with the Ellicott City, Md.-based security consulting firm CTG.

"Clearly there needs to be more consistency between the way assessors interpret the requirements," Adams said.

Visa launched an executive calling program, making direct phone calls to the CEOs of major retailers who currently don't comply with the rules. A letter mailing campaign is also in the works as well as a series of training programs conducted by card-issuing banks, Fischer said.

"We recognize that this is not an insignificant task for anyone who needs to comply," Fischer said. "We're going to be more consistent and give a better sense of what we're aiming to accomplish."

Data security breaches are not an outcome of some obscure vulnerability, she said. Merchants who experience a breach are found by fraud investigators to be storing prohibited credit card data. Many firms have a poor patch management program and use software default settings and passwords. Other merchants are using poorly coded Web facing payment applications, or have legacy payment equipment without proper encryption technology.

"In many cases, encryption is the only method to secure stored consumer data," Fischer said.

Most of the standards are best practices that companies should ultimately have, said Khalid Kark, a senior analyst with Cambridge, Mass.-based Forrester Research Inc. The standards are a good starting point but may be too narrow, since every company has its own unique technology environment, Kark said.

"A lot of retailers are behind the curve and it's good that they're being forced to make sure data is secure by putting in the right controls," Kark said. "But we have to recognize that there may be environments were some of the prescribed standards may not work."

Read more on PC hardware