Credit card IT security chief calls for PCI DSS changes

Phil Mellinger, CISO of credit card processing giant First Data Corp., is calling for changes to the standard to speed adoption, ease restrictions and eliminate ambiguous language.

It's a constant struggle for credit card processing giant First Data Corp. to become compliant with the Payment Card Industry Data Security Standard (PCI DSS), says First Data's CISO, Phil Mellinger.

Greenwood Village, Colo.-based First Data has spent millions on compliance initiatives to lock down its systems against hackers trying to gain access to the constant stream of credit card data that passes through the company's massive infrastructure. Attackers are after magnetic stripe track data, PINs and other identifying information that can be sold on the black market and used to make fraudulent purchases. Mellinger calls it an uphill battle, since attacker methods are growing in sophistication and attacks come in so many forms.

Speaking to a group of merchants at a recent PCI DSS conference, Mellinger, who developed the precursor to the current PCI DSS rules, is calling for an overhaul to eliminate subjectivity and ease restrictions to get more merchants to meet the standard.

"I would rather they set the bar lower and then raise it once more merchants have complied," Mellinger said. "The more people we can get compliant, the better off we are."

Deadlines have been set for merchants to prove compliance by the end of the year. But so far industry estimates show that more than 60% of merchants fail to meet the current standards.

Mellinger is calling for a PCI DSS status directory in which compliant merchants and processors are publicly listed. Opponents say such a directory could be used by hackers to find vulnerable companies to attack. But Mellinger insists that it would reward businesses that are compliant and get others to move faster on compliance projects.


Visa, MasterCard, Discover, American Express and JCB have come together to push merchants and processors to meet the standards. The goal is to police the payment card industry before legislators enact regulations to address data security issues.

Convincing merchants to move forward with PCI DSS compliance projects means getting banks to accept PCI DSS as proof of security, Mellinger said. Banks currently don't have much confidence in the PCI standard and continue to insist on doing their own on-site examinations of security procedures, he said. Card issuers also have different processes, rules and fees that further complicate the compliance process.

"PCI is the best safeguard to protect a company if there is a problem and there will be incidents," Mellinger said. "But when banks come in and do their audits and don't look at the PCI findings, that's a problem."

Mellinger also said he would like a level playing field when firms seek compliance. Currently the same standard applies to First Data's massive data centers as to a merchant with two servers, he said; the rules differ only slightly. Under the standard, businesses that process more than six million credit card transactions per year are subject to an annual on-site audit and quarterly network scans. Companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and also conduct quarterly network scans. Mellinger said the self-assessment questionnaire is too difficult for some merchants to understand and answer accurately.

"The bad guys aren't really living off the big merchants, they're living off of everybody," Mellinger said. "There's a fallacy out there that they're targeting high volume."
