Greenwood Village, Colo.-based First Data has spent millions on compliance initiatives to lock down its systems against hackers trying to gain access to the constant stream of credit card data that passes through the company's massive systems. Hackers are seeking magnetic stripe track data, PINs and other identifiable information that could be sold on the black market and used to make fraudulent purchases. Mellinger calls it an uphill battle, since attacker methods are growing in sophistication and attacks come in so many forms.
Speaking to a group of merchants at a recent PCI DSS conference, Mellinger, who developed the precursor to the current PCI DSS rules, is calling for an overhaul to eliminate subjectivity and ease restrictions to get more merchants to meet the standard.
"I would rather they set the bar lower and then raise it once more merchants have complied," Mellinger said. "The more people we can get compliant, the better off we are."
Deadlines have been set for merchants to prove compliance by the end of the year. But so far industry estimates show that more than 60% of merchants fail to meet the current standards.
Mellinger is calling for a PCI DSS status directory in which compliant merchants and processors are publicly listed. Opponents say such a directory could be used by hackers to find vulnerable companies to attack. But Mellinger insists that it would reward businesses that are compliant and get others to move faster on compliance projects.
Visa, MasterCard, Discover, American Express and JCB have come together to push merchants and processors to meet the standards. The goal is to police the payment card industry before legislators enact regulations to address data security issues.
Convincing merchants to move forward with PCI DSS compliance projects means getting banks to accept PCI DSS as proof of security, Mellinger said. Banks currently don't have much confidence in the PCI standards and continue to insist on doing their own on-site examinations of security procedures, he said. Card issuers also have different processes, rules and fees that further complicate the compliance process.
"PCI is the best safeguard to protect a company if there is a problem and there will be incidents," Mellinger said. "But when banks come in and do their audits and don't look at the PCI findings, that's a problem."
Mellinger also said he would like a level playing field when firms seek compliance. Currently the same standards apply to First Data's massive data centers as to a merchant with two servers, he said. The rules are only slightly different, he said. Under the standard, businesses that process more than 6 million credit card transactions per year are subject to an annual on-site audit and quarterly network scans. Companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and also conduct quarterly network scans. Mellinger said the self-assessment questionnaire is too difficult for some merchants to understand and answer accurately.
"The bad guys aren't really living off the big merchants, they're living off of everybody," Mellinger said. "There's a fallacy out there that they're targeting high volume."