The Green Sheet Online Edition
December 8, 2008 • 08:12:01
Looking beyond PCI
Payment Card Industry (PCI) Data Security Standard (DSS) is the single biggest information security concern facing most ISOs, their acquirers and merchants, but it is short-sighted to think it is the only issue.
Many ISOs and other organizations are taking a simplistic approach to security and compliance. In the process they are setting themselves up for unnecessary cost and effort, while at the same time missing the chance to make some real improvements to their world. Fortunately, the right approach can avoid these problems and help ISOs and merchants be safer and more compliant, all while helping ISOs' bottom lines.
Elephant in the room
The first question ISOs and merchants ask is, "Can I avoid this entire issue and not be at risk?" This is a perfectly reasonable question, given that these security and documentation requirements seem like such a distraction from normal business, but the answer for ISOs and merchants is no.
We are currently seeing a rash of hardware vendors and service providers telling merchants, "Yes, use our product, and you can avoid PCI issues." But most of these people are, to put it delicately, twisting reality until it surrenders.
All merchants who ever accept, transmit, or process cardholders' primary account numbers during a transaction must comply with the PCI DSS. Far too many of these dubious vendors are using dizzying amounts of spin in their marketing literature. But most are careful enough to quietly water down their claims with "weasel" words like "avoid or minimize PCI problems" somewhere in their fine print.
These vendors are doing their customers and partners a disservice, potentially leaving them exposed to the danger of security and compliance failures.
No quick fix
Usually the next question is, "If I can't avoid it, what product or service can I get that solves it all for me?" The short answer is - there isn't one. Far too many vendors are claiming they are the silver bullet, but the closer you look at their claims, the more they evaporate.
The longer, better answer is that this isn't really the right question. A better question might be, "Is PCI the only thing I need to worry about?" The answer here, again, is no - for most merchants and all ISOs.
When considering compliance requirements such as the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act, and other state-level legal requirements, you should think of PCI as the leader of the pack, not as an isolated issue. And it is clear to most industry experts that compliance requirements are only going to grow in coming years for a range of political and economic reasons.
But compliance isn't even the real story. The most important thing for merchants and ISOs to remember is that the dangers are real; hackers and thieves are out there trying to steal data and commit fraud; those who don't protect themselves by taking the right precautions will be hacked sooner or later.
Treat the disease
PCI problems are symptoms of a deeper concern. Those who concentrate too narrowly on PCI will find themselves back at square one when it's time to worry about the next compliance requirement or problem - and the next attack.
By dealing directly with the underlying concerns, merchants and ISOs can deal with security and compliance once and for all, at lower cost and with less effort. This is why the question, "What solution solves PCI?" puts the cart before the horse.
What proper security program should ISOs suggest to their portfolio merchants? The following four pieces of advice are deliberately not created in reaction to PCI. The good news is that following these steps also addresses PCI compliance.
It's not surprising that treating the disease decreases the symptoms. ISOs who give this advice to their merchants are helping them to solve PCI and a whole range of other security matters all in one go:
- Recognize that the security threats and compliance issues are real, and they need to be actively addressed. Doing nothing will be more expensive than doing the right thing; the merchant could be attacked or hit with noncompliance penalties and expenses. In either situation, the ISO is put at legal and financial risk.
- Avoid specific problems, where possible, rather than solve them. By far the best and cheapest way to handle a security issue is to avoid it altogether. If merchants don't store sensitive cardholder data on their computers, literally dozens of security issues simply disappear, and dozens of complicated, expensive and time-consuming solutions simply lose all relevance.
In the case of PCI, following this one step dramatically simplifies the merchants' PCI burden. And by dramatically, we're not talking about a 10 percent reduction in pain; it's more like 50 percent to 90 percent.
- Follow the known path. A lot of advice handed out to people urges them to be different, to avoid the standard solutions, but in the world of security and compliance that's almost always the wrong advice. A good piece of general security advice, directly relevant to PCI, is to follow the tested path.
If your merchants need POS devices, urge them to choose ones that are known to be compliant with the Payment Application DSS, rather than non-standard solutions. If one of your merchants needs a network vulnerability scan for PCI, simply point them to an approved scanning vendor via a partnership you have in place or by directing them to the formal list on the PCI Security Standards Council's Web site at www.pcisecuritystandards.org/qsa_asv/find_one.shtml. The same argument applies to formal PCI audits and choosing a formally certified qualified security assessor.
- Recognize and embrace breadth. As we've already said, security and compliance are broad issues and need a broad range of responses. There is no one, magical solution or strategy that will make it all go away, so ISOs need to be able to provide - either directly or through partnership - an equally broad range of solutions and strategies.
Unfortunately, almost all vendors try to narrow your world down, to make you focus on them, so it pays to carefully look for vendors and partners who explicitly aim at providing the full range of services needed. No one can cover the whole range themselves, so an ISO's best bet is to find a partner willing to act as a portal - a one-stop shop for an entire ecosystem of other security and compliance vendors.
Be the tortoise
Merchants and ISOs have a choice: Deal with security and compliance issues with a short-term "what is the minimum I can get away with today?" approach or take a step back and do it once, properly. Following the latter path doesn't mean spending more; it just means spending smarter.
It leads to better security, better and cheaper compliance, and creates the right framework to guide ISOs in their partnership decisions and strategies. It also creates what every organization in the payment processing industry is aiming for: an environment where consumers use payment cards without fear or inhibitions.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.