The Green Sheet Online Edition
January 12, 2009 • Issue 09:01:01
PCI: What to hope for in 2009
The end of the old year and the start of the new is a good time to step back and review where the Payment Card Industry (PCI) Data Security Standard (DSS) compliance program has taken us - to look at what has gone right, what has gone wrong, and what ISOs, merchants, and the rest of the payment card industry can hope for in 2009.
The PCI DSS was expanded and refined in 2008, and this was generally done in a careful, effective way. The year saw a modest revision of the standard, as well as escalating compliance demands on payment applications. And it was the start of the long, demanding process of bringing smaller merchants into compliance.
It also saw steady, although not spectacular, improvement in the compliance and validation success rates for merchants across the board. All of this is real progress and directly serves the ultimate goal of PCI: to protect cardholders, their privacy and their transactions.
However, not everything is ideal with PCI, and it's far from guaranteed that the problems that do exist are just the growing pains of a still-young standard. The more pessimistic analysis, and probably the more realistic one, is that the active involvement of the PCI Security Standards Council (SSC) and the payment brands will be necessary to make sure PCI achieves its long-term goals.
PCI compliance will be a big issue for ISOs in 2009. Understanding problems associated with compliance and knowing what to worry about (and what not to worry about) will make the year ahead safer, simpler and more rewarding.
PCI issues can be divided into two basic categories: real challenges and artificial challenges. As we'll see, too many ISOs are being distracted by artificial challenges, most of which are really little more than counter-productive vendor fights.
The real challenges are the almost-silent problems faced by individual merchants trying to grapple with PCI. For larger (level 1) merchants, compliance is just a chore: The company is large enough and sophisticated enough to meet the challenge with either in-house expertise or consultants.
But for smaller merchants the administrative, technical and security demands of PCI compliance are always going to be daunting.
After assisting thousands of merchants with their PCI validation and compliance efforts, it is clear to Panoptic Security that many smaller merchants are having several different types of problems with PCI.
Remember that PCI has two types of demands:
- Validation, which is PCI-speak for merchants' ability to show, via standard documents or tests, that they are meeting PCI requirements.
- Compliance, which means meeting all of the requirements laid out in the PCI DSS.
It has been obvious for a long time that compliance places a heavy burden on merchants: The standard is both broad and deep, and many merchants are going to find it a drawn-out, difficult process to make the hardware, software and procedural changes needed to get into compliance. But above and beyond that, all too many merchants are struggling even with the simpler mechanics of validation.
For example, at Panoptic Security, we were surprised how much attention was needed to walk merchants through the process of identifying which Self-Assessment Questionnaire (SAQ) was applicable.
Our statistics show that when exposed to the standard raw wording of the SAQ, many merchants (one in eight) will incorrectly self-identify as a service provider, which drops them into the longest, most complicated SAQ (version D).
When we followed up with such merchants, many of them said that since they did, in fact, provide services to their customers, they had answered the question that way without seeking further clarification.
It is clear that many of these merchants were incorrectly classifying themselves, because with comprehensive real-time assistance, the number of merchants identified as service providers dropped significantly.
This example emphasizes an ongoing challenge of PCI compliance. Simplification is needed, but simplifying the process by adding clarifications, alternatives, and flexibility can actually make things more complicated and time-intensive. In the latest version of the SAQs released in late 2008, the expanded handling of "not applicable" options has almost doubled the page count of SAQ A - from eight to 15 pages.
The real issues relate to how merchants assess and improve their security to better protect cardholders. The artificial challenges, unfortunately, come from vendors trying to influence industry trends in their favor, and they generate a lot of confusion and wasted effort. A critical factor in PCI's long-term health will be the willingness of the PCI SSC and the payment brands to limit the extent of this spin. This will help merchants, ISOs and acquirers focus on the real goal of protecting cardholder data.
One example of this spin relates to the first generation of security vendors for PCI, the Qualified Security Assessors (QSAs), who are essentially consultants servicing the large merchants first targeted by PCI.
The QSA business model is fundamentally inappropriate for dealing with the millions of smaller merchants now being targeted for PCI validation and compliance.
But some members of the QSA community are pushing their services with the line "only a QSA can help small merchants with their Self-Assessment Questionnaire." That is obviously incorrect, given the meaning of the word self-assessment, but ISOs must cut through the hype to see what solutions and strategies are best for them and their merchants.
A more dangerous distortion that has been around for a while comes from a few payment application vendors promising that they make PCI "go away" with the purchase of their solution. It's true that the right payment application (properly installed and maintained) can greatly simplify a merchant's PCI burden, but that's a very different thing from avoiding PCI altogether.
Again, ISOs who uncritically accept these types of statements may find that they've made the wrong partnership deal and may still have portfolio risks they thought had gone away.
ISOs, merchants, and everyone else in the payments industry will have an easier 2009 if the PCI SSC and the payment brands:
- Continue their strategy of incremental rollout and expansion of PCI, with all players given adequate warning of deadlines and changes to requirements.
- Keep explicit focus on the ultimate goal of PCI (protecting cardholders) and prevent the formalities and process of PCI from becoming goals in themselves. Becoming "internally focused" like this is a common failing for compliance regimes, and it is now becoming a threat to PCI success.
- Provide even more education and message clarity to ISOs and merchants about the PCI DSS. Doing so will help ISOs make informed decisions about PCI and give them the chance to find the right solutions and partners for their particular circumstances and portfolios.
ISOs that concentrate on the real challenges of PCI compliance and avoid wasting resources on artificial challenges can make 2009 a year in which PCI actively helps them so they can end the year with safer merchants and stronger businesses.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599-3454.