The Green Sheet Online Edition
February 09, 2009 • Issue 09:02:01
The long fingers of PCI
The need to maintain secure credit and debit card transaction networks to prevent data breaches, protect personally identifiable information (PII), and thwart identity theft and cyber fraud has been debated exhaustively in recent years. And the payments industry has offered a significant, focused and all-encompassing response.
This is evidenced by the implementation of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application (PA) DSS, as well as the rapid growth of the PCI Security Standards Council (SSC). However, while a recent Internet search of the term PCI DSS yielded over 1,000,000 hits, many in the industry have not yet come to terms with the fact of life commonly known as PCI. Many merchants, ISOs and even some acquirers still plead ignorance.
The card brands and other industry leaders have gone to great lengths to educate the entire stakeholder chain on the issues pertaining to PCI, and they have had limited success. The question is why?
Mired in erroneous beliefs
The answer lies not in the failure to communicate the message but in the belief by many that PCI is of limited or no consequence and might even be damaging to business operations.
Small merchants who unknowingly store full card data within integrated payment systems are the most vulnerable to direct financial liability, yet they are the least able to pay the cost of noncompliance. And they often do not realize that adhering to the PCI DSS can protect them. Many ISOs believe any additional charge to merchants to help them attain PCI compliance will further compromise a rather tenuous relationship; many acquirers have not determined their course of action.
And the card brands have, at times, been inconsistent in dealing with requirements and have propagated an alphabet soup of rules, regulations and acronyms. But with the formation and strengthening of the PCI SSC, the PCI message, rules and compliance procedures now exhibit a mature consistency of application and approach.
Government at attention
However, the results of our failure as an industry to effectively promulgate the necessity of PCI compliance throughout all levels of stakeholders can best be summed up by Admiral Isoroku Yamamoto's remarks following the attack on Pearl Harbor: "I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve."
A review of legislative and agency action reveals that the U.S. government has not been asleep. At least 13 existing federal laws impact issues associated with PII. These include the U.S.A. Patriot Act, the Federal Information Security Management Act and others.
Further, at least 13 separate pieces of proposed legislation were introduced in either the Senate or House during the 110th U.S. Congress, and three Senate bills were reported favorably out of committee: SB 239, the Notification of Risk to Personal Data Act; SB 495, the Personal Data Privacy and Security Act; and SB 1178, the Identity Theft and Prevention Act.
From the industry's mouth
Of more immediate and important impact is the Federal Trade Commission's January 2008 consent decree in the case of Life Is Good Inc. As reported in "PCI, an aspect of PII," by Ross Federgreen, Ken Musante and Theodore Svoronos, The Green Sheet, Jan. 12, 2009, issue 09:01:01, "The FTC charged that LIG 'failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network,' even though the company stated on its Web site that such information 'is kept in a secure file.'"
In nine specific orders, the decree covers all aspects of LIG's data protection policies, procedures and ethics, and it is being embraced as a minimum standard for operating entities going forward. The underpinning of this regulatory fiat is found at the core of several underlying, controlling payments industry documents pertaining to the issues of PII and the PCI DSS.
The first is CISP Bulletin 051407, better known as the Level 4 Merchant Compliance Program Requirements document written by Visa Inc., which sets out the requirements for level 4 merchant compliance programs. Acquirers were responsible for responding to Visa with relevant programs in the following five areas by July 31, 2007:
- Timeline of critical events
- Risk profiling strategy
- Merchant education strategy
- Compliance strategy
- Compliance reporting
Of further consequence in linking our industry's initiatives to the FTC's consent decree are the 12 base requirements of the PCI DSS. Although the PCI DSS has evolved and matured over the last four years and now is in version 1.2, the core has remained. Its basic 12 requirements are divided into six goals:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security program.
The FTC's interpretation
The FTC consent decree pertaining to LIG requires entities to institute a "comprehensive information-security program" that incorporates administrative, technical and physical safeguards tailored to the size of the commercial entity, the nature of its activities and the sensitivity of the personal information it collects.
Specifically, the decree mandates an information security program that includes:
- Designation of an employee or employees to coordinate the information security program
- Identification of internal and external risks to the security and confidentiality of personal information and assessment of the safeguards already in place
- Creation and implementation of safeguards to control the risks identified in the risk assessment
- Monitoring the effectiveness of safeguards
- Development of reasonable steps to select and oversee service providers that handle personal information
- Evaluation and adjustment of the program to reflect results of monitoring, material changes to the company's operations or other circumstances that may affect program efficiency
It is clear the fingerprints of the CISP Bulletin 051407 and the PCI DSS are incorporated and preserved within the context of the FTC consent decree. This demonstrates alignment of the various governmental and nongovernmental thought leaders in this area. Analysis of legislative initiatives also demonstrates a commonality of thought.
No time to dither
There is no longer any room left to argue the basic validity or applicability of PCI. The only issue left is how to achieve universal compliance with the specific mandates of the FTC and our own leadership. It is not acceptable or prudent to distract merchants from compliance by offering an ineffective, purportedly simple solution to a highly complex mandate.
The only acceptable solution must provide to merchants meaningful education, traceable task solving and consequential results. Simultaneously, the solution must provide to ISOs and acquirers risk stratification, risk analysis and measurable performance criteria for their merchant populations. The consequences of failure in this area are both real and draconian to stakeholders throughout the merchant services universe.
Rick Allen, a Certified Information Systems Security Professional, is Director of Partner Compliance at Payment Processing Inc. in Newark, Calif. To contact him, please call 510-795-4977.
Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 1, or firstname.lastname@example.org.