The Green Sheet Online Edition

February 09, 2009  •  Issue 09:02:01


The long fingers of PCI

By Ross Federgreen and Rick Allen

The need to maintain secure credit and debit card transaction networks to prevent data breaches, protect personally identifiable information (PII), and thwart identity theft and cyber fraud has been debated exhaustively in recent years. And the payments industry has offered a significant, focused and all-encompassing response.

This is evidenced by the implementation of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application (PA) DSS, as well as the rapid growth of the PCI Security Standards Council (SSC). However, while a recent Internet search for the term PCI DSS yielded over 1,000,000 hits, many in the industry have not yet come to terms with the fact of life commonly known as PCI. Many merchants, ISOs and even some acquirers still plead ignorance.

The card brands and other industry leaders have gone to great lengths to educate the entire stakeholder chain on the issues pertaining to PCI, and they have had limited success. The question is why?

Mired in erroneous beliefs

The answer lies not in the failure to communicate the message but in the belief by many that PCI is of limited or no consequence and might even be damaging to business operations.

Small merchants who unknowingly store full card data within integrated payment systems are the most vulnerable to direct financial liability, yet they are the least able to pay the cost of noncompliance. And they often do not realize that adhering to the PCI DSS can protect them. Many ISOs believe any additional charge to merchants to help them attain PCI compliance will further compromise a rather tenuous relationship; many acquirers have not determined their course of action.
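The exposure described above is easy to test for. The following script is an added example, not code from the authors or from any PCI assessment tool; it scans text (a POS log, a database export, a settlement file) for the two things PCI DSS Requirement 3 forbids a merchant to keep in the clear: full PANs and track 2 data retained after authorization. Candidates are validated with the Luhn check so that order numbers, timestamps and phone numbers drop out, and every hit is reported masked to the first six and last four digits so the scan report itself does not become cardholder data. The sample log, file names and function names are constructed for the example; the PAN used is the publicly published test number 4111111111111111, not a real account.

```python
"""PAN discovery scan (illustrative example, not a QSA-approved tool).

Finds cardholder data that PCI DSS Requirement 3 says must not sit in storage unprotected:
  * full PANs stored in clear text (Req. 3.4)
  * track 2 data, i.e. sensitive authentication data, after authorization (Req. 3.2)
Hits are reported masked (first six and last four digits, the maximum Req. 3.3 allows).
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part of a
# longer digit run (the lookarounds stop us matching the middle of a 20-digit serial).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. Storing this after authorization is prohibited.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, offset, masked_pan) for every finding, ordered by offset.

    kind is 'track2' (sensitive authentication data) or 'pan' (stored full PAN).
    """
    findings = []
    covered = set()
    for m in TRACK2.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append(("track2", m.start(), mask_pan(pan)))
            covered.update(range(m.start(), m.end()))
    for m in PAN_CANDIDATE.finditer(text):
        if m.start() in covered:
            continue            # already reported as the PAN inside a track 2 record
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", m.start(), mask_pan(digits)))
    return sorted(findings, key=lambda f: f[1])


def scan_file(path: str) -> List[Tuple[str, int, str]]:
    """Scan one file; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_card_data(fh.read())


# Constructed sample of what an integrated POS might leave in its log. Line 1 holds a
# 14-digit order number and a phone number (both rejected), line 2 a clear-text PAN,
# line 3 cached track 2 data, line 4 a 16-digit reference that fails the Luhn check.
SAMPLE_LOG = """\
2009-02-09 10:14:02 order=20090209101402 amount=41.99 phone=415-555-0100
2009-02-09 10:14:03 auth ok pan=4111 1111 1111 1111 exp=12/25
2009-02-09 10:14:03 cache ;4111111111111111=2512101?
2009-02-09 10:14:05 ref=4111111111111112 declined
"""

if __name__ == "__main__":
    for kind, offset, masked in find_card_data(SAMPLE_LOG):
        print(f"{kind:6} at byte {offset:4}: {masked}")
```

Run against the constructed sample it reports one stored PAN and one track 2 record, both shown as 411111******1111, and nothing for the order number, phone number or the Luhn-failing reference. In practice the Luhn check is a filter, not proof: a hit still needs a human to confirm it is cardholder data, and a clean scan of one file says nothing about database tables, backups or swap space the script was not pointed at.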

And the card brands have, at times, been inconsistent in dealing with requirements and have propagated an alphabet soup of rules, regulations and acronyms. But with the formation and strengthening of the PCI SSC, the PCI message, rules and compliance procedures now exhibit a mature consistency of application and approach.

Government at attention

However, the results of our failure as an industry to effectively promulgate the necessity of PCI compliance throughout all levels of stakeholders can best be summed up by the remark attributed to Admiral Isoroku Yamamoto following the attack on Pearl Harbor: "I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve."

A review of legislative and agency action reveals that the U.S. government has not been asleep. At least 13 existing federal laws bear on the handling of PII. These include the USA PATRIOT Act, the Federal Information Security Management Act and others.

Further, at least 13 separate pieces of proposed legislation were introduced in either the Senate or the House during the 110th U.S. Congress, and three Senate bills were reported favorably out of committee: S. 239, the Notification of Risk to Personal Data Act; S. 495, the Personal Data Privacy and Security Act; and S. 1178, the Identity Theft Prevention Act.

From the industry's mouth

Of more immediate importance is the Federal Trade Commission's January 2008 consent decree in the case of Life Is Good Inc. As reported in "PCI, an aspect of PII," by Ross Federgreen, Ken Musante and Theodore Svoronos, The Green Sheet, Jan. 12, 2009, issue 09:01:01, "The FTC charged that LIG 'failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network,' even though the company stated on its Web site that such information 'is kept in a secure file.'"

In nine specific orders, the decree covers all aspects of LIG's data protection policies, procedures and ethics, and it is being embraced as a minimum standard for operating entities going forward. The underpinning of this regulatory fiat is found at the core of several underlying, controlling payments industry documents pertaining to the issues of PII and the PCI DSS.

The first is CISP Bulletin 051407, better known as Visa Inc.'s Level 4 Merchant Compliance Program Requirements document. It sets out what acquirers' level 4 merchant compliance programs must contain, and acquirers were responsible for responding to Visa with relevant programs in the following five areas by July 31, 2007:

  1. Timeline of critical events
  2. Risk profiling strategy
  3. Merchant education strategy
  4. Compliance strategy
  5. Compliance reporting

Of further consequence in linking our industry's initiatives to the FTC's consent decree are the 12 base requirements of the PCI DSS. Although the PCI DSS has evolved and matured over the last four years and is now in version 1.2, the core has remained. Its 12 requirements are grouped under six goals:

  1. Build and maintain a secure network.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

The FTC's interpretation

The FTC consent decree pertaining to LIG requires entities to institute a "comprehensive information-security program" that incorporates administrative, technical and physical safeguards tailored to the size of the commercial entity, the nature of its activities and the sensitivity of the personal information it collects.

Specifically, the decree mandates an information security program that includes:

The fingerprints of CISP Bulletin 051407 and the PCI DSS are clearly preserved within the FTC consent decree. This demonstrates alignment of the various governmental and nongovernmental thought leaders in this area. Analysis of legislative initiatives also demonstrates a commonality of thought.

No time to dither

There is no longer any room left to argue the basic validity or applicability of PCI. The only issue left is how to achieve universal compliance with the specific mandates of the FTC and our own leadership. It is not acceptable or prudent to distract merchants from compliance by offering an ineffective, purportedly simple solution to a highly complex mandate.

The only acceptable solution must provide merchants with meaningful education, traceable task solving and consequential results. Simultaneously, it must provide ISOs and acquirers with risk stratification, risk analysis and measurable performance criteria for their merchant populations. The consequences of failure in this area are both real and draconian for stakeholders throughout the merchant services universe.

Rick Allen, a Certified Information Systems Security Professional, is Director of Partner Compliance at Payment Processing Inc. in Newark, Calif. To contact him, please call 510-795-4977.

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 1, or
