The Green Sheet Online Edition
July 13, 2009 • Issue 09:07:01
PCI: The merchant experience
The Payment Card Industry (PCI) Data Security Standard (DSS) and related security initiatives demand significant effort and time from ISOs, processors and acquirers, but too many of them are forgetting who is experiencing the real PCI pains: the merchants who form the base of the entire industry pyramid.
Companies that have not fully realized the importance of this are paying the price with inefficient and ineffective PCI programs - and with customer anger and dissatisfaction. Given the current economic environment, this is a dangerous gamble.
It is easy to see why so many ISOs are still struggling with data security issues: PCI is still relatively new and, until recently, was primarily targeted at larger, more sophisticated merchants.
These merchants could look after themselves (either with their in-house security staff or by using consultants), but with attention moving to the millions of smaller (level 4) merchants, benign neglect is no longer a working strategy.
Such smaller merchants simply do not have security or information technology staff, and they cannot afford consultants. They are vulnerable to PCI's challenges in a way that larger companies are not, and it is not surprising they have new and different problems.
A new landscape
Consequently, the industry needs new and different solutions, not just the same services and solutions that worked a few years ago for a very different audience.
There is a need among all merchants for the standard security solutions like data encryption, firewalls, anti-virus capability, network scans, and so on, but these "point solutions" are absolutely not enough by themselves, and focusing too much attention on them early in the process will make things worse.
The reason for this is that the real problem - the first problem - merchants face with PCI compliance is the "expertise gap." Most merchants simply don't know much about security, or even technology, so they don't know if they have a particular security problem.
They don't know which solutions apply to which problems, so they can't determine what a given solution might do for them, whether they need it, where to get it if they do and how to use it once they've procured it.
For merchants in this situation, talking to them about yet another great new security solution is adding to their confusion and pain, not diminishing it. The right approach is to focus first on the challenges and pains of the merchants rather than on available products.
The SAQ challenge
The first concrete challenge for merchants is to identify which of the Self-Assessment Questionnaires (SAQs) they need to complete.
The idea behind the multiple versions of the SAQ is that merchants with a simple card-processing environment and limited exposure to cardholder data only need to complete a short SAQ, while merchants with a complex or riskier setup must complete a more demanding one.
There are good reasons for this differentiation, and it was an improvement when the PCI Security Standards Council moved from a one-size-fits-nobody SAQ to the current scheme with four different SAQ versions. But the move added another procedural step to the whole process.
After assisting many thousands of merchants through this process, it is clear to me that a surprisingly large number of merchants have problems even with this preliminary step and need active assistance at this juncture.
A matter of meaning
Once they have the right SAQ in front of them, the next challenge for merchants is to understand what each security question in the SAQ is talking about.
This is often a big problem because many merchants simply do not have the technical understanding to answer a question like, "[Do established firewall and router configuration standards include] requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?"
Anyone who knows about network security understands this is a perfectly valid question merchants need to address, but that doesn't change the fact that many - or most - merchants simply will not understand what the words mean. This is not some impassable obstacle - they can figure out the meaning of each question in 10 or 15 minutes, but it does have two consequences:
- Many merchants are going to ring up their ISOs to get "expert help," so ISOs who have failed to tackle this problem in advance will find they are paying for it tenfold in terms of portfolio support costs.
- The whole process is suddenly as painful and time-consuming for merchants as dealing with the Internal Revenue Service each year. This will lead to massive portfolio dissatisfaction if they feel that they have been abandoned by their service providers.
For these reasons, it is critical that ISOs and other responsible parties in the processing chain put together preemptive programs to help their merchants. Doing so saves them and their merchants time and money while also protecting their portfolios.
The remediation plan
After merchants work through the "security questions" part of their particular SAQs, they need to put together a remediation plan to deal with their failures (and the real-world evidence makes it clear the majority of merchants will have multiple failures).
Having a remediation plan with timelines is a required part of the new SAQ program and is a sound idea for security and compliance. However, putting together a proper remediation plan demands even more security knowledge than answering the initial questions does. It has been my experience that all merchants need help in completing this step in the process.
A time to act
The next step is to move beyond the paperwork and take some real-world security measures. For many merchants the first task at this stage is to obtain an external network scan from an Approved Scanning Vendor (ASV); Requirement 11.2 makes quarterly ASV scans mandatory for merchants whose SAQ covers Internet-facing systems, and a passing scan report is submitted with the SAQ.
Even though this seems simple to technically minded people, to many merchants it is a surprisingly complicated and time-consuming task.
Modern networking equipment and services have matured to the point where most people never deal directly with the Internet Protocol Suite (TCP/IP). When you start talking to merchants about public versus private IP addresses (that is, which of their addresses an outside scanner can reach at all), let alone the finer points of network architecture, you are guaranteed to generate many questions and requests for assistance.
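The public-versus-private distinction above is exactly the triage an ISO's support desk ends up doing by hand. The helper below is an added example, not code from the article or from Panoptic Security: it takes the address list a merchant might copy from a router status page or an "ipconfig" printout and sorts it into addresses an ASV can reach from the Internet and addresses it cannot. The sample list, the host roles in the comments and the function names are constructed for illustration; 8.8.8.8 stands in for the merchant's real ISP-assigned public address. The reserved ranges are spelled out in an explicit table (rather than relying on ipaddress.is_global) so the rule set is visible and can be checked against the RFCs cited.

```python
"""Sort a merchant's IP addresses into ASV-reachable and not reachable.

Added example for illustration; assumes only the Python standard library.
"""
import ipaddress
from typing import Dict, List

# Address ranges that are never reachable from the public Internet, each
# with the RFC that reserves it.  First matching entry wins.
NON_ROUTABLE = [
    ("private (RFC 1918)", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("shared/CGNAT (RFC 6598)", ["100.64.0.0/10"]),
    ("loopback (RFC 1122)", ["127.0.0.0/8"]),
    ("link-local (RFC 3927)", ["169.254.0.0/16"]),
    ("documentation (RFC 5737)", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("multicast/reserved (RFC 1112, RFC 1122)", ["224.0.0.0/4", "240.0.0.0/4", "0.0.0.0/8"]),
    ("loopback (RFC 4291)", ["::1/128"]),
    ("unique local (RFC 4193)", ["fc00::/7"]),
    ("link-local (RFC 4291)", ["fe80::/10"]),
    ("documentation (RFC 3849)", ["2001:db8::/32"]),
]

# Constructed sample: what a small merchant might send in when asked for
# "the IP addresses of your systems".  Roles in comments are hypothetical.
MERCHANT_ADDRESSES = [
    "8.8.8.8",        # stand-in for the ISP-assigned public address on the router's WAN side
    "192.168.1.20",   # POS terminal behind the NAT router
    "10.0.0.5",       # back-office PC
    "127.0.0.1",      # loopback, copied straight from an ipconfig printout
    "169.254.10.2",   # APIPA address from a PC that never got a DHCP lease
    "100.64.1.7",     # ISP-side carrier-grade NAT address: looks public, is not reachable
    "2001:db8::10",   # IPv6 documentation address
]


def classify(entry: str) -> str:
    """Return 'public' if an ASV could reach the address or block, else why not.

    Single hosts are treated as /32 or /128 networks so the same subnet test
    works for both hosts and CIDR blocks.  A block that only partly falls in a
    reserved range is reported as 'mixed' so nobody scans it blindly.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    for label, ranges in NON_ROUTABLE:
        for cidr in ranges:
            special = ipaddress.ip_network(cidr)
            if special.version != net.version:
                continue  # never compare IPv4 against IPv6 ranges
            if net.subnet_of(special):
                return label
            if net.overlaps(special):
                return "mixed: " + label
    return "public"


def triage(entries: List[str]) -> Dict[str, str]:
    """Map each submitted entry to its classification."""
    return {entry: classify(entry) for entry in entries}


def external_scan_targets(entries: List[str]) -> List[str]:
    """The entries an ASV can actually be asked to scan."""
    return [entry for entry in entries if classify(entry) == "public"]


if __name__ == "__main__":
    for entry, verdict in triage(MERCHANT_ADDRESSES).items():
        print(f"{entry:18} {verdict}")
    print("ASV scan targets:", external_scan_targets(MERCHANT_ADDRESSES))
```

Run against the sample list, only 8.8.8.8 survives as a scan target; every other entry is the kind of address that generates a support call when a merchant types it into an ASV portal and gets an error or an empty report. The "mixed" verdict matters for merchants who hand over a whole ISP-assigned block: a range that straddles a reserved boundary should be split before it is submitted for scanning.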
The fitting solutions
After all of this, merchants still need to identify which specific products will fix which of their remaining problems and figure out how, where and when to implement them. As with all the issues I mentioned previously, they will need assistance.
The single guiding principle in all of this is that PCI compliance creates many real challenges for smaller merchants, and ISOs and acquirers do not have a choice about whether to deal with this: The real choice is between handling it properly and efficiently or dealing with it ad hoc, which is painful and expensive in the long run.
ISOs need to put together a comprehensive program with in-house security experts and support capable of dealing with vast numbers of small merchants, or they should partner with a security specialist who can do that for them.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.