The Green Sheet Online Edition
August 08, 2011 • Issue 11:08:01
Taking PCI seriously
Payment Card Industry (PCI) Data Security Standard (DSS) compliance has been relatively slow-moving in some ways. In the last seven years we've seen the economy ride a roller coaster, multiple technical innovations (tokenization, mobile payments and so on), and a few revisions of the standard, but as an industry force, it's been more of a threatening cloud than something completely real on the ground.
Some may argue with that opinion, or call it vague, but even today there are ISOs who have dealt with PCI compliance thus far by simply ignoring it. Also, confusion and misinformation still proliferate regarding the scope of PCI or what a PCI program really has to achieve.
That isn't what you'd expect with a program that has been successfully driven from theory to widespread practice. There are signs that all this is changing, though.
Stepped up PCI enforcement
One looming change is that we are now seeing real signs from multiple sources that the payment brands are planning to ramp up noncompliance penalties imposed on merchants (as opposed to penalties only in the case of actual breaches).
This will fundamentally change the economics of PCI for ISOs, processors and banks, as well as bring to light in visible and painful ways the shortcomings of some PCI programs.
ISOs and other portfolio owners need to be aware that solutions that worked yesterday may not work tomorrow. Some PCI solutions were viable in the past because until now, almost any PCI program, even one that achieved almost nothing, counted as good enough and did not attract meaningful penalties or risks.
However, if portfolio owners are fined for poor compliance rates, the low-cost, low-results balance will break down, and the savings from low-cost programs will be swamped by the new downside of inadequate results.
In this case, I expect a shift will occur in the industry away from minimalist programs and toward those that are more feature-rich and more able to deliver results by driving compliance rates upward.
The cons of minimalist programs
The five areas where minimalist PCI compliance programs perform poorly include:
- Failure to help merchants lacking expertise
Despite the efforts of the standard-writers, the PCI self-assessment questionnaires (SAQs) include a number of questions that, for the average merchant, may as well be written in Swahili.
Putting questions about network topology or post-authentication encryption on a web page does nothing to make the actual content of the questions easier to understand, and merchants will continue to stall and fail unless they get some sort of active assistance.
- Lack of direct merchant support
A number of ISOs figure they already have a direct relationship with their merchants and don't need to add an additional support system just for PCI. The problem with that idea is that PCI is not more of the same from a support perspective; it needs support based on expert knowledge of the PCI DSS.
Furthermore, the support system for PCI needs to be tightly integrated with the merchant experience of working through the SAQ; the program should not be stand-alone or separate.
These first two notions can reinforce each other in ugly ways: a program that doesn't help merchants avoid problems and doesn't provide proper support is a guaranteed way to create angry merchants looking for someone to blame.
- Inaccurate or incomplete reporting
Low-cost programs need to push merchants through the process and out the door as quickly as possible, but that doesn't work properly for the security issues integral to PCI. A number of low-cost programs being peddled today do not endeavor to fully and accurately assess the merchant's compliance state; they concentrate instead on minimizing the effort that goes into the program.
This exposes the portfolio owner to a significant, systemic risk because when the inevitable merchant breach happens, the audit that ensues will reveal that the compliance rates being reported are largely fictional. And as PCI is taken more seriously, there is a greatly increased likelihood that this will trigger fines and penalties to the portfolio owner in addition to painful and expensive ongoing oversight.
- Making the program passive, not active
PCI isn't just about putting merchants through an assessment; it's about fixing the problems discovered (what security professionals call "remediation"). However, the passive assessment phase is the easiest part of the process, and far too many vendors are doing only that part.
They are doing the equivalent of taking their partners and customers a half-mile down the road and then abandoning them.
As PCI becomes more systematically enforced and more results-oriented, it will be all the more important to make sure your PCI program can effectively provide merchants the solutions they need to fix their problems. A critical part of that type of initiative is the ability to efficiently reach out to exactly the right subgroups of merchants, at exactly the right time, and communicate directly to them.
- Having a one-size-fits-all program
A key part of creating an active PCI program is realizing that before you can take action, you need the right information to tell you what needs to be done. Portfolio owners must have detailed, real-time insight regarding what is going on - from an aggregate level all the way down to the individual merchant level.
As PCI compliance programs come to be held to an increasingly higher standard, they are going to need to avoid all of the pitfalls just mentioned. Some of the low-end solutions in the market may mature to meet more stringent expectations, but it is likely many will stall under the weight of their technical limitations.
This will lead some to become magnets for noncompliance fees, which will contribute to a further maturing and clearing out of the PCI vendor space. This instability is another reason ISOs should be increasingly suspicious of the low end of the market and embrace the reality that PCI is being taken more seriously and deserves an equally earnest response on the part of all those involved in compliance efforts.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.