The Green Sheet Online Edition
October 14, 2013 • Issue 13:10:01
Does checkbox PCI compliance leave MSPs exposed?
At the conclusion of a recent court case involving an Internet retailer's cardholder data breach, the financial losses - including legal and forensic fees, card brand fines, and cardholder losses - totaled more than $500,000. Surprisingly, an ISO and a third-party information technology (IT) company, not the merchant, were found liable in the settlement. The ruling: negligence and breach of contract.
This case concerned "checkbox compliance" in completing the Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ). The merchant presented evidence that the ISO it engaged served as the merchant's adviser for the SAQ process and that the ISO had incorrectly pre-populated SAQ items.
Furthermore, the third-party IT company had also supplied erroneous responses for other segments of the SAQ. The flawed SAQ, which stated that controls were in place when they were not, led to a breach of data from nearly 25,000 payment cards.
Unfortunately, such court cases and outcomes are fairly common. Pressure to quickly complete (and pass) the SAQ process can lead ISOs, acquirers and other merchant service providers (MSPs) - and their merchant customers - to take shortcuts that expose everyone involved to the risk of undiscovered, unmitigated security flaws that data thieves are adept at exploiting.
Making it simple for data thieves
It's easy to see why merchants dread the PCI SAQ. With pages of questions on a complex and unfamiliar topic, it is very tempting to simply "check the box" and move on. ControlScan's annual study of small merchants' payment security awareness shows that businesses have a history of relying upon their service providers for help in attaining PCI Data Security Standard (DSS) compliance.
And MSPs want to assist by guiding their merchant customers through the arduous SAQ process. A speedy PCI compliance validation process builds relationship value between the MSP and merchant, because related hassles and fees are reduced.
Checkbox compliance, however, is a short-term solution that can create serious long-term problems. With each consecutive instance of checkbox compliance, merchants move further from the baseline security practices outlined in the PCI DSS. Hackers and data thieves utilize automated tools to seek and exploit the security holes these businesses typically leave behind.
The situations leading to checkbox compliance are numerous. In some cases, it results when confusion exists regarding which SAQ form to choose, or when merchants default to answering "yes" because they don't understand the intent or direction of the questions being asked. When an outside party completes all or part of the SAQ for a merchant, but has insufficient knowledge of the merchant's payment infrastructure to provide accurate responses, checkbox compliance is also said to have occurred.
In its 2012 Data Breach Investigations Report, Verizon Wireless noted that 96 percent of breach victims it studied were not PCI compliant and that noncompliance served as a "major factor" in compromise events. In addition, Verizon reported that "most breaches were avoidable … without difficult or expensive countermeasures." Knowing this, it's easy to see why checkbox compliance does nothing but disable merchants' defenses and enable data thieves' entry.
When MSPs ensure that merchants within their portfolios dedicate the appropriate time and resources to properly completing the SAQ, the instances of PCI noncompliance decrease; consequently, so does the risk of data breaches.
Populating the SAQ with accurate information also provides documentary evidence of the merchant's commitment to the PCI process. Conversely, if merchants choose to rush completion, or half-heartedly address the SAQ, that, too, will document the nature of their involvement, which may prove important in the event of a breach and subsequent legal proceedings.
Shifting blame to MSPs
Regardless of who is involved in SAQ compilation, merchants and their MSPs are jointly responsible for ensuring that questionnaires are completed accurately and that system and process updates are performed as dictated. If merchants fail to live up to their end of the bargain, fair or not, their MSPs may be held fully responsible for any breach-related losses.
In another case, a Level 4 restaurant merchant sued its payment processor and POS systems integrator for negligence, claiming the restaurant was an unwitting victim of checkbox compliance that led to a breach of just under 35,000 credit card numbers. The business completed an SAQ D in both 2007 and 2008 as "compliant," yet it had numerous undetected PCI violations, including unsecured remote access, default passwords and an unprotected legacy system left in operation during, as well as following, the implementation of a new POS system.
What went wrong? First, the systems integrator that had recently installed the restaurant's new POS system provided the business with generalized SAQ responses that didn't match the merchant's IT environment. In addition, the merchant's payment processor pre-populated portions of the SAQ, and those answers no longer aligned with the new POS system the restaurant had implemented.
Since the processor and integrator played a critical role in assessing flawed PCI compliance as faultless, the court ruled in favor of the merchant and "shifted" liability to the processor and integrator. The case settled out of court for approximately $750,000.
Tackling educational challenges
The SAQ is far more than a one-time test; it's an invaluable tool, designed to help merchants better understand the PCI DSS, pointing them in the right direction so they can regularly and critically evaluate their security controls and identify areas for incremental improvement.
For small merchants, the PCI DSS may be the only information security-related discipline they encounter. By not taking the time to understand their own environments so as to complete SAQs accurately, or by not reviewing and discussing the SAQ-related information provided by others, merchants miss out on the benefits that result from proactively assessing their own state of PCI compliance.
Ensuring that the appropriate defenses exist and attaining PCI compliance require education and awareness of threats. Ignorance will provide neither MSPs nor merchants with immunity.
Partnering for a win-win
When a forensic investigation is performed following a breach event and the systems and controls in place are not consistent with the merchant's most recent SAQ responses, every business entity that touched that SAQ comes into question.
As trusted merchant advisers, MSPs must move away from a one-size-fits-all approach to their merchants' SAQ process so that the risks of unidentified and unaddressed security gaps are mitigated. Assisting merchants with their SAQs or even pre-populating certain items is not bad in itself; however, MSPs should conduct due diligence to verify that the responses they are providing align with merchants' current environments.
MSPs can further minimize their liability by clearly outlining security-related expectations and responsibilities in their merchant agreements, as well as facilitating regular, multichannel merchant communications and targeted security awareness training.
Despite what may initially appear to be an uphill battle, it is possible for MSPs to effectively educate and equip merchants with the information and resources they need to achieve true PCI compliance and complete their SAQs to reflect that achievement. In doing so, MSPs empower merchants to control their own security processes and grow in their awareness and understanding of PCI controls. What's more, MSPs avoid the costly mistake of enabling false-positive answers that could come back to haunt them in court.
Chris Bucolo is Senior Manager, Security Consulting at ControlScan, which delivers secure payment solutions to a global network of merchant service providers and the small businesses they serve. He can be reached at email@example.com.