The Green Sheet Online Edition
April 28, 2008 • Issue 08:04:02
PCI: Is it working?
The Payment Card Industry (PCI) Data Security Standard (DSS) is complex. It includes 12 requirements and more than 200 subrequirements covering topics from technology to general security practices. And it has spawned a compliance consulting market to assist merchants who are having difficulty making heads or tails of the requirements.
The ultimate goal of the PCI DSS is to ensure cardholder data security. But after two years, one question remains: Is the job getting done? Experts disagree on the answer.
False sense of security
On Feb. 27, 2008, East Coast supermarket chain Hannaford Brothers Co., reportedly a PCI compliant business, was notified that an estimated 4.2 million credit and debit card numbers were compromised in a security breach dating back to December 2007, resulting in at least 1,800 cases of fraud. On March 17, 2008, the company posted notification on its Web site.
Carol Eleazer, Vice President of Marketing at Hannaford, said the company believed, by virtue of its PCI certification, that it had the highest standards of security in the retail industry. Until this breach, few doubted that their data would be unsafe once PCI compliance was achieved. The Hannaford case sent ripples of uncertainty throughout the industry.
Michael La Barge, President and Chief Executive Officer of Datassurant Inc., had to personally replace two credit cards as a result of the Hannaford breach. He suspected that although Hannaford believed it was PCI compliant, it probably wasn't.
La Barge said assisting merchants in becoming PCI compliant has reached a state of competitiveness that drives the cost of an audit down and compromises thoroughness. "Some people are buying the paper that says they're compliant, but actually ensuring compliance takes time, and it's not usually a cut-rate deal," he said.
"It's worth spending a little more time and money upfront to be sure that your certification is actually backed by your security systems."
Avivah Litan, Vice President at Gartner Inc., an information technology research company, agreed. "Focusing only on PCI compliance may limit the possibility of fines from acquiring banks, but will do nothing to prevent the much larger costs of a data breach," she said.
So, was Hannaford truly compliant? "Until the forensics are released, it is hard to say if Hannaford was actually compliant or not," said Bob Russo, General Manager of the PCI Security Standards Council (SSC).
"If it turns out they were, then of course, we would act immediately to change the standard to plug that hole," Russo said. "But I don't know of any breach in the last four or five years where the entity was totally compliant. We believe that this is the best standard in the business."
Cost of compliance
Russo compared PCI compliance to stages of grief. At first, merchants are in denial; they don't believe security breaches will happen to them. Then they get frustrated with the cost of becoming compliant, bargaining to use a less expensive - and less effective - tool such as a firewall. Later, after depression (stemming from the cost of new terminals and completed forms) sets in, merchants finally accept they cannot get around PCI requirements.
"Merchants starting a business didn't used to have to think about data security much, but those days have changed," Russo said. "Security has become an integral part of business. And, ultimately, a lot of people are becoming compliant, and they are protecting their business."
The process of formatting an already functioning business to be PCI compliant can come with a hefty price tag. "It is much easier to build a system that is PCI compliant than it is to retrofit a legacy system to be compliant," Russo said.
According to La Barge, small organizations may feel that reaching compliance costs more than it does for large organizations. "But in the end, the cost of not being secure can be far higher," he said.
Litan said the average cost of compliance varies depending on the size and complexity of the businesses, and type of technological system already in place. The average spent on assessment is $175,000; all other related expenses can add up to $1.7 million.
Some recent changes to regulations are designed to make compliance easier for smaller merchants. For example, the Self Assessment Questionnaire (SAQ) version 1.1 replaced a one-size-fits-all form that forced small businesses - such as dry cleaners using dial-up or imprint machines - to address security requirements for levels 2, 3 and 4. The updated SAQ has questions specifically applicable to smaller businesses.
Card-accepting businesses that have not yet begun to demonstrate compliance can use the new SAQs, but those that have started the process must submit SAQ version 1.0 by April 30, 2008.
"PCI was designed with a particular type of large organization in mind, and it's not very flexible," Litan said. "The new SAQs, for example, were a long time coming, but what about all the nonretailer organizations?"
The cost of compliance doesn't fall just on merchants' shoulders. "We [ISOs and MLSs] hold a great responsibility, and it's absolutely essential we protect the data we have been trusted with," said Jared Isaacman, CEO of United Bank Card Inc. "At the same time, I do think Visa and MasterCard have to be conscientious of the various economies that take place within our industry."
Processors and banks that purchase terminals in bulk are often left with machines they can no longer use. Some terminals released only a few years ago are no longer considered PCI compliant.
"There are ISOs, processors, banks and even merchants who have not even had a chance to realize a return on these terminal purchases before the card Associations have presently made them obsolete," Isaacman said. "I believe there should be reasonable notice before terminal compliance mandates are enforced to protect the investments of all parties in this industry."
Cost of noncompliance
Under PCI, if a merchant is noncompliant at the time of a breach, the merchant's acquirer might face fines from the card companies. Further liability might include reimbursements of breach-related costs sustained by issuing banks and credit unions, which could be any fraud losses resulting from the use of compromised card data, breach notification and reissuing cards.
"Under Visa rules, if a merchant is identified as the source of the data breach, direct fraud costs initially borne by the bank can be charged back to the retailer," Litan said. "Visa used to have a safe harbor statement on their Web site, but they've removed it.
"But technically, if a merchant was determined to be compliant, they shouldn't be fined. It would be the responsibility of the bank or acquirer that signed off on the assessment. But, of course, the fine is only one factor in the costs of a security breach."
Gartner estimated that the average cost of a response to a major security breach ranges from $80 to $312 per customer or account.
"In addition to the banks pushing the costs back down to the merchants, the card brands can levy fines, increase the merchant's processing rates, impose additional auditing requirements, and - if the merchant is not already a level 1 as Hannaford was - escalate their ranking to a level that imposes greater requirements," La Barge said.
La Barge added that merchants face gaining a bad reputation in the industry in the aftermath of a breach. "It can be extremely costly," he said.
"I have a handful of clients who are merchants that have run afoul of PCI standards and had security breaches and faced Visa and MasterCard fines in consequence," said Adam Atlas, Attorney and President of the Canadian Acquirers Association.
"The fines are surprisingly large," Atlas said. "As far as I am aware, neither Visa nor MasterCard inform merchants in advance of the precise manner in which fines are calculated so that a merchant could objectively determine the amount they might be fined for any given breach."
According to Atlas, his clients who have been fined were under the impression that the fines were more or less discretionary fees levied by the card Associations. "Apart from being perceived as irrational and unfair, these fines create an opportunity for the Associations to seize upon a merchant with a security breach as a revenue opportunity at precisely the moment when they can least afford it," he said.
This creates "a lack of procedural justice in the fine levying process," Atlas said. Now that both Visa Inc. and MasterCard Worldwide are being publicly traded, for-profit enterprises, he believes the card Associations are interested in making fines for security breaches as high as possible, with no direct correlation to the financial damage caused by the breach.
"I feel bad for any merchant that is landed with an Association security breach fine," Atlas said. "The fines are large and often crippling and without obvious and accessible right of appeal."
Importance of validation
The PCI standards are extremely detailed and can be difficult for MLSs and merchants to decipher. According to Russo, the complexity is both the beauty and the beast of it. "Some other standards like SOX [Sarbanes-Oxley Act of 2002] are so vague that it is hard to know exactly what to do," he said. "When you first look at the PCI standard, it seems like quite a lot. But it is very clear what is expected of you."
When the PCI SSC was established in 2006, it anticipated approximately 50 organizations would join. There are now nearly 500 members, which Russo said helps make the standards some of the best in the industry. "These 500 organizations have a lot of data, and hackers are constantly scratching at their windows to try to get that data," he said.
According to Visa's Cardholder Information Security Program records, 77 percent of the largest U.S. merchants and 62 percent of medium-sized merchants validated their PCI compliance in 2007. Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume.
The number of merchants validating their businesses comes as no surprise, since merchants identified as level 1 between 2004 and 2006 were required to validate by Sept. 30, 2007; those identifying at this level since 2007 have until Sept. 30, 2008. Merchants identified as level 2 between 2004 and 2006 were required to certify by Dec. 31, 2007; those identified in 2007 as level 2 have until Dec. 31, 2008.
Visa began levying monthly fines of $25,000 to U.S. merchant banks and acquirers for their respective large merchants who did not reach the deadline. As of January 2008, Visa is fining U.S. acquirers $5,000 for noncompliant mid-sized merchants.
"Visa will continue to encourage merchants to meet data security compliance requirements and to provide supporting tools and resources," Michael E. Smith, Visa's Senior Vice President of Enterprise Risk and Compliance, said in a statement.
"PCI DSS compliance is designed to enhance data security, which is in the best interest of merchants, consumers and the financial services industry alike."
According to Visa, storing cardholder data is one of the riskiest practices, and more than 99 percent of large and mid-sized merchants have affirmed they do not retain prohibited account data.
However, the Hannaford breach is believed to have occurred while cardholder data was in transmission - not in storage. Still, Litan said while PCI is "an OK standard," it is not enough. "Retailers have to have end-to-end security and need to stay informed on security practices," she said. "But it's not the only answer. From a security standpoint, the banks need to do their own part and not simply put it all on the retailer."
PCI will work if it is implemented correctly, according to Ross Federgreen, founder of CSRSI, The Payment Advisors. But there's an obstacle to overcome: The majority of merchants who complete SAQs have little or no true assistance when dealing with the various issues involved, and they sometimes make mistakes that can turn out to be costly.
"Many of the merchants who have attempted to answer the PCI Self Assessment Questionnaire have fabricated answers simply because they understand that they must answer 'yes' but, again, do not understand what they are being asked," Federgreen said. "What is clearly needed is a system to help merchants through the process in a correct and educational manner."
Russo agreed that educating merchants can be difficult. "All of the acquirers are sending information out to their merchants, but you can send information until you're blue in the face and you still can't make them read it," he said.
Some industry experts say that while the PCI standards are very detailed, understanding the PCI DSS does not mean solid security practices are comprehended.
"Education and ongoing practice of security is paramount," La Barge said. "Compliance is just a snapshot in time. Without actively and continually practicing security, it's all for nothing. PCI is working for those who work diligently at being truly secure and compliant, not just compliant."
According to Litan, the Hannaford breach shows that the focus on end-to-end protection of customer data is "critical for merchants and other card-industry stakeholders."
Although PCI is complex, and adhering to regulations can be costly, most payments professionals don't see an alternative. "It may be an unfair system, but I think we're pretty much stuck with it," Litan said. "Visa doesn't want to risk their brand with their cardholders, and breaches do alarm cardholders. PCI will continue as long as there are security breaches. And there will always be security breaches."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.