The Green Sheet Online Edition
September 08, 2008 • Issue 08:09:01
PCI vendors: Welcome to the jungle
With the Payment Card Industry (PCI) Data Security Standard (DSS) and the Fair and Accurate Credit Transactions Act of 2003 becoming increasingly critical, data security solutions are morphing in status from easy to ignore to business and legal necessity.
For many ISOs and merchant level salespeople (MLSs), this means being exposed to a strange new world of technical gibberish and a crowd of security vendors fighting for attention. But which solutions do you need? Which vendors are right for you? What's the right strategy for tying together all these different products?
Fortunately, grasping a few key ideas can help you adjust to this new world and avoid wasting money on solutions that do not meet your needs. This article focuses on the PCI DSS because it is now the dominant compliance issue for most ISOs and MLSs.
The first step for anyone exposed to PCI requirements is to understand at a high level what types of solutions are available. This is relatively easy because there are only a few main types of PCI compliance vendors, and knowing their strengths and weaknesses is critical to understanding what they can - and cannot - do for you.
The solutions available today are a direct response to the requirements put in place in the first days of the PCI DSS. The card Associations decided to start enforcement with the easiest targets: the large merchants that either had in-house experts or could afford consultants.
These large merchants were required to get annual on-site audits from consulting companies that had been trained and certified as Qualified Security Assessors (QSAs). Because of this enforced demand, an entire industry of QSAs quickly emerged and still thrives today.
The other type of solution that grew out of initial PCI enforcement has been the Approved Scanning Vendors (ASVs). These companies are certified to conduct network scans of merchant Web sites and applications to identify software or network problems that might expose cardholder data.
While the quarterly scan requirement is critical, passing such a scan does not mean a merchant is PCI-compliant: It just means one of many requirements has been met.
This world of QSAs and ASVs was never perfect, but it was well-suited to the early days of PCI with its focus on larger merchants. Unfortunately, as the emphasis has moved to smaller merchants, earlier solutions have lost much of their effectiveness because small merchants have very different needs and problems.
Small merchants' issues with QSAs revolve around cost: The average engagement cost for a QSA is around $20,000 - far more than small merchants can afford. (The PCI Security Standards Council, established in 2006, recognized this, and smaller merchants are not required to use QSAs. The QSA's role is essentially replaced with the annual completion of a Self-Assessment Questionnaire.)
Additionally, a QSA's core business is typically based on big-company customers (either large merchants or entities such as acquiring banks), and it is almost impossible for these companies to simultaneously pay proper attention to a modest-sized ISO or small merchants.
The primary issue with ASVs is the same as always: their services are necessary for many merchants, but they only address a small part of the overall PCI-compliance burden and leave many other requirements completely untouched.
Because of these issues, neither QSAs nor ASVs are practical solutions for a key problem facing ISOs and the small merchants they serve: lack of expertise on security matters, which impedes their ability to understand and fulfill all applicable PCI obligations.
Of course, there is an enormous security industry beyond PCI, and thousands of security vendors exist. Most offer point solutions: products that address a specific, narrow security requirement (such as firewalls, antivirus applications, encryption and so on), and many such vendors use PCI as a way to market their products.
This means ISOs rarely need to worry about a lack of solutions. In fact, the opposite is true. The main danger is confusion and crowding. An ISO's first priority should be to find an impartial security partner to help navigate through the maze of acronyms and technical details, since it is dangerous and inefficient to get caught up in premature conversations about specific solutions without the right supporting framework.
Additionally, all too often, point solution vendors give the false impression that they "solve" PCI. This might be good short-term marketing but is completely inaccurate. The PCI requirements are so broad and cover so many different issues that they cannot be solved with a purely technical product (particularly since PCI covers many "soft" issues around policies, procedures, training, physical security and so forth).
Here are five things to remember when talking to security vendors:
- If your merchant portfolio contains significant numbers of small merchants, most QSAs will be unsuitable because of high, fixed costs and the types of customers they focus on. Some QSAs will make an effort to seem suitable, but you need to check to make sure their services would be more than just cosmetic.
- Small merchants in particular need low-cost solutions. Look for solutions that use technology to achieve high scalability and efficiency. For example, solutions using software-as-a-service tend to be much lower-cost than consulting-based solutions.
- Don't be fooled by someone with a narrow technical solution offering a "silver bullet" designed to solve all your PCI problems. The PCI DSS is too broad for that to be possible, and this sort of marketing is indicative of snake-oil salesmen. Good questions to ask are, "What about the policy and procedure requirements of PCI?" and "How will my merchants even understand the questions they're being asked by the SAQ?"
- Many vendors offer point solutions to specific security problems, but there is a bewildering crowd of competing vendors and solutions. First, form a relationship with a trusted security adviser before getting into conversations around technical specifics.
- For most merchants, and even most ISOs, the fundamental problem is a lack of expertise regarding security and compliance. If you find a security partner who can provide you and your merchants with the needed assistance and expertise, the technical details will fall into place fairly easily.
While old-style compliance companies are struggling to address these issues, a new generation of security companies is emerging.
These companies concentrate on providing compliance expertise and solutions to ISOs and their merchants, but they avoid the costs of QSAs by leveraging technology such as expert systems and the Web.
Their offerings typically do not compete directly with either QSAs or ASVs; they provide a broad range of services and solutions specifically targeted at ISOs and smaller merchants.
By partnering with such a company, and by keeping the above points in mind when working with other compliance vendors, ISOs and MLSs can greatly diminish the burden and expense of PCI, leaving them free to concentrate on their core business.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.