Any retailers still unsure whether their data security standards can pass muster now have a new way to see how safe (or not) customer data really is.
The Payment Card Industry Council has published a detailed set of “self-assessment questionnaires” for small and medium-sized retailers, who typically aren’t required to have their data security reviewed by outside auditors. The guidance addresses hundreds of scenarios; according to the PCI Council, it will go a long way to simplifying the self-assessment process for merchants and security consultants worried about PCI compliance.
The self-assessment questionnaires (known as SAQs) first divide merchants into broad categories. SAQ A, for example, is for retailers that keep payment data off-site; SAQ B is for those that use dial-up terminals to a computer network, and SAQ C applies to those who operate Web-based sales systems. As a merchant selects his or her answers, new questions arise that are more focused on those particular circumstances.
Still, the new PCI guidance doesn’t answer a question that has long vexed compliance executives: How useful can security standards from an industry trade group really be, when Sarbanes-Oxley and many other laws spell out their own expectations on the topic?
Since late 2005, Visa, MasterCard, and other credit card giants have been the sole arbiters of standards with the nonprofit PCI Council offering the guidance. But given the data storage considerations, convoluted processing routes, and multiple entities viewing and manipulating data through the life of a given transaction, consultants and merchants find PCI compliance daunting. One telling statistic from the National Retail Federation: Overall compliance readiness for most small and mid-sized retailers was only at 43 percent as of Sept. 30, 2007.
Christian Phillips, chief security officer at Regulus, a transaction processing and remittance service provider, contends that the problem with current PCI standards, still less than two years old, is the lack of uniformity. HIPAA and SOX security reviews, he adds, have guidelines already vetted by government entities and an easier compliance roadmap to follow.
The controls structure under PCI “is like a large pile of Jell-O,” Phillips says. “You’ve got certain controls that—based on our level of transactions—have to be assessed by a third party. There’s not necessarily clarity, and as someone in charge of overseeing benchmarking of several sets of controls, I can’t predict what Visa or MasterCard will ask us to change or what appliances and software will be in compliance one moment and out the next.”
He adds that the risks faced by merchants, acquiring banks, and consultants alike are not in line with the punishments—which include fines of up to $50,000 for banks and in the case of merchants, the inability to accept cards.
Glenn Boyet, spokesman for the PCI Security Standards Council, is quick to stress that his organization is not a government agency, and he defers questions about PCI regulation to the credit card companies. He says the initial goal is to align the new SAQs with Version 1.1 of the data security standards first released by the PCI Council in 2005.
“We do have different levels of merchants, and what we’ve done is that we tried to align these standards for merchants of different sizes and shapes,” he says. “If you’re a merchant that only does basic rudimentary processing, you don’t need to answer 207 questions.”
The new questionnaires apply to what the PCI Council has designated as Level-2, -3, and -4 merchants. Most merchants are Level 2, with 1 million to 6 million annual credit card transactions. The new measure appears to be comprehensive enough for clarity, but observers say its emphasis on addressing the needs of a wide swath of industries is both a blessing and a curse, because credit card companies still have the last word.
Michael Weider, director of security products at IBM Rational—a qualified security auditor for merchants and third-party payment processors—concedes that security environments would be a lot more sound with an objective third-party setting the rules, such as a regulatory body not motivated by profit or the whims of the market.
“What [the Council] is trying to do is balance the goal of security with the annoyance of cost,” Weider says. “It’s a situation where if standards are too onerous, no one’s happy, but if it’s not stringent enough, there’s no viable infrastructure.”
Weider, like many others such as the National Retail Federation, is quick to note that readiness varies by industry.
“In financial services it’s a very tight ship, with all types of controls over all aspects of processing,” he says. “In retail, which has been notoriously bad, there are entirely different sets of issues. I think that diversity presents the biggest challenge.”
One stark example of the security breach malaise plaguing retailers is TJX, the parent company of discount clothing store TJ Maxx. Hackers stole 45.7 million customer records from TJX in 2006, the largest such data theft in history. TJX has since become synonymous with how not to handle data privacy, and the breach thrust the problem into the national spotlight.
In November 2007, court records filed in federal lawsuits over the TJX data breach revealed that Visa knew as far back as late 2005 of the extensive security problems there, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008. That, critics say, was likely due to the high volume of credit card processing that Visa stood to gain from.
TJX is not an aberration. For most of 2007, roughly one third of Level-1 merchants (large vendors who deal with more than 6 million transactions annually) failed to comply with PCI security standards nearly a month after set deadlines passed.
“In the case of TJX it might have been good for a government entity to step in but the [card] companies otherwise appear to be doing a decent job policing the industry,” says Michael Gavin, a security strategist at Security Innovation, a consulting firm that conducts annual and quarterly security audits for its PCI clients. “Companies are in a difficult position because right now it’s either you comply or don’t accept credit cards. I think the key here is to eliminate the low-hanging fruit, meaning the points of entry or vectors for fraud that are just obvious.”
Is Self-Assessment Enough?
While Sarbanes-Oxley moves back toward the self-assessment model in its audit and security reviews, the self-policing nature of PCI compliance—especially the storage of data—still presents a vexing proposition for retailers in particular.
In a letter submitted to the PCI Council late last year, National Retail Federation CIO David Hogan noted that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. He argued retailers should have a choice as to whether or not they want to store credit card numbers at all.
“Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place,” he wrote.
Visa even admits the problem exists, although it has no clear solution right now. Eduardo Perez, vice president of payment systems risk at Visa USA, told Compliance Week in a recent interview that the best solution as a merchant is “not to store data.”
Meanwhile, as all parties await more guidance and clearer oversight provisions, Steve Sahl of the security-consulting firm the Barrier Group, says merchants must, well, play the cards they have.
“Self-assessment may not be enough, but self-preservation is,” Sahl says. “The merchant’s greatest asset, his market reputation, is at stake. As it stands, merchants must recognize that there is no greater duty than to protect customer data. His business is truly dependent upon it.”
Chris Schwartzbauer, vice president of field operations for IT security firm Shavlik Technologies in St. Paul, Minn., also doesn’t believe self-assessments are sufficient. He says greater checks and balances are needed.
“Self-assessment could be enough to demonstrate compliance with PCI on paper, but most organizations do not have enough expertise to stay on top of [regulations] and measure scenarios to settings of best practices and proof of due care,” he says. “What we have to remember is that the PCI Security Standards Council is still in its infancy. But we are still finding that PCI is one of the greatest drivers for increased security. It has been a larger driver than even Sarbanes-Oxley, so serious commitments to secure environments must continue.”