Another flurry of IT security rules to protect consumers’ credit card data went into effect this month—not that they will be much help to bewildered and frustrated retailers across the country.
As of July 1, PCI Industry Data Standard 6.6 gave merchants a framework to ensure that point-of-sale information uploaded into Web-based applications is protected “from top to bottom,” according to a statement from the Payment Card Industry Security Standards Council. At the same time, the council expanded the list of devices expected to meet its standards to encompass “unattended payment terminals” such as self-serve gas pumps, and certain new types of automated teller machines.
But as deadlines for new standards and announcements of new testing and scope initiatives come and go, retailers and their merchant banks are as confused as ever about what constitutes PCI compliance. Numerous retail businesses contacted by Compliance Week were loath to speak about their compliance challenges, or even about the general state of PCI security standards.
But David Hogan, chief information officer of the National Retail Federation and an outspoken critic of PCI compliance, calls the whole PCI compliance regime “the classic Texas two-step.”
The PCI Standards Council “keeps issuing standard after standard, and merchants are still frustrated,” he says. “You call Visa or MasterCard for clarification of the rules, and they say go to the Council. You go to the Council, and they say, ‘We don’t enforce these rules, that’s up to the credit card companies.’”
Hogan’s core complaint is what he calls the “continued nuisance” of both storing consumer credit card data and periodically testing that the data is secure to satisfy what he and other critics say are unclear standards belonging to a vague framework.
“Trust me when I say retailers spend billions on meeting compliance objectives, and revising and reissuing guidelines isn’t going to stop criminals,” Hogan says. He gives the example of Hannaford Brothers, the supermarket chain that suffered a massive data theft earlier this year; Hannaford was fully PCI compliant and still got hacked. “The bottom line is if retailers don’t have to store [data], hackers won’t go after it,” he says.
In Search of Greater Clarity
Experts say the PCI data security standards take a granular approach to securing data, focusing on the step-by-step flow of cardholder data as it is received and processed in a transaction. A better method, they say, would be a more risk-based approach tailored to individual companies—so that once a company reaches some acceptable level of PCI compliance, it can integrate those efforts with other compliance obligations it might face, such as the Sarbanes-Oxley Act or HIPAA rules to shield health information.
“The most common challenge in meeting PCI compliance objectives is understanding the scope,” says Sumedh Thakar, a PCI specialist at the security consulting firm Qualys. “Most merchants have a hard time defining what is in scope for PCI: which servers, which routers, which locations to cover. Wireless makes it even harder. Isolating data covered by PCI standards is also hard. For example, PCI does not cover other personal information like Social Security numbers, so as PCI gets even more defined in the future, enforcement will increase but so will effectiveness.”
Still, despite the compliance costs, retailers fear the consequences of a data theft, or even of simply appearing to be unsafe, even more. Furious customers might desert the company after a data breach. Equally painful: credit card businesses like Visa or MasterCard might refuse to do business with the retailer or impose steep fines unless the retailer falls into line.
A Cloudy Compliance Picture
Even independent security experts who stand to benefit from PCI compliance consulting admit the need for greater clarity. Kris Lovejoy, director of corporate governance, risk, compliance and security strategies at IBM, compared the problem to consumers’ health information; there, federal HIPAA rules dictate what all hospitals, insurers, and healthcare companies must do to protect personal health data. “I think it’s time a similar uniform code for personally identifiable information was put in place,” Lovejoy says.
The big question, Lovejoy says, is what to protect. “Many organizations I talk to don’t know where to start, or what to do about issues like this, and are stymied by the increasing complexities of compliance,” she says.
Heather Mark of the consulting firm Aegenis Group says the PCI Council’s latest standards are a good start, but agrees that the overall PCI compliance framework may need more uniformity to assure companies don’t create more paper trails than necessary.
Specifically, Mark says, the mishmash of state and federal rules for industry-specific regulation (in this case, the retail industry) can create more confusion than it solves. For example, she says, Minnesota’s Plastic Card Security Act leaves retailers on the hook for any fraudulent transactions. Traditionally, credit card companies have had to swallow the cost of bogus transactions.
Mark added that while Minnesota was early to the game in codifying some components of the PCI standards, Texas, Michigan, Indiana, Florida, Washington, and a few other states are all considering new data security legislation that would mandate portions of the PCI data security standards.
IBM’s Lovejoy seconds that notion, saying that a hybrid solution that combines existing PCI Council guidelines and government statutes would give merchants a better understanding of how they can fit their needs into a workable compliance program.
“What the government could do is work with [the] industry to develop best practices and standards that can create a reasonable assurance of security,” she says. “If they want to work with the PCI Council, then that’s fine, but they need to do something.”
Meanwhile, Hogan at the National Retail Federation is quick to argue that the market should be able to police itself, with issuing banks, credit card companies, and retailers somehow all sharing the risk.
Hogan says he likes the PCI Council’s current system of different levels of compliance for small, mid-sized, and large businesses, “but I think issuing banks can figure out their role in this on their own, and all three parties can share the risks around data integrity without a big overreaching program.”