PCI Update: Cost, Complexity Still Barriers to Compliance
Interview with Chris Farrow of the PCI Security Vendor Alliance
Q: We are now past the 2007 PCI-DSS deadlines for Tier 1 and 2 banks and merchants. Are we seeing PCI-DSS have an effect?
Farrow: Yes, there has been much more positive awareness by both banks and merchants. There's been much more media coverage on this issue, and all of it adds up to PCI-DSS being a higher-priority focus for these institutions and merchants. That in turn is helping to improve the state of information security across the board. However, there's still a lot of ambiguity and inconsistency in how it is enforced in the industry; for example, the recent settlement with TJX, with banks suing the retailer, and basically the card company industry rolled over on that one. They gave a fine that was very small in magnitude relative to the loss, and in terms of trying to make them pay a penalty or discourage the retailer from making that kind of mistake again -- instead they made them pay an almost inconsequential fine.
This is where the questions about objectivity on PCI-DSS come in, because we're talking about a self-created guideline, self-appointed auditors, and self-appointed enforcement and penalties. So, as long as the card payment brands and the merchant banks continue to have the final authority and say on PCI-DSS and still maintain their business interests, there will be questions of objectivity and whether things are being handed out fairly. Questions include 'Are all merchants being treated the same, and are all banks being treated the same?'
This is one of the reasons why some states have accepted parts of PCI-DSS into law, and the federal governments of the US and Canada are considering it. Even the FDIC, in their updated IT exam, put a section on credit card security in the bank exam itself. Adoption of PCI-DSS into legislation is something we're seeing as a trend going into 2008 and through 2009, until we get those questions answered on the objectivity of PCI-DSS.
Q: What can be done or is being done to improve the effectiveness of PCI-DSS?
Farrow: In the last two years, there have been significant changes made, and they are continuing to be made. First was the creation of the PCI Standards Council. This is where the merchant banks and the credit card companies actually came together and formed a separate body to oversee the PCI-DSS and try to make it more objective. This has been a great organization for driving awareness, improving the whole process and relations, and providing even better training for the qualified security assessors and for their appointed auditors for PCI. Second was the creation and growth of the PCI Security Vendor Alliance. I am on the board of directors of PCI-SVA; we talk to organizations across the industry, and we're hearing from all merchants and banks out there that they need help in getting unbiased information about the technology they need for compliance. When you search the Internet for PCI technology, you'll get thousands of vendors claiming they have a solution. The Security Vendor Alliance was formed to help weed out those snake oil salesmen and to provide good, trusted vendors and a product certification program. PCI doesn't have a "Good Housekeeping Seal of Approval" for products yet, but the SVA is working to get a certification program for vendors to be certified, so the merchants and buyers of these products will know that they've passed certain levels of certification, and that their claims are verified and not just marketing talk. We're at least hoping to weed out the hokey vendors from the legitimate ones, but not looking to provide PCI silver bullets.
Q: There seems to be some confusion about PA-DSS - or the Payment Application Digital Security Standard - and its relationship to PCI-DSS. Can you help clear that up for us?
Farrow: The PA-DSS is something that was just accepted and adopted into a formal standard by the PCI Security Standards Council. Previously they were using the Visa payment application best practices, and what the council is doing is taking the best practices from each payment brand and consolidating them into one set of best practices, now found in the PA-DSS. This is the new standard for payment applications, which do the actual processing of payment data. In many of the data breaches revealed in the past, at least one of the applications that were compromised involved a payment application vendor. PA and PCI are not the same. While both are used to improve credit card data security, they are not directly tied to each other, so passing one doesn't mean you will pass the other. Organizations do have to worry about both.
Q: Can you tell us some of the organizations that are compliant and some who aren't?
Farrow: Unfortunately I can't, and that's a real sticking point in the industry. PCI is different from HIPAA or SOX, which are regulatory matters where there are audits, and information about the findings can be found through the regulatory bodies overseeing those audits. PCI-DSS is quite different. The standards council considers that part of a confidential contract matter between themselves and the merchant organization. So, the only time you hear about someone [is when they have] done well or, more often, who have failed and had a breach. Even then, only when a breach is found by an outside party and the merchant is forced to make an announcement or notify customers is it in the public eye. The Privacy Watch Clearing House keeps the public apprised of these breaches. But right now on the PCI compliance side, the only list that gets published publicly is the approved service providers list for merchants to use. Otherwise, we only hear about it when something like TJX happens. This again goes back to the whole question of objectivity, because there are people who have worked with specific customers and they know there have been breaches, but you'll never see that in the press. It's not an even playing field in terms of disclosures out there. I think we should, for good or bad, publish the names of the companies who pass, and they can use that as a positive: 'See, we passed the PCI-DSS audit. We're safe, we're compliant, spend money with us.' Maybe for those companies who don't pass their audit, this will give them a swift kick to get compliant, because it is a contractual matter. Right now, as it exists, there is nothing compelling the card payment companies, merchants, banks or the standards council to make any kind of disclosure when bad things happen.
Q: It sounds like you see the FDIC adding credit card security as part of its ITRMP questionnaire as a good thing?
Farrow: It actually is a very good step. At least we'll get some visibility on the banking side of things, and so if banks are failing their exams and it is part of their material findings, we'll be able to find out if they're taking reasonable steps for credit card security and the ACH clearing items. This is an extension of changes made when GLBA was passed. They added additional items; for example, last year they added two-factor authentication. The addition of credit card security is a logical step, and I actually think we'll see more government agencies stepping in on this as well. I've talked with several people from the FTC, and they are carefully taking a look at this, because they are chartered to protect consumers. As long as big breaches happen, and there are questions about objectivity, I think you'll see more politicians get involved there, which has positives and negatives as well, because then we'll be mired in unbelievable levels of bureaucracy. One of the nice things about PCI-DSS is its ability to update and evolve as the industry and technology change. If it is totally absorbed by the feds, look how much clarification was needed on Sarbanes-Oxley: with only 100 pages of legislation, they had to create the PCAOB, and thousands upon thousands of pages of guidance just to understand what they really meant in the first place. I am hesitant to see government get involved because it will slow things down a bit, but it would provide objectivity, and if it became a law, then people would take it more seriously.
Q: People continue to struggle with PCI-DSS compliance. In your opinion, why is that?
Farrow: There are many reasons, but there are three main reasons that come up when we're talking to organizations. First, the complexity of IT environments today is growing rapidly, and the management of IT hasn't kept up with that complexity. Before, a company had a few servers and people had a few computers on their desks, and then networks expanded, the prices of computers dropped and everyone from the boardroom to the mailroom was given a computer to use. Now with the addition of laptops, PDAs and wireless, I can work out of the Starbucks across town or even across the country if needed. Trying to keep on top of that, combined with the double-edged sword of the prescriptive nature of the PCI-DSS with its clear guidelines, you're facing a problem. It's very unlike the vague edicts of SOX or HIPAA that say thou shalt have audit controls, and everyone stands around and says, 'What does this mean I should do?' and 'What are the metrics we will be measured by?' PCI-DSS addresses those questions and gives the laundry list of technologies that you will be audited against, and many times organizations will just throw their hands up and give up. They say 'We've got data centers and credit card transactions flying all over the planet, and now you want us to audit and check all of our technology against that list?' Their heads are spinning. And then there's the final element of cost. Cost becomes a major overriding factor in implementing PCI-DSS. For small and medium-sized businesses, this affects them especially because they have no chance of complying with PCI-DSS without spending money. I don't know about other businesses, but I've never met the IT technician at my dentist's office, and my kids' local pediatrician doesn't have an IT staff, but he certainly holds all the medical records and I give him a credit card every time for our co-pay.
Q: So, can consumers be confident their credit card data is more secure than it was a year ago?
Farrow: While we've seen so much press over TJX, we are making progress out there. First, the public is much more aware of the subject. They're tracking their bank statements, checking their balances more often and checking their credit rating. They're paying more attention now; they know what to do if their credit card is stolen and they know what they're responsible for if it is. They know when to use a debit card and when not to use one, so they're becoming much better educated.
Additionally, merchants and the banks are more focused on protecting data than ever before, and the myriad of vendors out there are trying to help banks and merchants better protect the data with better security solutions. There's been a lot of work done so far, but there's a long way to go.
Q: You spoke of cost prohibitions of PCI-DSS earlier. If a company can't budget for PCI-DSS, is the approach of "some" better than nothing when it comes to compliance?
Farrow: I hear from many companies out there almost a defeatist attitude on meeting PCI compliance, but some action is definitely better than nothing. No matter if you're a large organization that goes through a formal audit, or a small one that fills out the self-assessment questionnaire, you have to show some level of due diligence and show that you're making a conscientious effort, know where you're not making progress and document that fact. Playing ignorant of the facts and showing no level of effort is negligence. If you're looking at it from a legal standpoint, turning a blind eye and doing nothing will not stand up in a court of law; someone will file a civil lawsuit and you'll lose a judgment against them.