Advanced Data Encryption For PCI Compliance In 'Transitional' Stage

SCOTTSDALE, Ariz.–Merchants generally welcome the new industry guidance and requirements for securing payment card data through advanced data encryption, but many questions surround the specifics of prospective products and their implementation, say attendees at the PCI Security Standards Council's annual meeting, which concludes here today.


Card networks and technology suppliers generally are pleased with the speed with which the PCI council is addressing the most urgent questions surrounding advanced data security, Liberato De Veyra, vice president of emerging technologies at payment network JCB, tells PaymentsSource. The council announced its advanced data requirements earlier this month (see story).

"We're in a transitional stage on (advanced data encryption)," De Veyra says. "The requirements may be most challenging right now to Level 4 merchants (those that process fewer than 1 million Visa transactions and 20,000 transactions online annually) that are looking for ways to reduce their PCI compliance costs. The problem is that they don't know exactly how to adapt their existing systems to approved products (for advanced data encryption)."

The PCI council this month is beginning the process of creating testing procedures to validate various advanced data encryption products, Bob Russo, council general manager, said in an interview.

The council subsequently will help ensure that qualified security assessors are trained in validating them and eventually will list approved advanced data encryption products on its site, Russo says. "It's still early in the process, but the council is actually moving rather quickly from last year, when point-to-point encryption was just a concept, to where we are now," he says.

Defining specifications around data tokenization is another near-term challenge, Russo said. "There are probably 20 or 25 different ways of handling tokenization, and there are no standards for it at the moment. There will be a to-do list based on questions arising at this meeting," he said.

The PCI council's decision this year to create a new category of meeting attendee, the Internal Security Assessor, has been "really exciting," Russo noted. "The rise of these people inside organizations that act as liaisons with vendors and others for PCI compliance is turning out to be one of the most interesting new developments within our organization. Its members have asked us to create a portal for them, enabling them to continue sharing information year-round."

Various other PCI-compliance challenges persist for vendors of payment-security products and services and for merchants, attendees say.

The process of validating data for certain merchant clients is becoming increasingly complex because of changing policies within the companies that store, or host, merchants' card data, according to Donald Creary, senior security networking consultant with Digital Resources Group, a qualified security assessor whose Redwood City, Calif.-based company provides broad consulting services to the payments industry.

"Data-center hosting companies increasingly are introducing their own risk policies and new services that are making it harder (for us) to execute PCI requirements involving physical access to the locations where data is stored," Creary said. "Barriers include restrictions on when we can get inside these locations, who accompanies us, and how much time we can spend there, which raises barriers to doing our job and ultimately will cost the client (merchants) more."

The need for PCI compliance has never been more acute, but the barriers to entry for those providing related software and new technology are rising, Rick Evans, PCI compliance director at Newark, Calif.-based Payment Processing Inc., which services a diverse range of merchants, told PaymentsSource. "It is increasingly complex to develop products that help merchants comply with PCI, and even in light of emerging new standards, it actually seems at times as if there is more ambiguity than ever about what exactly is the best and most efficient path (for merchants) to pursue in order to become PCI-compliant," he said.

And smaller merchants continue to be among the most likely to face difficulties in adopting PCI compliance, Eduardo Perez, global head of payment system risk at Visa Inc., told PaymentsSource in a Sept. 21 interview at the conference. Perez is also chairperson of the PCI council's executive committee.

"A very small proportion of small merchants are victims of data compromise, but the vast majority of compromises are concentrated among those (Level 4) merchants," Perez said.

Data breaches "are often occurring in the hospitality industry," particularly among hotel or restaurant chains with just a handful of locations, Perez said. The reason is that once criminals find a way to compromise a small merchant's data, "it is relatively easy then to exploit that same vulnerability at the merchant's other locations."

Such smaller merchants, whose resources often are stretched thin, often outsource PCI compliance to a third party that fails to properly implement data-protection technology, Perez suggested.

"In many cases the installer or reseller of the data-security solution didn't install it properly in the first place," Perez said, noting that in a surprisingly high number of cases, installers left an easily discovered default password in place when installing the application. "It's fairly easy for hackers to learn a default password, and yet in many cases, that's exactly what merchants have in their systems."

The PCI council's best-practices documents provide detailed examples to help merchants and vendors avoid some of the most common mistakes that leave merchants' card data vulnerable, Perez noted.
