The lack of any major changes to the newest version of the Payment Card Industry Data Security Standard, released Oct. 1, was good news for an industry that has worked hard to develop security standards everyone can live with–if contentiously at times.
But that does not mean merchants, banks, processors, payment-product vendors or anyone else along the card-transaction chain should relax on their PCI-validated laurels. Much work remains to defeat wily and adaptable data thieves, experts say.
Moreover, despite the vast improvement in PCI compliance among card-accepting merchants around the world, a small number of merchants may be withholding information about possible network insecurities from the organizations they hire to improve their PCI compliance. That is according to an industry expert conducting anonymous interviews about PCI security with merchants and qualified security assessors.
First the good news: As of Sept. 30, 87% of Level 1 merchants–those that accept more than 6 million Visa transactions per year–had been validated PCI compliant in their acquirer's most-recent assessment, according to Visa Inc., which tracks PCI compliance of merchants that accept its cards under its Cardholder Information Security Program.
Among Level 2 merchants on Visa's radar–those that accept 1 million to 6 million Visa transactions per year–86% were validated PCI compliant.
And among Level 3 merchants–those that accept 20,000 to 1 million e-commerce transactions per year–57% had validated compliance.
But PCI validation is not a guarantee a merchant is following all PCI rules, says David Taylor, a consultant and founder of the Web site PCI Knowledge Base, a clearinghouse of PCI-related research and commentary.
This fall, PCI Knowledge Base researchers conducted some 300 hours of interviews with more than 300 merchants, payment-services vendors, merchant acquirers, processors and qualified security assessors. PCI Knowledge Base promised anonymity to participants.
Some 5% to 10% of interview subjects said they had withheld some information from their PCI security assessors that might have hurt their PCI-compliance validation, Taylor estimates. Or they had discovered new information after the assessments were completed that they did not report.
Levels Of Trust
"It's not easy to get people to talk about this. We're asking people to tell us things that they're not telling their assessor," Taylor says.
U.S.-based Trustwave Holdings Inc., one of the largest providers of PCI-related services, including qualified security assessors, declined to comment for this article.
So did Verizon Business Security Solutions, which acquired PCI security assessor and breach investigation firm CyberTrust in May 2007.
The level of trust varies between merchants and third-party PCI assessors, Taylor says. "Some merchants and service providers regard assessors as their buddies: They're here to help. Some merchants and service providers regard assessors as auditors: They don't work for your company, so questions not asked don't get answered," Taylor says.
In other cases, questions and suggestions from third-party assessors meet an inappropriate level of pushback from merchants, according to the interview response of one internal security auditor employed by a Level 1 merchant.
"One of the problems that I've seen at both my current and former organizations is that some PCI auditors can be pushed around, even manipulated, by their customers," the internal auditor told PCI Knowledge Base. "While I sometimes argued with our current auditor, Computer Task Group, I saw management really manipulating Trustwave to limit the scope of the assessment. As an internal auditor, this really concerns me."
'Sin of Omission'
But many of the qualified security assessors Taylor and his colleagues interviewed anonymously said they often sense when a merchant or other entity is not being completely forthcoming.
"We know that some companies are just producing the log reviews for our audit," one PCI assessor disclosed. "We don't tell them that we think they are lying to us because, in the end, they are the companies who are taking the risk with their data."
Bob Russo, general manager of the PCI Security Standards Council, is amazed that anyone would admit, even anonymously, to withholding information from qualified security assessors during a PCI-validation assessment.
"I find it incredible that anybody would lie to an assessor about this," Russo says.
"Lie" might be a bit too strong a word in most cases, according to Taylor. "It's more a sin of omission," he says.
Some merchants told Taylor they discovered PCI violations, such as unprotected spreadsheets or files with prohibited information, after PCI assessments or audits. "People have told me they found them later but didn't go volunteering that information," he says.
Others treat PCI assessments like any other audit, providing only the information an assessor requests and no more, Taylor says.
"They don't want to unnecessarily burden their team with answering questions about something that their assessor hasn't figured out to ask, and some assessors are more thorough than others," he says.
Some companies that provide qualified security-assessment services also sell merchant-security products, Taylor adds. So some merchants may be coy simply to avoid a sales pitch, not because they are trying to hide some problem that might make them noncompliant with PCI rules, he says.
Assessor Help
For whatever reason, lying to a PCI security assessor, whether by fabrication or omission of information, is not in a merchant's best interest. That is because assessors can help merchants find appropriate solutions to PCI-compliance problems, but only if they know about them, Russo says.
"If you're having trouble complying because you're doing something in a different way, you should talk to your assessor," Russo says.
Taylor agrees. He understands the difficulty merchant information-technology professionals face in trying to procure funding for security upgrades from upper-level managers who often do not understand the need to budget time and money for continual payment-system security monitoring and upgrades.
But, Taylor adds, noncompliance with PCI is a serious matter.
The updated Version 1.2 of the PCI standard includes a few moderately significant changes. For example, anyone handling card data must replace existing wireless connections that rely on Wired Equivalent Privacy, or WEP, encryption with more-secure wireless connections by 2010. But most of the PCI update this time around involves tweaked language, not a major edit.
The lack of major changes to the latest version of the PCI standard has wrongly led to "a tone of relaxation" among some merchants, processors and acquirers, according to Taylor. But instead of relaxing, merchants should "take advantage of the fact that it's not a major release to go back and fix the stuff you didn't do right the first time," he says.
Whatever merchants may privately confess about their security shortcomings, there is no disagreement about the need for every entity that touches payment card data to keep it safe.