ISOs Said To Gain Knowledge From Large Merchants’ PCI Compliance Tribulations

A recent study that focuses on Payment Card Industry Data Security Standard compliance among large merchants also is helpful for educating ISOs and the smaller merchants with which they typically work, observers note. ISOs should educate themselves not only about their specific markets but also about all aspects of data security and compliance in the payments industry to better serve their clients and ensure all merchants protect card data, they say.

The study found that only 2% of large, Tier 1 merchants fail their compliance assessments and 98% pass. However, 41% rely on compensating controls to meet PCI requirements, according to “PCI DSS Trends 2010–QSA Insights.” A compensating control is an alternative measure a merchant may adopt when it cannot meet a requirement as written; the standard requires that the control meet the intent and rigor of the original requirement, and a qualified security assessor must review and approve it.

The Ponemon Institute, a Traverse City, Mich.-based research group, surveyed 155 qualified security assessors for the report on behalf of the Thales Group.

A Tier 1 merchant processes more than 6 million Visa transactions annually, and Visa requires qualified security assessors to complete annual reports on compliance for such retailers.

Tier 4 merchants process up to 1 million Visa transactions annually and must adhere to PCI validation requirements set by their acquirers.

While ISOs typically work with smaller merchants, the results of the report can “serve as a body of knowledge they can use to better protect cardholder data” for their organizations and clients, says Kevin Bocek, director of product marketing at France-based Thales. “Merchants of all sizes need to focus on restricting access to cardholder data, whether stored electronically or written on paper,” he says.

Indeed, knowing the state of PCI compliance among many large merchants can enable ISOs “to ask the right questions in contract negotiations and ensure they are partnering with a company that takes compliance seriously,” says Larry Ponemon, Ponemon Institute chairman and founder.

Alternative Compliance Measures

If the assessors were unable to approve alternative measures and had to adhere strictly to guidelines, “there would be a lot more failures reported,” says Ponemon. “The fact that compensating controls are being made to get to compliance means organizations have a lot of gaps that need to be filled,” he says, noting the percentage of merchants using compensating controls was higher than he expected.

Ponemon compares the use of such workarounds to reach PCI compliance to a student who receives a failing grade on an exam, but whose professor then allows the student to take the test home and change the answers to achieve a passing grade.

A classic example of a merchant needing to use alternative measures is when it has older systems unable to meet modern security requirements, says Bocek.

A merchant that has been accepting card payments for 40 to 50 years likely has systems that are unable to use encryption, “so the compensating control there could be other security systems in place that would need to live up and be above and beyond what the PCI DSS might have intended,” he says.

For example, such a merchant may have to place tight restrictions on who can access card data to make up for the missing encryption, says Bocek.

Qualified security assessors are among the most important participants in the PCI compliance process because “when it comes to compensating controls they are the ones that must agree they live up to the specs the PCI standard intended,” says Bocek.

Compliance Costly

More than half of surveyed qualified security assessors’ merchant clients, 54%, find compliance with the standard too costly, while 20% are satisfied with compliance costs, according to the report.

The average cost of an assessment for Tier 1 merchants, excluding technology, operating and staff costs, is $225,000 per year. Ten percent of Tier 1 merchants pay $500,000 or more annually for PCI audits, according to the report.

The report uses information qualified security assessors have learned from their merchant clients to arrive at the percentages.

More than half of large merchants, 52%, are not managing data privacy and security in their organization, according to the report.

Many merchants operate in “reaction mode” and “spend most of their time fighting fires and fixing problems,” which means they are not thinking proactively about how to implement good data-security practices, Ponemon notes.

The goal is to get merchants thinking about how to protect card data and not just about gaining compliance with industry security standards, says Bocek.

MORE FROM AMERICAN BANKER