PCI DSS and Regulatory Compliance Blog

Stagpliance? Yes, we do need PCI Education

March 3rd, 2008 Posted in Banking, Card Associations, Compliance, Merchant, PCI DSS

One of the terms economists have been throwing around is ‘stagflation’.  This term describes an uncommon situation in which inflation is high while production and employment stagnate.  You see, inflation typically implies higher production, which implies higher employment.  Currently, unemployment is high and is combined with increasing inflation.

‘Stagpliance’ is how I describe the current compliance environment.  We have high compliance numbers (pdf) that should reflect a decrease in data compromises.  The problem is that data compromise numbers are still high. So the question is, why is this seemingly atypical situation happening?

Well, one explanation is that not everyone is compliant, meaning hackers are moving from the low hanging fruit to the next branch up the tree.  This is certainly the case in some large merchants and many small merchants.  Anyone who has investigated cardholder data breaches over the last five years can tell you that attacks are becoming more complex and hackers are moving to smaller merchants. But this is not the only explanation.

What has this experience shown us?  I believe the reason for our current stagpliance is the continued need for proper education.  Experience has shown us that (1) technology alone is not enough and that (2) data compromise is not the result of failing technology but of a lack of education.  Data loss is not the result of poor technology, but of poorly configured technology.  As more and more people pay attention to compliance, data loss is moving to the edge, where merchants do not know data exists.  It also continues to happen in places where merchants do not properly understand their risks, based on active attack patterns.

Last year Visa published a Visa Business Review (VBR) that specifically called for acquirers to address compliance with their Level 4 merchant population using a risk based approach.  This VBR outlined several points, some of which are below:

  • “Define a process that prioritizes Level 4 merchants into appropriate risk categories or subgroups”
  • “Describe plans to educate Level 4 merchants about cardholder data security, storage of prohibited cardholder data and PCI DSS compliance. Include the planned communication channels and approximate frequency.”

The concept here is that acquirers empower their merchants through education to understand the risks facing them, and both address compliance and mitigate those risks appropriately.  This type of grass-roots effort is a great way to give merchants the knowledge to make risk based decisions on their own.

How many merchants that are hacked understand the Top 10 risks (and associated attack vectors) they face?  Even large merchants don’t always understand their risks, because they are not aware of the current ongoing attacks.  I’ve always stated that security is not created in a vacuum.  In order to implement proper security you must first understand the current attack landscape.  Many small merchants have no idea of the top attacks they need to protect against.  An equal number don’t even know they are storing something that attackers want.

What has education shown us?   Compliance without education does not equal security.  In 2007, Visa trained thousands of merchants on the intent behind compliance requirements, the top methods of data compromise, definitions of cardholder data and cardholder data environment.  In each of these classes merchants felt empowered to take a risk based approach towards achieving compliance.  They felt empowered to make the right decision instead of the checkbox decision.  This is the kind of empowerment we need to properly address the security of cardholder data.

The problem is that there are many more merchants, millions in the US, and even more globally.  We need to educate those merchants, not just about compliance, but about risk!  I’ve long said that all the information about PCI is freely available to the world today.  It exists on blogs like this, on online forums and other places.  The problem is digesting that information into something useful.  What we need is true experts to assemble risk based, guided education for the large number of merchants globally.

In person training provides the greatest value but is also the most costly form of education.  The Aegenis Group teaches classes for large and medium sized merchants, but there is also training you can obtain from other sources such as Visa’s merchant education program, and industry specific venues like the Treasury Institute.

Stay tuned for more educational assistance from The Aegenis Group.

14 Responses to “Stagpliance? Yes, we do need PCI Education”

  2. By E.K. on Mar 3, 2008

    I’m glad to see this post. I’ve been trying to convince my employer to offer some merchant education sessions as a service.

    As it stands right now I encourage clients to take a 1/2 seminar on PCI compliance at the start of their assessment. I’ve had some success with this approach but I would love to see even more.

  3. By wconway on Mar 3, 2008

    Another thoughtful post, Mike. I’d be happy to make the full agenda of our PCI Workshop available. Which leads me to an observation and question: Why are there not more vertical-focused (or industry-specific if you prefer) blogs and training sessions for PCI compliance? The Higher Education website and blog (www.treasuryinstitute.org/blog) is the only one I can find. I have to wonder where are the retail, mail order, airline, oil company, government, etc. PCI blogs?

  4. By Michael Dahn on Mar 4, 2008

    @E.K. I’m glad you are teaching your company about PCI before sending them out into the woods. Equip and then deploy - like an army.

  5. By Michael Dahn on Mar 4, 2008

    Walt, there are vertical-focused events but they see PCI as a part of the whole. For example, I presented at the American Petroleum Institute (API) last year on PCI. I’ve also presented at numerous retail association events in the last year. I think you are the only one who flips compliance as the central part of their vertical.

  6. By Alex on Mar 4, 2008

    Stagpliance. Brilliant!

  7. By Patrick Farrell on Mar 4, 2008

    Well done on the new coined term! More education can never be a bad thing but I have two quick points to make.

    First, the logical assumption from your argument is that no merchant who is educated about compliance will be the victim of fraud. Can we say that compliance is a bullet-proof solution? I’m very curious to know if some of the major fraud events that have occurred over the past few years happened to companies that had gone through some PCI DSS auditing. Any facts that the readers could provide on this would be greatly appreciated.

    Second, I would submit that technology can be a solution to the issue. The bar just hasn’t been raised high enough in the technology realm to deal with it. And the issue as I see it is that merchants have sensitive cardholder data in the first place. So why not design a tamper proof solution that would prevent a merchant’s POS system or back office systems from gathering real card data? Take the data away and there is nothing to be stolen. The National Retail Federation has actually come out in favor of this approach - it is just begging for the right solution.

  8. By Fabrice Faden on Mar 4, 2008

    Patrick… interesting idea but if you take the data away how will the merchant be able to process a credit card for payment?

  9. By Michael Dahn on Mar 5, 2008

    Patrick, there is no one solution, but I argue that it is not enough that technology exists - merchants need to be educated about how to use it to protect themselves based on the current attack vectors used to compromise that data.

    Technology is only a tool. Merchants need to understand their risks and how to use the tools properly, otherwise everyone will try to sell them a hammer to put in a screw.

  10. By Patrick Hazel on Mar 5, 2008

    Michael,

    Rather than spending time and resources on the sisyphean task of educating merchants (who are about as diverse and inscrutable a group as one will ever find) why not just take merchants out of the security business altogether? The NRF (cited in the Farrell post) has this right.

  11. By Michael Dahn on Mar 5, 2008

    @Patrick, I agree the future of payments security is to remove the cardholder data. It’s #1 in Visa’s: “Remove, Protect, Comply”

    But, again, technology is not always the solution. Even with secure technology you can have data compromises. I think education about risk and how to secure the data and technology will be the only long term viable solution.

    Additionally, education is the short term solution because changing payment platforms is something that can take years for merchants of all sizes. Whereas education is something that can equip people with the knowledge to protect themselves.

  12. By Patrick Farrell on Mar 5, 2008

    Fabrice -
    The merchant doesn’t need the cardholder data to do a credit card payment. The banks need it. The acquiring bank and the issuing bank are the key players for the cardholder data - the merchant just needs to know that the transaction is viable (along with the amount, etc.).

    It is entirely possible to have cardholder data sent to the acquiring bank and issuing bank without the merchant ever seeing it by simply encrypting the data inside the merchant’s data environment – it’s called tokenization. However, the tokenization needs to start at the leading edge of the payment network (the card swipe) in order to protect that data as soon as it enters a POS device. If the encryption happens anywhere past the card swipe, I would argue that it is open to capture in the merchant’s POS application and could be subject to the same issues that exist today. It is a complex solution which would also require tamper resistant protection for the keys that are doing that encryption at the swipe. And one last piece, it should be accomplished in a way that it doesn’t require any changes to the merchant’s existing POS software application. This will keep merchants from needing to make technology changes to their internal software which might sometimes be very old and difficult to modify.

    Michael -
    I do agree with you in regards to merchant education on technology solutions because there are solutions out there selling themselves as a panacea for PCI compliance and they aren’t. Hopefully they have a well educated acquirer behind them who can help them down this path as well. Here’s a link to a related blog topic you may find interesting - http://www.storefrontbacktalk.com/securityfraud/pci-vendors-statement-dubbed-misleading/#comments
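The architecture Patrick Farrell sketches above (the PAN is captured at the swipe and handed straight to the acquirer side, and the merchant’s POS application only ever stores a token) and the earlier point in the post that data loss happens where merchants do not know data exists can both be illustrated in working code. The following is an added example written for this page; it is not code from the blog, from Visa or from any vendor. It assumes a hypothetical `AcquirerTokenService` standing in for the acquirer’s token vault, a direct method call standing in for the encrypted channel from the swipe device, and the published test card number `4111 1111 1111 1111` as constructed input. The `find_pans` scanner (a digit-run search plus Luhn check) is the kind of check a merchant can run over their own logs and databases to discover cardholder data they did not know they were storing.

```python
import re
import secrets

# Constructed sample input: a well-known published test card number, not a real account.
TEST_PAN = "4111 1111 1111 1111"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan free text (logs, database dumps) for Luhn-valid card numbers.

    This is the discovery check: anything it returns is cardholder data the
    merchant is storing, whether or not they knew it was there.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class AcquirerTokenService:
    """Hypothetical acquirer-side vault: the ONLY place the token-to-PAN mapping lives."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token; the 'x' separator guarantees the token never contains a
        # 13+ digit run, so it can never be mistaken for (or scanned as) a PAN.
        token = f"tok_{secrets.token_hex(6)}x{pan[-4:]}"
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Used at settlement, on the acquirer side only."""
        return self._vault[token]


class SwipeDevice:
    """Models the card reader: the PAN exists here only long enough to be exchanged for a token."""

    def __init__(self, service: AcquirerTokenService) -> None:
        self._service = service

    def read_card(self, track_data: str) -> str:
        pan = re.sub(r"[ -]", "", track_data)
        # In a real deployment this call is an encrypted message to the acquirer;
        # the direct call is a stand-in so the example runs offline.
        return self._service.tokenize(pan)


class LegacyPOS:
    """The situation the post describes: the POS application handles and stores the PAN."""

    def __init__(self) -> None:
        self.storage: list[str] = []

    def sale(self, card_input: str, amount: str) -> None:
        self.storage.append(f"SALE amount={amount} card={card_input}")


class TokenizedPOS:
    """The POS application receives a token from the swipe device and never sees the PAN."""

    def __init__(self, device: SwipeDevice) -> None:
        self._device = device
        self.storage: list[str] = []

    def sale(self, card_input: str, amount: str) -> str:
        token = self._device.read_card(card_input)
        self.storage.append(f"SALE amount={amount} card={token}")
        return token


def run_demo() -> tuple[list[str], list[str], str]:
    """Run one sale through each POS and scan what each one stored."""
    service = AcquirerTokenService()
    legacy = LegacyPOS()
    legacy.sale(TEST_PAN, "19.99")
    tokenized = TokenizedPOS(SwipeDevice(service))
    token = tokenized.sale(TEST_PAN, "19.99")
    legacy_hits = find_pans("\n".join(legacy.storage))
    tokenized_hits = find_pans("\n".join(tokenized.storage))
    settled_pan = service.detokenize(token)   # acquirer still settles the real PAN
    return legacy_hits, tokenized_hits, settled_pan


if __name__ == "__main__":
    legacy_hits, tokenized_hits, settled = run_demo()
    print("PANs found in legacy POS storage:", legacy_hits)
    print("PANs found in tokenized POS storage:", tokenized_hits)
    print("Acquirer settles against:", settled)
```

The scan over the legacy POS storage finds the card number; the scan over the tokenized POS storage finds nothing, while the acquirer can still recover the PAN for settlement. The key-protection and channel-encryption parts of the comment are outside this example: the direct method call is where a real design puts the encrypted, authenticated message from the reader, with its keys held in the tamper-resistant hardware the comment mentions.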

  13. By wconway on Mar 5, 2008

    I have to support the argument that education — for all its inherent difficulties — is the only practical solution. Technology can help, but it is not enough by itself. I have preached that one of the business realities of PCI is that you (the merchant) are going to change the way you do business; you don’t really need all those data. If that’s the case, education, maybe with some technology, gets us a long way there.

  14. By Fabrice Faden on Mar 5, 2008

    There is a case for education and technology and both are important for the overall data security we are all attempting to achieve. However there are many merchants today that are well educated with PCI (possibly even passing a PCI PABP or PCI DSS audit) and still suffer data compromises. I like Patrick’s suggestion of removing the data from the merchant altogether. This would certainly take merchants out of the data security business and even diminish the PCI requirements put upon them.

1 Trackback(s)

  Mar 4, 2008: Michael Dahn Wins Blog Of The Day | RiskAnalys.is
