Archive for the ‘Banking’ Category
Rob Newby blogs about the statistics and studies on the adoption of PCI compliance in Europe, based on the data points from a Register article with the same focus. The article states:
European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry’s Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ.
Rob points out that with a sample population of 65 data points:
… all I can conclude from this survey is that NetIQ customers are ignorant, which isn’t a great advert for them.
There’s a little bit of truth in both opinions (read the NetIQ comments on Rob’s blog). It is true that PCI adoption in Europe is slower than that of merchants in the USA, and Asia Pacific is further behind still, but there is a very good reason for this.
You have to factor in that organizations such as APACS have been pushing Chip-PIN for many years now, and France has had Chip-PIN in place for the past six years. This is not to say that the risks are lower, but many different factors play a role.
European PCI DSS Adoption Factors
The first factor is that of education. Whenever you talk with someone about PCI in Europe this is how the conversation goes:
“I’d like to talk with you about PCI DSS.”
“PCI DSS? What is that?”
“Well it has to do with credit card security…”
“Oh, I don’t need that, I have this Chip-PIN infrastructure.”
It’s hard to get merchants to accept that rolling out Chip-PIN terminals does not mitigate the risk of storing credit card data. Chip-PIN authenticates the card and the cardholder at the point of sale; it does nothing to protect the account numbers that remain in the merchant’s databases, logs and back-office systems after the transaction, and that stored data is exactly what PCI DSS is concerned with.
The second factor affecting merchant compliance in Europe is that in countries such as Spain and Italy a merchant will not have just one or two acquirers but more like 10-12 acquiring banks. Since each bank only does 1/10 or 1/12 of that merchant’s business it’s a hard business proposition for one of them to take the first step forward and require the merchant to validate their compliance. The risk is high that a merchant may simply drop that acquirer from their transaction processing channel.
Asia-Pacific PCI DSS Adoption Factors
Within the Asia-Pacific (AP) region merchant adoption of PCI DSS has been slow due to the risk factors. Each country is different, but as a region the amount of fraud happening “in-country” is rather low: the number of cards compromised and then used fraudulently within South Korea, for example, is very small. The fraud of note is what is classified as “cross-border” fraud, where a card compromised in the USA is then used fraudulently in Australia. Because of these fraud patterns, and the historic emphasis on driving service provider compliance within the region, merchants have been slower to the game.
That said, I was just in Australia, and the number of QSA companies operating in the region is considerably higher both there and in Japan (two of the largest AP countries by transaction volume). This increase in assessors shows increasing demand for compliance validation by merchants. Articles that point to “slow” adoption are like judging a car without looking under the hood: you may look at an older Honda Civic and think you can beat it in a race, but not if it has a turbocharged Acura engine under the hood.
I think the key to remember is that all merchants are at risk and that risk varies by industry, vertical, infrastructure, and so many other factors. I like Rob’s reminder that:
I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, it’s a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.
One of the terms economists have been throwing around is ‘stagflation’. It describes an uncommon situation in which inflation is high while production and employment stagnate. Inflation typically implies higher production, which implies higher employment; currently, however, unemployment is high at the same time that inflation is rising.
‘Stagpliance’ is how I describe the current compliance environment. We have high compliance numbers (pdf) that should be reflected in a decrease in data compromises. The problem is that data compromise numbers are still high. So the question is, why is this seemingly atypical situation happening?
Well, one explanation is that not everyone is compliant, meaning hackers are moving from the low hanging fruit to the next branch up the tree. This is certainly the case in some large merchants and many small merchants. Anyone who has investigated cardholder data breaches over the last five years can tell you that attacks are becoming more complex and hackers are moving to smaller merchants. But this is not the only explanation.
What has this experience shown us? I believe the reason for our current stagpliance is the continued need for proper education. Experience has shown us that (1) technology alone is not enough and that (2) data compromise is not the result of failing technology but of a lack of education. Data loss is not the result of poor technology, but of poorly configured technology. As more and more people pay attention to compliance, data loss is moving to the edge, to places where merchants do not know the data exists. It also continues to happen in places where merchants do not properly understand their risks in light of active attack patterns.
Last year Visa published a Visa Business Review (VBR) that specifically called for acquirers to address compliance with their Level 4 merchant population using a risk-based approach. This VBR outlined several points, some of which are below:
- “Define a process that prioritizes Level 4 merchants into appropriate risk categories or subgroups”
- “Describe plans to educate Level 4 merchants about cardholder data security, storage of prohibited cardholder data and PCI DSS compliance. Include the planned communication channels and approximate frequency.”
The concept here is that acquirers empower their merchants through education to understand the risks facing them, and both address compliance and mitigate those risks appropriately. This type of grass-roots effort is a great way to give merchants the knowledge to make risk based decisions on their own.
How many merchants that are hacked understand the Top 10 risks (and associated attack vectors) they face? Large merchants don’t even always understand their risks because they are not aware of the current ongoing attacks. I’ve always stated that security is not created in a vacuum.  In order to implement proper security you must first understand the current attack landscape. Many small merchants have no idea of the top attacks they need to protect against. An equal number don’t even know they are storing something that attackers want.
What has education shown us?  Compliance without education does not equal security. In 2007, Visa trained thousands of merchants on the intent behind compliance requirements, the top methods of data compromise, definitions of cardholder data and cardholder data environment. In each of these classes merchants felt empowered to take a risk based approach towards achieving compliance. They felt empowered to make the right decision instead of the checkbox decision. This is the kind of empowerment we need to properly address the security of cardholder data.
The problem is that there are many more merchants, millions in the US, and even more globally. We need to educate those merchants, not just about compliance, but about risk! I’ve long said that all the information about PCI is freely available to the world today. It exists on blogs like this, on online forums and other places. The problem is digesting that information into something useful. What we need is true experts to assemble risk based, guided education for the large number of merchants globally.
In person training provides the greatest value but is also the most costly form of education. The Aegenis Group teaches classes for large and medium sized merchants, but there is also training you can obtain from other sources such as Visa’s merchant education program, and industry specific venues like the Treasury Institute.
Stay tuned for more educational assistance from The Aegenis Group.
Jay from the USA asks:
If our acquirer provided POS systems, do we need to make sure that the acquirer’s equipment and websites are PCI DSS compliant?
I’ve always said that you should “Trust but Verify”! It is very common for a merchant to receive or be recommended a certain POS system, application, or platform from their acquirer, processors, or franchise manager. If you are a merchant who receives such a recommendation, be sure to do your homework.
First, you need to check the Visa website to make sure that the POS system/software has undergone rigorous security testing and has been validated as secure under the Payment Application Best Practices (PABP). You can see a list of qualified products here.
Next, you need to obtain the “Implementation Documentation” or “Implementation Guide” from that POS vendor. Although your POS application may have been validated as secure, there are still a number of things YOU NEED TO DO to operate it in a secure manner, and this guide is the list of those things: typically removing vendor default accounts and passwords, configuring the application so that it does not retain full magnetic-stripe data, CVV2 or PIN data after authorization, and securing the network and systems it runs on. A validated application installed with its defaults intact is not a secure installation. Follow the guide carefully and understand how to protect yourself.
Finally, once the above is done you are 95% of the way there. What remains is to continually educate yourself about the difference between compliance and validation, the definition of cardholder data and where to find it, whom to contact in the event of a compromise, and so on. You may follow this blog or you may enroll in structured learning. Either way, you need to keep yourself informed.
…thought this was interesting:
—–[snip]—–
It was hard to brush aside comments made by First Data CISO Phil Mellinger, who suggested at a recent forum that the Payment Card Industry’s Data Security Standard (PCI DSS) should be overhauled to eliminate subjectivity, ease restrictions and help more merchants comply. After all, Mellinger did develop the precursor to the current standard.
But this week I haven’t found many people who agree with him. During a panel discussion on identity fraud in New York Tuesday, I asked a couple of financial practitioners if the rules should be eased to help more merchants comply. Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, summed up the consensus in the room when he said, “It’s our responsibility to meet the bar that’s been set.”
Many industry professionals seem to share that attitude, if a recent scan of the blogosphere is any measure.
Let’s start with SearchSecurity.com’s own Security Bytes blog, where we ran some comments from those who have followed our coverage of Mellinger’s talk.
Chris Noell, an executive analyst, CISSP and QDSP, wrote that Mellinger’s suggestion for a simpler standard that rises over time would have been a good idea at one point, but that given where we are today, it would be a step backwards.
“Over the last four years, numerous merchants and service providers have told me that they are reluctant to do anything until the very last minute because the card brands have a way of changing their standards, invalidating compliance investments,” he wrote. “Lowering the bar now would just confirm this suspicion and cause an erosion of credibility. The 35% of Level 1 merchants who are currently compliant would feel like they had wasted money and would be understandably bitter.”
Rick Hayes wrote that Mellinger is missing the boat on PCI. “Obviously, there is an issue with merchant compliance,” he wrote. “This is compounded by the fact that generally it takes anywhere from 18-24 months to actually meet the requirements of the ‘dirty dozen.’”
But, he added, relaxing PCI DSS will not have any effect other than to increase the likelihood of more data breaches. “It certainly won’t mean that more merchants will become compliant,” he said. “What needs to be adjusted is the timeline, not the requirements. I don’t think anyone in their right mind would or should argue that implementing such basic tenets of security is a bad thing. That is really what PCI is about — basic security best practices.”
The Ambersail infosec blog offered a similar perspective. It expressed sympathy for organizations the size of First Data and said compliance must be tough for them. But lowering the compliance requirements isn’t the answer. In the end, the blog said, PCI DSS compliance demands the types of security procedures companies should already be taking.
“Compliance is tough for everyone, big and small,” the blog said. “And what we had before was, well, nothing really. Chaos.”
Moin Moinuddin, a self-described industry architect with Microsoft Corp., wrote in his ARC Thoughts blog that PCI DSS compliance is good for a company’s security and cost controls.
“For example,” he wrote, “a retailer who had never really done an internal assessment before now did this and [it] resulted in [the] consolidation of servers in the stores using [a] virtual server product. So this helps in reducing overall cost of maintenance in addition to improving security.”
The bottom line is that nobody is accusing Mellinger of giving up on PCI DSS or security. Many people agree the standard could use some changes. But they also believe companies are having trouble with PCI DSS because their security programs were lacking to begin with.
The last thing companies like that need is an easier ride to compliance.
—–[/snip]—–
Digital Transaction News (www.digitaltransactions.net) ran an article on March 29 entitled ‘Scope of TJX Breach Has Some Questioning Attainability of PCI’. Inside the article is a quote from Mr. Gwenn Bézard, research director at Aite Group LLC, who said, “If a major U.S. retailer cannot have its house in order, how can you get millions and millions of small businesses, small merchants to be compliant?”
The small businesses and merchants that Mr. Bézard is so concerned about are the least of the problem. These organizations typically do not store cardholder data themselves; they subscribe to a service that processes the credit card away from their point-of-sale system. They might be susceptible to PIN pad fraud, where a few hundred card numbers and PINs can be stolen when someone places a skimming device between the PIN pad and the terminal that dials out to the processor. But they will never amount to a TJX, which coughed up millions upon millions of credit card numbers.
It is the big box retailers, large regional chains and similar large merchants that are the problem waiting to happen. These are the organizations that, in an effort to cut processing costs, have set up their own processing networks which capture and store the cardholder information in the millions that is so valuable to thieves and carders. Add into that all of the intermediaries that have sprung up that handle cardholder information between the time of the sale, settlement, monthly reporting and the like and you have another group of companies that are at risk.
This is why the concept of different levels of organizations was created. The card companies recognized that risk scales with the number of transactions processed. With v1.1 of the PCI DSS, these levels were adjusted, removing the segmentation of Internet-based transactions versus all other transactions and treating all channels essentially the same. These changes recognized the fact that a transaction is a transaction, regardless of its source, and that the threat landscape had changed.
Mr. Bézard’s quote gives the impression that this problem is something that just appeared over night. It is a problem that has its roots going back 40 years with the introduction of ARPANet.
So, how do we get this problem resolved? It gets resolved one merchant, one processor or one acquirer at a time. Will there be more TJXs? Unfortunately, yes. The PCI process has only just gotten seriously started, and this is not a problem that will go quietly into the night. Security is a process, not an end state. Carders will raise their level of sophistication and the PCI DSS will have to be refined to address the new threats.
If you want a view of what things will look like in the future, look to Mr. Bézard’s financial institution industry. For the most part, the financial institution industry has implemented all of the technological solutions available to them. The big struggle in the financial institution industry today is around educating their customers and employees to be skeptical, erasing 20+ years of customer service training that told these people that the customer is always right and that they should always be helpful, to a fault. But this is a topic for another time.
Michael Farnum wrote on “Here’s why PCI DSS exists” and his analysis is correct but needs some clarification. He writes in response to a Boston Globe article on the Stop & Shop credit card compromise. The debate is over who pays (or writes off) the cost of credit card compromises and fraudulent transactions.
According to one person quoted by the Boston Globe, “The credit card company eats it.” This is (kinda) not true.
Another blogger writes, “the PCI standards weren’t created to help consumers, they were created to protect the credit card companies from fraud and to transfer the risks from the credit card companies to merchants and merchant banks.” This is cynical and NOT true.
Michael has it partially correct when he says:
If the consumer was responsible for fraudulent charges, the credit card companies would not put any real effort into stopping this type of crime, and we would be responsible for protecting our own data. But since the credit cards are responsible, the economic driver to be more proactive on security is clear.
In order to really understand why PCI DSS exists we have to understand the state of human emotion. Someone once told me, “there is price and there is cost.” Let’s explore these a little more.
Cost of Credit Card Fraud
Who pays for fraudulent transactions? There are too many details to get at the heart of this question, but in broad general terms the Issuing Bank pays the majority of the cost, the Acquiring Bank pays a lesser amount, and the Merchant pays the least. (The Merchant carries a high liability due to cost recovery programs and lawsuits, but it pays indirectly, not directly.)
So the Issuing Bank is the one who eats the cost of credit card fraud, but it is not in a (direct) position to prevent it. This created a disconnect: before the PCI DSS there was no incentive for Merchants, Service Providers and Acquirers to secure credit card data. Why should they? It was the Issuers who paid for it.
The PCI DSS was introduced to make those who store, process, or transmit your credit card information directly responsible for its safety and security. The funny thing is that the “credit card companies” meaning the card brands/associations such as Visa/MasterCard make money regardless of credit card fraud. It is only Discover/American Express who act as both Issuers and Acquirers that “eat it”.
Price of Credit Card Fraud
Remember, there is a difference between ‘cost’ and ‘price’. The price of credit card fraud is a reduction in consumer confidence. People are more scared of using their credit card on the Internet than they are about using it in a retail store. The reality is that it is (usually) safer to make online transactions than brick-and-mortar. Imagine how well online businesses would be doing, or how much better they would be doing, if people had a higher confidence in online shopping!
If credit card compromises rise and continuously appear in the news it will eventually erode consumer confidence in the use of credit cards. This would directly impact merchants, both online and offline, as well as credit card programs and initiatives.
This is a price far greater, but less direct, than the dollars lost to the fraudulent use of credit cards. The PCI DSS not only secures the data, but in doing so it helps rebuild consumer confidence in credit cards and their safe use.
Private Industry Standards
The one thing I totally agree with Michael about is where he says this:
FYI, I am thrilled that this is a private industry standard and not something the government tried to build. HIPAA, SOX, GLBA, etc. are proving to be ineffective for the most part, so one more regulation to try to solve this problem is not needed or wanted.
Most people never understand this point. I hear merchants constantly complain about having to comply with PCI, but that is because most don’t understand how easy it is when compared with things like SOX or GLBA.
I have walked into merchants and seen audit rooms devoted full time to SOX work. In fact many of them have the words “SOX Audit Room” etched in metal beside the room. I want someone to show me a company that has a “PCI DSS Room”. It’s nowhere near as difficult, arduous, or costly as other government mandated regulations.