Archive for the ‘Europe’ Category

Filed Under (Asia-Pacific, Banking, Europe, Merchant, PCI DSS, PCI PIN) by Michael Dahn on June-30-2008

Rob Newby blogs about the statistics and studies on the adoption of PCI compliance in Europe, based on the data points from a Register article with the same focus.  The article states:

European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry’s Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ.

Rob points out that with a sample population of 65 data points:

… all I can conclude from this survey is that NetIQ customers are ignorant, which isn’t a great advert for them.

There’s a little bit of truth in both opinions (read the NetIQ comments on Rob’s blog).  It is true that PCI adoption in Europe is slower than that of merchants in the USA, and Asia Pacific is even further behind, but there is a very good reason for this.

You have to factor in that organizations such as APACS have been pushing Chip-PIN for many years now.  France has had Chip-PIN in place for the past six years.  This is not to say that the risks are lower, but many different factors play a role.

European PCI DSS Adoption Factors

The first factor is that of education.  Whenever you talk with someone about PCI in Europe this is how the conversation goes:

“I’d like to talk with you about PCI DSS.”
“PCI DSS? What is that?”
“Well it has to do with credit card security…”
“Oh, I don’t need that, I have this Chip-PIN infrastructure.”

It’s hard to get merchants past the belief that they can mitigate all the risk of storing credit card data simply by rolling out Chip-PIN terminals.

The second factor affecting merchant compliance in Europe is that in countries such as Spain and Italy a merchant will not have just one or two acquirers but more like 10-12 acquiring banks.  Since each bank only handles 1/10 or 1/12 of that merchant’s business, it’s a hard business proposition for one of them to take the first step and require the merchant to validate their compliance.  The risk is high that the merchant will simply drop that acquirer from its transaction processing channel.

Asia-Pacific PCI DSS Adoption Factors

Within the Asia-Pacific (AP) region, merchant adoption of PCI DSS has been slow due to the risk factors.  Each country is different, but as a region the amount of fraud happening “in-country” is rather low.  This means, for example, that the number of credit cards compromised and used fraudulently within S. Korea is very low.  The fraud of note is what is classified as “cross border” fraud: a credit card compromised within the USA is then used fraudulently in Australia.  Due to these fraud factors, and the historic emphasis on driving service provider compliance within the region, merchants are slower to the game.

That said, I was just in Australia, and the number of QSA companies operating in the region is considerably higher both there and in Japan (two of the largest AP countries by transaction volume).  This increase in auditors shows increasing demand for compliance validation on the part of merchants.  Articles that show the “slow” adoption are like trying to buy a car without looking under the hood.  You may look at an older Honda Civic and think you can beat it in a race, but not if it’s got a turbo-charged Acura engine under the hood.

I think the key thing to remember is that all merchants are at risk and that the risk varies by industry, vertical, infrastructure, and many other factors.  I like Rob’s reminder that:

I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, it’s a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.



Filed Under (Card Associations, Europe, PCI DSS) by Michael Dahn on May-8-2008

Maxim Emm from Infosec in Russia has translated the PCI DSS, PCI Security Audit Procedures, and Navigating the PCI DSS into Russian.  This is an unofficial copy of these documents but could be helpful to people who would like this resource.

If none of these links work due to your browser not supporting Cyrillic characters, click the page link.

All official copies of the PCI DSS and Security Audit Procedures (SAP) are accessible from the PCI SSC website where they are offered in multiple languages.



Filed Under (Conferences, Europe, PCI DSS) by Michael Dahn on April-19-2008

Only if that city is in Poland.  I’m about to hop on a flight to Warsaw, Poland (check my Dopplr) to teach several classes on PCI.  We normally do about 5-10 countries around the globe a year in addition to the numerous PCI classes we teach in the US.  I’m both excited and exhausted.

I’ve been traveling for many weeks straight and the past two weeks have been back to back conferences (RSA and ETA).  I’m about to embark on a 1.5 week trip and I hope I have everything I need.  While there I plan to make a side trip to Krakow for a day.  I have a friend with relatives there that might be able to give me a tour.

Last week at ETA, the PCI SSC released clarification documents about requirements 6.6 and 11.3.  Keep checking the PCI SSC website for the electronic copies.  I’m excited to hear what those implementing PCI in Europe and EMEA have been experiencing.  There will be participants from Western and Eastern Europe, and I’m hoping to share the experiences that other PCI assessors are having all over the world.

One of the great advantages of teaching classes all over the world is the ability to learn and share information.  Also, since ETA was just last week, I’ll be able to share more about the programs and information the PCI SSC has recently released.  I’m very impressed with all the people working so hard to churn out documentation.  I think there is more documentation, FAQs, and clarification papers about PCI than about any other standard.

While I’m traveling I’m going to share information about the blog, forum, and the Society of Payment Security Professionals (SPSP), our Podcasts, and much more.

We are always looking to expand the list of people who are blogging so if you have an interest in contributing to PCI Answers, please email me.  We are always looking for subject matter experts (SME) and those wishing to blog in non-English languages.  If you already have a blog and want to get it syndicated then join the SPSP and add it to the payment security blog aggregation feed.



Filed Under (Europe, PCI DSS) by Michael Dahn on February-8-2008

Although the PCI DSS Security Audit Procedures (SAP) v1.1 is published in many languages, Russian is not one of them.  That is, until now.

While teaching a PCI class in Europe last year, I remember speaking with someone from a Russian security firm who said there was a translated version of the SAP floating around the Internet.  The other day, while looking at sites that linked to ours, I found this one from the firm Digital Security.  There was also a link to their translation of the SAP into Russian.



Filed Under (Conferences, Europe) by Michael Dahn on December-6-2007

The PCI Europe conference is happening for the first time in 2007.  I am not there but know some friends who are attending.  I’m curious to hear about it so please post content in the comments.  I haven’t seen any blog posts about it, other than from the attending vendors.



Filed Under (Europe, Government) by Michael Dahn on October-11-2007

Ian from the Public Sector Forums in the UK reminded me of an upcoming event for public sector professionals in the UK to learn more about PCI DSS compliance.

We blogged about this before and the event was so successful they are having another one. If you see the speaker list you know it will be good. The top people from Visa, MasterCard, and American Express will be there to discuss PCI DSS compliance.



Filed Under (Card Associations, Compliance, Europe, PCI DSS) by Michael Dahn on September-15-2007

After teaching a class of QSAs in Prague, one of the questions asked was whether Visa Electron and Maestro cards are considered in scope for PCI DSS compliance.

This is a very important question because many, if not all, of the bank/debit cards in Germany and many other countries are branded with the Maestro logo. Also, the Visa Electron branded debit and credit cards are widely used throughout many parts of the world.

Remember that in-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International. The question is, does this include cards owned by these brands?

The answer is yes. This means that any card numbers branded with the Electron and Maestro logos are in scope for PCI DSS compliance.

Update: A reminder about the difference between ‘Maestro cards’ and ‘Maestro transactions’:

Be careful as some cards are co-branded so the domestic traffic is done under a domestic brand not owned by MasterCard (out of scope from a MasterCard perspective) whilst cross border transactions are real Maestro transactions and in scope. (Germany is a classic case where this could be confusing.)



Filed Under (Asia-Pacific, Europe, PCI DSS) by Michael Dahn on August-23-2007

Take note that the PCI DSS is available in multiple languages. Always be sure to check the PCI SSC website for updates on this.

Currently, the Security Audit Procedures are available in the following languages:

  • Chinese (Simplified)
  • Chinese (Traditional)
  • English
  • French
  • French Canadian
  • German
  • Japanese
  • Korean
  • Portuguese
  • Spanish

The French have always said that Canadians do not speak true French. I suppose this proves they are correct.



Filed Under (Compliance, Europe, Government, Legislation) by Michael Dahn on July-11-2007

The week has been quiet as people work vigorously on their PCI compliance projects. Here are some things that might help you along.

Tenable Network Security, the company that brought you Nessus, has “produced two Nessus PCI configuration .audit files for both the Windows and Linux operating systems. These configuration checks are derived from specific recommendations and audit requirements based on the PCI 1.1 standard.”

Check their blog for the audit files. These could help with requirement 11.2, internal vulnerability scanning. They even have a video online showing how to install and use the files.

I don’t know anything about this, but I came across a petition from Mark at port7. Apparently he has set up “a petition to the Prime Minister [in the UK] to make the PCI: DSS standards a legal requirement.”

What are your thoughts on making PCI DSS a law? We have talked about this before.



Filed Under (Approved Scanning Vendor, Europe, QSA) by Rob Newby on June-4-2007

If you download the latest QSA list, open it up and do a quick search for “Spain”, you’ll only come up with one name: Daniel Fernandez Bleda of Isecauditors.com, based right here in my home town of Barcelona.

QSA Spain

I’d had someone contact me through my personal blog to talk about PCI, he was also based in Barcelona, and needed some pointers. As I am a vendor, I thought it prudent to get an independent expert in to keep his mind at rest. I was in contact with Daniel by email, but had yet to meet in person. He seemed to know what he was talking about, so I invited him in.

So, 5 of us (2 from my company, 2 from Daniel’s, 1 interested consumer) crammed into our offices at 3pm on Thursday afternoon to see what we could arrange. Daniel dealt with the queries as they arose, and very kindly conducted proceedings in English, which was obviously not his preferred method of communication. Still, a lot more natural than me speaking Spanish, so much appreciated. No hablo Espanol.

Backtracking a little, I had contacted Daniel previously to speak about PCI in Spain, thinking he would be inundated with business here, being in his unique position. We wanted to partner with him, being a vendor who might be able to surf the giant PCI wave… apparently this is not the case. Most of Daniel’s business comes from other auditing and compliance work. The QSA status (and soon to be ASV) is there to keep skills up to date and provide a little marketing. He was delighted to have the chance to speak about PCI with a real live opportunity in Barcelona.

The last time I spoke about the lack of interest in PCI in Spain I had someone on this blog (who shall remain nameless because I can’t remember who it was) tell me how they had loads of Spanish work on, but couldn’t tell me anything about them because it would breach NDA. Sorry, but I’m having difficulty believing you now, especially when you can’t provide ANY proof.

I’ve only been here 5 months now, but I’ve picked up PCI customers in the UK and US in that time, and still not a sausage in Spain, not even the scent of chorizo. We even have one of the largest banks in the area trying out our software, and the only PCI account I’ve even heard of over here is an international company getting pressure from their German processors. Caixa Catalunya passed on the pressure, but they aren’t interested for themselves in terms of PCI.

If there’s anyone more qualified to talk about PCI in Spain than Daniel, please let me know. I’d love to hear that I’ve completely missed a rich seam of business opportunity buried deep below the cracked surface of Spanish IT security.

I’m also interested to get more of an overview purely for personal reasons, otherwise I’m going nuts here.
