The long haul

There aren’t many people, in any industry, who jump up and down excitedly clapping their hands when they hear the word ‘compliance’. At least retailers can see the point of the PCI Data Security Standard (PCI DSS, or PCI for short), the latest version of which was released in October: obviously it is sensible business practice to look after cardholder data, particularly as the methods used by criminal organisations to extract it and turn it into cash continue to evolve.

But it is also easy to get irritated by the fact that PCI DSS needs to change over time, in part to keep up with the criminals, but also to adapt to new technologies retailers are using, such as virtualisation, cloud computing, tokenisation or point to point encryption. And compliance can be very expensive and difficult, because cardholder data is often scattered across disparate systems.

“Overall in the UK there’s a good level of adoption and most people understand and are aware of PCI, with many moving their companies towards a more secure position,” says Jeremy King, European director at the PCI Security Standards Council (PCI SSC). “But obviously there is still room for improvement.”

King believes there has been significant progress among both the largest and mid-tier UK retailers and also highlights work his organisation is doing to help smaller retailers achieve compliance, because the threat to them has increased as more criminals gravitate towards targeting card-not-present (CNP) transactions. “A high percentage of the largest UK merchants are now PCI DSS compliant,” claims Rose Luis, solutions marketing manager for payment security at Cybersource. “This bodes well for payment security overall.”

She believes the topic now has a higher profile thanks to well-publicised security breaches, but that retailers need to understand that attaining a high degree of security is much harder than simply becoming PCI compliant. “PCI DSS is a great starting point, but payment security needs to be an every-second strategy,” she stresses.

“I think retailers who avoid PCI DSS, or don’t wholeheartedly adopt it, do so at their peril,” says Bill Roth, executive vice president at compliance, security and log management specialist LogLogic. “It’s about keeping consumers safe. (Retailers) run a huge brand risk if they’re not careful.”

The financial damage may also be significant. Benj Hosack, director at forensics and incident response service provider Foregenix, cites a recent investigation into a company that had suffered a security breach: 19,000 card records had been exposed, and fraudulent spend was seen on fewer than 2,000 of them. “But the fraudulent spend was £2 million,” he recalls.

“Another problem is that the time between compromise of systems and fraudulent spend is shortening: it’s now happening within a month, not three to six months later, as used to be the case,” he continues. “So if an organisation is compromised they really need to move quickly.”

Working towards PCI compliance can act as a valuable stepping stone for retailers simply keen to improve information security. For example, it illustrates the benefits of log management. As Roth explains, “You need a log management system to log all access to network resources and cardholder data and to show the auditor that people have been reading the reports.” Virtualisation makes this even more important, because the hypervisor and its management tools join the guest systems as components that must be logged and reviewed. Use of the cloud can make it harder: the retailer has to establish whether the service provider is meeting all of the logging requirements on its behalf, and be able to show the evidence.

But achieving compliance is a headache. “If you take a typical larger retailer, they will have a few hundred stores around the country and a fairly aged environment,” says Hosack. “Trying to identify where the cardholder data is is the first problem.”

William Stone, head of payment processing solutions for merchant payments at FIS, says the push from acquirers to move merchants towards compliance was particularly noticeable over the three years leading up to the October release of the updated standard. Some retailers have since taken a step back, because the standard is still evolving and they anticipate further rulings from the PCI SSC on point to point encryption and tokenisation, both of which can reduce the extent to which their systems fall within the standard’s scope. Others have chosen to outsource some of the relevant processes to PCI-certified service providers, such as FIS.

Asked if he believes some retailers have slowed down PCI compliance activity as they anticipate further changes to the standard and seek to avoid wasting money, the PCI SSC’s King says he understands this issue and has been asked about it by some retailers.

“We don’t want anybody to waste effort or money, we want to ensure this is going to be the best solution,” he says. “The (Security Requirements for Point to Point Encryption) document is going through review now and will hopefully be coming out in the next three months. That will be a supportive document to the current standard.”

Clearly the economic convulsions over the past two years haven’t helped either. But allowing strategic compliance activity to be overwhelmed by bottom-line concerns would be a mistake, warns King.

“I fully understand that purse strings are held quite tight at the moment,” he says. “The problem is that this is the time when criminals are very active.” He argues that retailers should bear in mind that the cost of a breach may well exceed by far any savings made by pausing PCI activity now. “I would say, structure your method of adoption and do a good risk assessment so you are reducing your risks within the budgets and timescales available.”

Tough task

But even if retailers take a pragmatic course, by, for example, combining the drive to compliance with a planned PoS or network upgrade, attaining compliance can still be very difficult. Hosack says Foregenix has been supporting retailers aiming to achieve full compliance for around seven years. “There are merchants we were working with back then who are still working on compliance, because their networks are so large,” he says. “It’s a massive project. Apart from the technology, if a retailer is seeking full compliance there will have to be a shift in the way the organisation views security. Policies and procedures need to be changed. You need to tell people why you’re doing this and how it’s going to affect them.”

And retailers may be receiving contradictory advice from the Qualified Security Assessors (QSAs) from whom they seek compliance advice or assessment services. “Depending on which QSAs you talk to, you’re going to get different advice,” says Philip Hellyer, enterprise architecture group lead at Best Buy Europe. “The lack of consistency can be a problem, because you could shop around and find a QSA willing to certify you - and that doesn’t help anybody.”

Yet overall Hellyer believes the process of seeking to attain PCI compliance has had positive knock-on effects for his company. “It’s pushed us to consider where we’ve got cardholder information,” he says. Best Buy Europe has modified its processes so that, with payment processing outsourced and tokenisation used internally, card data is actually only stored in one secure area within its networks. “That has enabled us to take the store estate out of scope and that was a big saving,” says Hellyer. But the retailer has also taken the principles of the PCI DSS and applied them elsewhere.
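The scope reduction Hellyer describes comes from a simple property of tokenisation: systems outside the vault hold only a surrogate value from which the PAN cannot be recovered. The following is an added example written for this article, not Best Buy Europe’s or any vendor’s code. It assumes a format-preserving token (same length, last four digits kept, deliberately not Luhn-valid so it can never be mistaken for a real card number), an in-memory dictionary standing in for the hardened vault, and PCI DSS requirement 3.3 masking (at most the first six and last four digits shown). All card numbers are constructed test values.

```python
"""
Added example: a minimal tokenisation vault. Only the vault ever holds a
PAN; stores and back-office systems receive a token plus a masked PAN.
The dict-backed storage is a stand-in for a real, PCI-scoped vault.
"""
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check digit validation; rejects malformed PANs
    before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS req. 3.3: first six and last
    four digits at most, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The single component that stores PANs and maps them to tokens."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        # Keyed hash as the lookup index so a repeat PAN gets the same
        # token without the PAN itself being used as a dictionary key.
        self._hmac_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._hmac_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # format-preserving: same length, last four kept
            # Design choice (assumption): a token must fail Luhn so it can
            # never pass as a real card number; retry on collision.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the gateway integration inside the vault boundary should
        call this; anything that can is still in PCI DSS scope."""
        return self._pan_by_token[token]


def store_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What a store or back-office system is allowed to keep: the token
    and a masked PAN for receipts and customer service, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


TEST_PAN = "4111111111111111"  # constructed Luhn-valid test number


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_record(vault, TEST_PAN)
    print(rec)
    print("vault recovers PAN:", vault.detokenize(rec["token"]) == TEST_PAN)
```

The store estate drops out of scope only because nothing in it can call `detokenize`; the vault, the gateway integration that does, and any system that still sees a PAN in transit before tokenisation remain firmly inside it.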

As the big card brands and bodies like the PCI SSC work on bringing technologies such as point to point encryption and tokenisation into the rules retailers must follow, and as some retailers outsource more elements of payment processing to service providers, it is possible to glimpse a future in which PCI DSS is less of a challenge for retailers, because card data will barely touch their IT estates.

But the world in which retailers can avoid having to handle card data is still some years away, says FIS’ Stone. “Think of how many acquirers there are and how much they’d have to do on their systems to accept an encrypted transaction,” he says. “And think of standardisation across all those acquirers, to a standard every retail software provider could conform to.”

It’s also important not to be too card-centric when considering this issue. The launch of Orange and Barclaycard’s new Quick Tap initiative in May is just the latest reminder that mobile and contactless payments (or a combination of both) are likely to become more widely used over the next few years.

But for the time being, says Ryan Rubin, UK director of security and privacy services at audit and consultancy firm Protiviti, the top priority for retailers must be to find a practical way of securing card data, particularly as they expand online operations. “PCI compliance is a journey to help an organisation reduce the opportunity for security breaches to occur,” he says. “I’d like to see PCI ultimately disappear, with people focused on good security and not just good credit card security.”

For now the standard will remain a headache, but one that ultimately leaves the organisation better protected against crime.
