Thursday, September 19, 2024

Some PCI Progress, But Visa Sends a List of Non-Compliant Software

Amid highly publicized data breaches at major chains like TJX Cos. Inc. and Stop & Shop Supermarket Cos., large merchants are making progress in achieving compliance with the Payment Card Industry data-security standard (PCI), though nearly two-thirds of them have still not been certified as meeting the standard. Some 35% of Level 1 merchants, defined by Visa USA as those processing 6 million or more Visa transactions annually, are now PCI compliant, Visa says, compared with 18% a year ago. The 330 retail companies in this group account for half of Visa's point-of-sale transactions. Another 51% have at least completed a so-called report on compliance, a step toward satisfying PCI requirements that involves a review of systems for security flaws and a plan to fix them. Visa refers to this process as remediation.

PCI, which is backed by all the major card companies, sets out a dozen broad sets of requirements ranging from firewalls to passwords to data storage and encryption.

At the same time, most large merchants have demonstrated they are not storing card-verification numbers, PINs, and certain other data encoded in magnetic stripes, one of the key requirements of PCI. Highly prized by hackers, such data are often stored unknowingly by merchants. In the TJX case, data linked to nearly 46 million accounts were stolen, the largest such breach on record.

Some 93% of Level 1 and Level 2 (1 million to 6 million annual transactions) merchants have certified they are not storing the information, as determined by Visa's PCI compliance-acceleration program (Digital Transactions News, Dec. 12, 2006), which offers cash incentives to acquirers whose merchants met certain compliance deadlines.

Still, Visa two weeks ago sent a letter to acquirers, processors, software developers, and independent sales organizations listing half a dozen software vendors whose POS products have been shown in data breaches to have stored card data.
“We recommend that merchants stop using that software,” Eduardo Perez, vice president for payment system risk and compliance at Visa, tells Digital Transactions News. The list is not publicly available, though Perez says Visa is mulling the idea of posting it on a private page on its Web site that is available to members. Some of the vendors on the list have written multiple applications that store card data. Though Visa routinely lists products and vendors on its site that are PCI-compliant, this list represents the network's first effort to distribute specific information on non-compliant products. Perez says Visa contacted each of the vendors before sending the letter. In each case, he says, the vendor was able to provide either a patch or an upgrade that would not store prohibited card data. He says Visa also listed these compliant versions in the letter.

“Obviously, they weren't happy, but in most cases they wanted [the information] out there because it gave them more ammunition as to why merchants should upgrade,” Perez says. The response so far from acquirers and merchant processors has been good. “It's still relatively soon, and right now acquirers and processors are absorbing this list and deciding what to do with it,” says Perez. “But all in all the response has been positive and they are starting to use it.”

He hopes that once the information gets around in acquirer and merchant circles, drooping demand for non-compliant software will exert pressure on vendors. “Once this information gets out, market forces will start to take effect,” he says.

The effort to clamp down on data storage is largely aimed at small merchants, where the risk is highest that POS software is storing data either without the merchant's knowledge or because the merchant mistakenly thinks the data are needed for chargeback research. As a result, such merchants are starting to draw the attention of data thieves.
There are around 6 million Level 4 merchants (those doing fewer than 1 million transactions a year), and they account for nearly one-third of Visa's volume. “Hackers are concentrating on smaller merchants,” Perez said last week at an Electronic Transactions Association trade show in Las Vegas. “That's where we see the greatest vulnerability.”

Visa and other organizations, including the newly formed PCI Security Standards Council LLC (Digital Transactions News, April 20), hope this year to make a set of software guidelines, known as Payment Application Best Practices (PABP), part of the PCI requirements. Visa has certified 135 software products from 80 vendors as meeting PABP.

Visa concedes overall PCI compliance among Level 4 merchants is low. Precise numbers aren't available because, though these merchants are obliged to comply, they aren't obliged to validate compliance. Compliance levels for other merchant groups vary widely, Visa reports. Twenty-six percent of Level 2 merchants are PCI-compliant now, with another 22% in remediation. Level 3 merchants (e-commerce businesses doing between 20,000 and 1 million annual transactions) have achieved 51% compliance, with a further 16% in remediation. Processors with a direct connection to Visa are 87% compliant, up from 79% a year ago. Sixty-two percent of agents, which include ISOs that process, transmit, or store transactions, are compliant, up from 40%. Some 12% are in remediation. Visa has identified 76 direct-connect processors and 432 agents.

Digital Transactions