The Payment Card Industry data-security standard (PCI) is a favorite punching bag of merchants, but executives from Visa Inc. and MasterCard Inc. defended the set of security rules before an audience of independent sales organizations as the best tool available for keeping cardholder information safe from computer hackers. They also challenged the mentality that passing an annual PCI assessment means a merchant can breathe easy on security for another year. “We're looking at that finishing line. Data security is an ongoing process,” said Diana Greenhaw, information security specialist at Visa.

Greenhaw and John Verdeschi, vice president of advanced payments at MasterCard, gave a PCI presentation on Wednesday at the Electronic Transactions Association's 2009 Annual Meeting and Expo in Las Vegas. She called PCI a “strong” and “robust” foundation for card security. Repeating what PCI defenders have said earlier, Greenhaw said no entity that has been compromised has been PCI-compliant at the time of the breach, even though some, such as merchant acquirer Heartland Payment Systems Inc. and retailer Hannaford Bros. Inc., said they had passed their most recent PCI audits before their breaches.

While that position has many merchants wondering why they must spend the time and money to comply with PCI (Digital Transactions News, April 23), Verdeschi noted that breached entities might not have maintained compliance. Staying compliant, he said, “is a challenge.” He added in answer to a question that, “technically speaking, companies will fall in and out of compliance.” In fact, even the most security-conscious companies get breached, Verdeschi noted. But if they've done their homework, the breach is contained to one part of the computer system, does not result in data being compromised, and is discovered quickly and remedied, he said.
Another reason a merchant or processor may pass a PCI audit but still be breached is that the scope of its PCI assessment “was not comprehensive enough,” he said.

While the PCI Security Standards Council updates and manages the rules, the card networks are in charge of enforcement. In regard to merchants, the networks delegate most enforcement duties to merchant acquirers.

Beginning in the fourth quarter, MasterCard will institute a new system by which it wants processors to report PCI compliance. The system, which Verdeschi called “six milestones,” makes no changes to PCI's 12 major categories or 240 specific requirements, but it will help acquirers set priorities in implementing PCI, he said. The milestones are:

– Emphasizing PCI's mandate for merchants not to store cardholder data any longer than necessary. “If you don't need it, don't store it,” Verdeschi said.
– Securing the perimeter around a computer system that handles card data, such as with a firewall.
– Securing software applications that touch card data.
– Controlling access to computer systems, one way being through strong passwords.
– Protecting the primary account number (PAN), one technique being encryption.
– Complying with everything else in the PCI rules.

Greenhaw said that, in contrast to some reports, Visa does not oppose encryption. Heartland has called for end-to-end encryption of card data in the transaction process, and payment-card terminal vendors also are promoting encryption. But encryption imposes its own costs, including somewhat slower transaction speeds. “Encryption is a very valuable [tool], but it is not a silver bullet,” Greenhaw said.

Visa this week reported incremental progress by U.S. merchants in validating their PCI compliance in the past quarter. Some 93% of 362 so-called Level 1 merchants, those submitting 6 million or more Visa transactions a year, had validated PCI compliance as of March 31 compared with 91% on Dec. 31, 2008.
These big merchants account for 50% of Visa's transactions. Among 702 Level 2 merchants, those submitting 1 million to 6 million Visa transactions, 88% had validated PCI compliance as of March 31 compared with 87% on Dec. 31. Level 2 merchants generate 13% of transactions. Validated PCI compliance among the 2,627 Level 3 merchants, which produce less than 5% of transactions, remained the same at 57%. Level 3 merchants are those that submit 20,000 to 1 million Visa e-commerce transactions annually. Visa aggregates PCI data reported by merchant acquirers. And among Visa's estimated 6 million small, so-called Level 4 merchants, validated compliance remains “low,” Greenhaw said (Digital Transactions News, April 23). Visa requires acquirers to have plans to bring small merchants into PCI compliance, but so far the effort has focused mostly on merchant awareness and education.