In Depth
International Challenges in PCI Security
Bruce Larson, CSO at American Water, and others discuss the challenges of maintaining PCI DSS compliance when the company has a global reach. (Third in a series)
By Bill Brenner, Senior Editor
"Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?" he asked. He suspects it's because e-commerce is more popular and profitable in the U.S. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.
No financial incentives were mentioned in a recent statement from Visa Inc. announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by Sept. 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.
David Taylor, founder of the PCI Knowledge Base, agrees companies outside the U.S. don't enjoy the same degree of financial support. "There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers," he says.
Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the U.S.
"While Visa USA did offer some monetary incentives for U.S. merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise," she says.
Keep the global perspective
Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the U.S. are being used elsewhere. There's a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles.
His advice is to not let the scope of the challenge overwhelm the organization, and to use every remediation and control to give something back to the business, a return on investment beyond PCI itself.
"File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency," he says, noting that's good for business as a whole -- wherever in the world the company operates from.
PCI DSS: THE NEXT PHASE
About this series: The PCI Security Council recently released the latest version of its data security standard. CSOonline marks the occasion by asking companies where they continue to struggle in the battle for security and compliance, and what lies ahead.