All About the PCI Data Security Standard

More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.


“PCI says this [need for antivirus control] is more applicable if you’re running Windows servers and less applicable if you’re running Unix servers,” says Barrett, whose company, an eBay division, processed $37.8 billion in online payments during 2006. “It doesn’t actually say, if you’re running a Unix server you’re exempt from the requirement. You get into discussions with auditors about whether it’s enough. I expect PCI to mature over the next year or so, so that those discussions become much more routine.”

Likewise, the vulnerability that Stop & Shop dealt with, involving criminals who tampered with the equipment customers use to swipe their credit cards and input PINs, is not currently addressed in the PCI standard. “I think the standard will mature,” Kirkwood says, “and as it matures, it will be more comprehensive.” (For details, see “Bolting on Security at Stop & Shop” at

The bigger issue for CSOs, however, may be the nature of the discussions with the standards council, and how united a front the credit card associations are really presenting.

Barrett and Kirkwood both mention that a PCI audit acceptable to one card association does not always satisfy the other associations. Kirkwood says, “It’s the same standard, but it’s not like you can say you’re PCI-compliant and then you’re done for all the entities. Why don’t we have one PCI assessment of Ahold, and have that apply to everyone? I think that’s the way we’re going to evolve; we’re just not there yet.” Kirkwood thinks he understands the reasons why. “At American Express, we couldn’t rely on Visa certification, because if something happens to the merchant, then American Express would be in a really bad situation, saying they relied on what Visa did. The public would say, why did you do that?”

Council or no, Kirkwood says, it’s simply hard for any one body to take on that kind of responsibility. “If a central organization says, ‘We certify ChoicePoint,’ who gets sued when ChoicePoint has a problem? If you did that, you would have to have a limitation of liability that says something like, ‘We’ll review them, but don’t hold us accountable if something happens to them.’ Therefore the certification doesn’t mean too much.”

Suddenly, government intervention doesn’t sound like such a crazy idea.

The Best of All Possible Standards?

Of course, there are a raft of reasons why government intervention doesn’t work much better than the PCI standard. Look no further than HIPAA, which contains both security and privacy provisions for healthcare organizations. Despite the fact that the law is more than a decade old, there have been no fines to speak of, leaving some organizations scratching their heads about why they should bother complying. Meanwhile, federal CIOs and CISOs complain that the 2002 Federal Information Security Management Act has turned into nothing but an exercise in completing paperwork, rather than improving security. The one piece of federal legislation that did prompt widespread work on information security controls—the Sarbanes-Oxley Act—stemmed from one small section, 404, and corporate America is currently in rebellion that the end has not justified the multimillion-dollar means. The problem is always an economic one—not that compliance costs too much money, precisely, but that the money it costs isn’t worth spending.

The challenge for the card associations now is twofold: to prove the value of the PCI standard in and of itself, and to create an incentive system that gives organizations the final shove if the standard on its own doesn’t provide enough value. One-time compliance incentives may simply be too small. Visa’s $20 million incentive could be split up by as many as 33 merchant banks, which could then choose (or not choose) to pass on the incentives to thousands of their merchant customers. And even fines may not be enough. Visa, for instance, levied $3.4 million in fines in 2005 and $4.6 million in fines in 2006. But compliance likely would have cost fined organizations even more.

“It’s kind of like, you can drive a car without car insurance, but if something happens you’re going to be in big trouble,” says Rowe, of Chief Security Officers. “I think a lot of [merchants] are accepting the risk and hoping the controls they have in place will prevent a breach even though they may not be in compliance.”

The associations, leery of exercising their death penalty, have done so only once. After hackers accessed some 40 million card numbers stored by payment processor CardSystems Solutions in 2005, both Visa and American Express cut off the company’s ability to process payments. The company went into bankruptcy, where its assets were acquired by Pay By Touch. CardSystems disappeared.

More encouragingly, Visa has announced that it will start making PCI compliance a requirement for some reductions in the interchange fees charged to merchants who accept credit card payments. This is more a backward penalty than a new incentive: A merchant that currently qualifies for the reduced fee, known as tiered interchange, could lose that reduction because it’s not PCI-compliant. Visa’s Perez says the largest merchants could stand to lose millions of dollars annually. “It’s a very compelling incentive,” he says.

Count on chief security officers—risk managers at heart—to look at all these changes pragmatically. “If I was going to get fined $5 million but I brought in $150 million in business, that’s fine,” Kirkwood says, speaking hypothetically. “It becomes a cost of doing business.” A bigger motivator, however, is interchange fees. “That impacts the profit per transaction, which has a much bigger potential than anything else.”

Since announcing the changes, Visa has seen some increase in its compliance rates. Among what are known as Level 1 merchants, which process more than 6 million Visa transactions per year, compliance rose from 36 percent in December 2006 to 40 percent in January 2007. Among Level 2 merchants, which process between 1 million and 6 million Visa transactions each year, compliance inched up to 16 percent from 15 percent since the Level 2 requirements took effect in July 2006.

In the same time period, however, calls for regulatory action stepped up even more quickly. Shortly after the TJX breach disclosure, Barney Frank, chairman of the House Financial Services Committee, issued a stern rebuke, calling the incident “further evidence” of Congress’s need to intervene. “[T]hose institutions where breaches have occurred must be identified and they must bear responsibility,” the Massachusetts Democrat said in a statement. “Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today.”

No one really wants more regulation; everyone just wants the security breaches to stop. Jay White, global information protection architect at Chevron, where some business units must comply with the PCI standard, isn’t alone in pointing out that it would, in theory, be easier for private industry to police itself. “There are times when you are applying resources just for government compliance as opposed to having it add any business value,” White says. “I would rather have industry be self-regulated, until companies demonstrate that they can’t self-regulate.”

The PCI standard is corporate America’s big chance to demonstrate that it can self-regulate. The question now is, How long before it will have proven just the opposite?

Copyright © 2007 IDG Communications, Inc.
