
IT Compliance Institute, January 17, 2006:

Trends and Technologies

Handling PCI Hurdles

The PCI standard took effect on June 30, 2005, but companies have been slow to chase the compliance banner. What obstacles must merchants and service providers overcome to meet it?

By Mathew Schwartz

Remember June 30, 2005? That’s the day the Payment Card Industry Data Security Standard (PCI DSS) took effect.

Backed by American Express, Discover, MasterCard, and Visa, the PCI standard groups merchants processing credit card transactions into one of four levels, based on annual transaction volume: level 1 (over 6 million), level 2 (150,000 to 6 million), level 3 (20,000 to 150,000), and level 4 (all others). Service providers are sorted into a separate set of levels.

The 12 PCI requirements apply at every level; what varies by level is how compliance must be validated, ranging from an annual on-site audit, to quarterly network scans, to a self-assessment questionnaire covering such things as effective firewall use and whether access to cardholder data is restricted on a need-to-know basis. Companies that are not compliant can face fines or lose the ability to accept cards.

With the PCI deadline in the past, are most companies in compliance? The short answer is, no. Reasons for the poor uptake to date range from scant marketing by PCI’s backers and banks’ inadequate educational efforts to the technical complexity of the standard.

According to Visa, 30 percent of covered companies were compliant as of the June 30 PCI deadline (with more applications in the pipeline), but others say differently. “I’d put a question mark next to that figure. I’d think it was down in the 10 percent region that were actually compliant by then,” says Nigel Tranter, a partner and PCI-certified auditor in Payment Software Co., a small auditing firm based in San Jose, Calif., that works predominantly in the payment industry. “We’re working with a number of small and large companies that are still struggling to be compliant, and one of the biggest reasons is because the standard is quite tough.”

Another reason for slow PCI uptake may also be inadequate educational efforts by the PCI backers themselves. “The biggest hurdle we and our merchants had was just understanding what it was,” notes Jen Heil, chief technology officer of San Jose-based MonsterCommerce Inc., which provides e-commerce services to more than 5,000 companies and is a PCI level 1 service provider. “Visa’s been a little quiet; I wish they’d be a little louder about this, and about the ‘why do I have to do it,’ before everyone starts asking if you’ve done it. The more information we can provide to our merchants regarding what’s going on in the industry and certifications that are out there, the better.”

While PCI enforcement has so far concentrated on e-commerce, the standard applies to any organization that stores, processes, or transmits cardholder data, including merchants taking cards in person, though that side of things has also lagged. “The issue here is Visa relied on the banks in promoting and getting this done, and there are a large number of banks who, for whatever reason—why, I’m not going to speculate—haven’t pushed PCI as hard as they could,” says Tranter. “There are a large number of people I’ve spoken to out there who are surprised this PCI stuff even exists.” Even after the PCI deadline, he says, he knows merchants who contacted banks, saying they were ready to comply, and their banks said, “What are you talking about?”

Some also question whether the PCI standard is thorough enough to be effective. For example, Brian Grayek, chief technology officer of Preventsys Inc. in Carlsbad, Calif., highlights how PCI only requires on-site audits at level 1 companies. All other compliance is self-reported. He sees that discrepancy as cause for concern. “There are only a handful of people who are at level 1,” he notes. “Ninety percent—or more—of the merchants are going to be in [at least] level 2 and 3, and they only have to do a 75-question form and a scan every quarter.”

Beyond effectiveness, governance is another concern. “The real challenge here will be in getting these requirements enforced,” says Chris Farrow, director of the Configuresoft Center for Policy & Compliance. “As long as the PCI DSS relies heavily on self-auditing, many vendors will continue to drag their feet.”

With the deadline now about half a year in the past, is mass PCI compliance imminent? Based on continuing inquiries from potential clients, “I still think we have a long way to go,” says Tranter. “But that’s just a gut feel on my part.”

Tips for Passing PCI

For companies that must still adopt PCI, how tough is the standard? Tranter says he doesn’t recall auditing any company that passed PCI the first time. “We’ve had companies that are ISO 9000 compliant, SAS 70 compliant, and they still failed [PCI] the first time through.”

Documentation is a frequent problem. “There are some documentation ideas in PCI that we call quite high-caliber, in that they require formal review, formal signoff, and a chain of command before something can take place, and that’s very foreign to many organizations,” says Tranter. For example, some IT departments historically just implemented firewall changes or reconfigured servers themselves, without having to get chain-of-command permission first. Under PCI, that has to change.

Many companies also struggle with PCI’s key-management requirement. “A lot of people don’t understand what that means,” says Tranter. “We’ve encountered companies that have encrypted databases and very proudly showed us what they’d done. So we asked, ‘Where’s the key?’ They said, ‘It’s in the database.’” A key stored alongside the data it protects falls to the same database dump that exposes the ciphertext, so that is not effective key management. Tranter says PCI implies a company will use dedicated key-management technology.
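The “key in the database” pattern Tranter describes is exactly what envelope encryption is meant to rule out. The following is an added example, not code from the article or from any product it mentions: each card number is encrypted under its own data-encrypting key (DEK), the DEK is wrapped under a key-encrypting key (KEK) that exists only inside a simulated HSM/KMS (the `kms` type is a constructed stand-in for such a device), and the database row holds only the ciphertext, the wrapped DEK and the wrapping key's ID. The `rewrap` step shows why this layout makes the periodic key rotation that PCI's key-management requirement also calls for tractable: rotating the KEK re-wraps a few dozen bytes per row instead of re-encrypting the data. The PAN 4111111111111111 is a constructed test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type kms struct { // constructed stand-in for an HSM/KMS: KEKs live only here, never in the database
	keks    map[string][]byte // KEK ID -> key material
	current string            // KEK used for new wraps
}

type record struct { // one database row: ciphertext, wrapped DEK, and the wrapping KEK's ID
	KEKID                  string
	WrappedDEK, Ciphertext []byte
}

func randomKey() []byte { // 32 bytes from the OS CSPRNG; no entropy is fatal
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcm(key []byte) cipher.AEAD { // AES-256-GCM; keys here are always 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bug in this code, not a runtime condition
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func seal(key, plaintext []byte) []byte { // random nonce is prepended to the output
	g := gcm(key)
	nonce := randomKey()[:g.NonceSize()]
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) { // fails on a wrong key or on tampering
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func newKMS() *kms {
	k := &kms{keks: map[string][]byte{}}
	k.rotate()
	return k
}

func (k *kms) rotate() { // a new KEK becomes current; old ones stay for unwrapping until rewrap has run
	k.current = fmt.Sprintf("kek-%d", len(k.keks)+1)
	k.keks[k.current] = randomKey()
}

func (k *kms) unwrap(id string, wrapped []byte) ([]byte, error) {
	if kek, ok := k.keks[id]; ok {
		return open(kek, wrapped)
	}
	return nil, fmt.Errorf("unknown KEK %q", id)
}

func encryptPAN(k *kms, pan string) record { // fresh DEK per row: data under the DEK, DEK under the current KEK
	dek := randomKey()
	return record{k.current, seal(k.keks[k.current], dek), seal(dek, []byte(pan))}
}

func decryptPAN(k *kms, r record) (string, error) {
	dek, err := k.unwrap(r.KEKID, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.Ciphertext)
	return string(pt), err
}

func rewrap(k *kms, r record) (record, error) { // move a row onto the current KEK; the ciphertext is untouched
	dek, err := k.unwrap(r.KEKID, r.WrappedDEK)
	if err != nil {
		return record{}, err
	}
	return record{k.current, seal(k.keks[k.current], dek), r.Ciphertext}, nil
}

func main() {
	k := newKMS()
	rec := encryptPAN(k, "4111111111111111") // constructed test PAN
	_, err := decryptPAN(newKMS(), rec)      // a DB dump in the hands of someone without the real KEK
	fmt.Println("dump alone decrypts:", err == nil)
	k.rotate()
	rec, _ = rewrap(k, rec)
	fmt.Println(decryptPAN(k, rec))
}
```

Run it and the first line reads `dump alone decrypts: false`: a copy of the table handed to an attacker who brings their own key store yields nothing, because the wrapped DEK opens only under the KEK held in the real KMS. With the key row sitting in the same dump, as in the case Tranter recounts, the same copy would have yielded every card number.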

The third most common problem is the failure to meet PCI requirement 6.5: “develop Web software and applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines.” The requirement deals with “the testing and the software development of applications to protect them against application-level hacking,” including SQL injections and cross-site scripting attacks, says Tranter. Yet “a lot of companies haven’t gotten their heads around what that means.”

Often, he says, an organization covered by PCI will have “good network setup, good application development processes, but then we don’t see anything that’s formally testing OWASP specifications.”
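What “formally testing” against the OWASP classes Tranter names can look like in practice, as an added example that is not from the article: a deliberately vulnerable Go handler, constructed for this example, reflects a query parameter into HTML with no encoding, a hardened version renders the same page through html/template, and a small in-process probe sends canary cross-site scripting payloads to each and reports any that come back unescaped. Dropped into a project's unit tests, the probe turns requirement 6.5 from a line on a questionnaire into a build that fails when output encoding is missing; the same harness pattern extends to SQL-injection probes against a database-backed handler.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableSearch is a constructed handler that reflects user input into HTML
// with no output encoding: the classic reflected cross-site scripting bug.
func vulnerableSearch(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "<h1>Results for %s</h1>", r.URL.Query().Get("q"))
}

// hardenedSearch renders the same page through html/template, which applies
// context-aware escaping to the interpolated value.
var searchPage = template.Must(template.New("search").Parse("<h1>Results for {{.}}</h1>"))

func hardenedSearch(w http.ResponseWriter, r *http.Request) {
	_ = searchPage.Execute(w, r.URL.Query().Get("q"))
}

// xssProbes are canary payloads for the text, double-quoted and single-quoted
// contexts. If one comes back byte-for-byte, attacker-controlled markup reached the page.
var xssProbes = []string{
	`<script>alert(1)</script>`,
	`"><img src=x onerror=alert(1)>`,
	`'><svg onload=alert(1)>`,
}

// reflectsUnescaped drives handler h in-process with every probe in the named
// query parameter and returns the payloads that were reflected unescaped.
// An empty result is a pass; call it from the project's unit tests.
func reflectsUnescaped(h http.HandlerFunc, param string) []string {
	var hits []string
	for _, p := range xssProbes {
		req := httptest.NewRequest(http.MethodGet, "/search?"+param+"="+url.QueryEscape(p), nil)
		rec := httptest.NewRecorder()
		h(rec, req)
		if strings.Contains(rec.Body.String(), p) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	fmt.Println("vulnerable handler reflects:", reflectsUnescaped(vulnerableSearch, "q"))
	fmt.Println("hardened handler reflects:  ", reflectsUnescaped(hardenedSearch, "q"))
}
```

The check deliberately looks for the exact payload rather than for `<script>`: html/template turns `<`, `>`, `"` and `'` into entities, so a hardened page never contains the probe verbatim, while a handler that merely strips the word `script` still fails the attribute-context probes.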

Finally, Tranter recommends organizations not focus exclusively on technology when striving for ongoing PCI compliance. “There is one potential element of PCI which is kind of missed—the human dimension, which is how people interact and how the business operates, and how people help with the security of systems. That’s not quantified with PCI, and that’s what auditors have to go in and assess.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.