In another sign that PCI DSS compliance isn’t going very well for everyone, the National Retail Federation has shipped a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data.
From the letter, written by NRF Chief Information Officer David Hogan:
“All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. With this letter, we are officially putting the credit card industry on notice. Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”
The letter notes that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all.
We’ve written quite a bit lately on all the trouble some merchants had meeting the Sept. 30 deadline set by Visa USA for companies to be in full compliance with PCI DSS. A recent report from VeriSign, for example, suggested many companies are still struggling with the demands of PCI DSS. The company based its report on a review of 60 PCI audits it recently conducted for 50 large companies and measured the extent to which companies are meeting more than 230 data security requirements. The company determined that 53% failed to meet key elements of PCI DSS and that companies were coming up short in such areas as regular testing, securing applications, logging and protecting data. The chief point of failure for 48% of customers was that they weren’t regularly testing their controls to make sure they work.
Of course, companies that haven’t done what Visa wants will face higher fees from the credit card network, and that’s left the NRF pretty upset.
I find this interesting because I’ve interviewed many PCI DSS auditors and IT professionals and they all say the same thing: Companies have no business hanging on to credit card data after a transaction is made. I didn’t realize this year-to-18-month storage requirement existed.
Even so, I think the NRF may be overreacting to all the data breaches that seem to be piling up by the day. There’s a lot of panic about the fact that data breaches keep occurring despite all the work companies have been forced to undertake to comply with the likes of PCI DSS. Those who are struggling to meet the standard are looking for someone to blame.
I’m not going to go off on these companies because there are a lot of reputable merchants out there that want to make their networks as secure as possible but don’t always have the resources to do all that’s needed. When a merchant faces the possibility that someone will revoke their ability to take credit cards despite their best compliance efforts, a little anger is inevitable.
Nevertheless, I’ve talked to several IT shops who are finding ways to meet PCI DSS. Granted, it’s easier to succeed if you’re a bigger company with more money and manpower, but there’s a lot of perspective out there that merchants need to drink in. As any security pro worth his or her salt will tell you, the name of the game isn’t simply to meet a deadline. Compliance, be it PCI DSS, HIPAA or GLB, is an ongoing process that will frequently need tweaking in response to new hacker tactics and emerging security technologies.
A merchant may not have done all that is needed to meet that Sept. 30 PCI DSS deadline. But if the business knows where the weaknesses are and outlines a solid game plan to address them, it’s doubtful that it will lose the right to do credit card transactions. And if there is a requirement that credit card data be stored for a certain amount of time, the answer is to encrypt that data and keep it walled off from the rest of the network through segmentation.
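To make the "encrypt it and wall it off" advice concrete, here is an added example (not from the column or any of the blogs it cites) of what a retention store for card numbers can look like when it must hold PANs for the retrieval window described above. It uses only Go's standard library: each record keeps a masked PAN for display and matching plus an AES-GCM ciphertext of the full number, with the masked value bound in as associated data so a record cannot be silently edited or have its ciphertext swapped. The record layout, the length checks and the assumption that the key comes from a separate key service in the segmented cardholder-data zone are mine; the PAN used in main is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the only record the retention store holds: a masked PAN for
// display and matching, and the AES-GCM ciphertext of the full PAN. The key is
// NOT part of the record; it is assumed to live in a separate, segmented key
// service, so a copy of the store on its own yields nothing usable.
type StoredCard struct {
	Masked     string
	Nonce      []byte
	Ciphertext []byte
}

// MaskPAN keeps only the last four digits, the form that may be shown or logged.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN under a fresh random nonce. The masked PAN is passed
// as associated data, so the ciphertext is bound to its own record: swapping
// ciphertexts between records or editing the masked field fails authentication.
func EncryptPAN(key []byte, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	masked := MaskPAN(pan)
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(masked))
	return StoredCard{Masked: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN is the retrieval-request path: it is the only function that
// should ever hold the key and the clear PAN together.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Masked))
	if err != nil {
		return "", err // tampered record or wrong key: refuse rather than return garbage
	}
	return string(pt), nil
}

func main() {
	// Constructed 256-bit key for the demo; a real deployment would fetch it
	// from a key-management service inside the segmented cardholder-data zone.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(key, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: masked=%s ciphertext=%x\n", rec.Masked, rec.Ciphertext)
	pan, err := DecryptPAN(key, rec)
	fmt.Println("retrieved:", pan, err)
	rec.Masked = "************9999" // simulate someone editing the stored record
	_, err = DecryptPAN(key, rec)
	fmt.Println("after tampering:", err)
}
```

The design choice worth noting is that nothing in the store can be decrypted without a call into the key service, which is exactly the boundary segmentation is meant to enforce: the database tier can be reached by the point-of-sale and reporting systems, but the key never leaves the zone that answers retrieval requests.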
In an effort to bring some sanity to the business community, I’ve scoured the blogosphere in search of some wisdom. It didn’t take me long to find some. And so here it is:
The PCI DSS Compliance Demystified blog is, as its keepers put it, “devoted to demystifying the PCI DSS compliance process and linking you with as many resources as we can. The goal is to decentralize the information and provide a better ROI to your company or your clients.”
The Realtime IT Compliance Community blog is a good source for information related to IT compliance, regulations, information security and data protection. It includes links to other blogs, articles, white papers, and podcasts as well as links to external resources.
Dr Anton Chuvakin’s blog frequently focuses on information security and PCI DSS.
The PCI DSS News and Information blog is a collaboration between NACUBO and the Treasury Institute and is a place where you can keep up to date on recent developments and ask questions.
The IT Toolbox community, which includes a ton of blogs, has a lot of handy links to PCI DSS information, including this “PCI Made Easy” whitepaper link.
The CSO Central blog often includes a lot of helpful advice on PCI DSS.
There are many more security blogs out there offering information on PCI DSS, but the blogs I’ve just listed show that there are plenty of voices of reason out there, and the first step to achieving compliance is to approach it without fear.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.