A Look at PCI in 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

What are the PCI stories we are likely to see in the coming year? We know there is a new/revised version of PCI due to become effective in October, but what are the likely changes?

And let’s not forget the card brands themselves or the technology vendors who constantly promise to make merchants’ lives easier (if maybe a little more expensive). With a new year in front of us (and caution behind), here are some forecasts and speculation for the coming year in PCI.

May 1st will see the updated release of PCI labeled “version 2.0.” My reading of the tea leaves is that the Council will take the opportunity to declare the revised standard a whole new version rather than simply an upgrade from the current version 1.2. It may all be appearances, but calling it a new version communicates the evolution of the standard.

Some will criticize the move contending PCI is a shifting, unstable standard, but I don’t think too many people buy that argument. PCI needs to evolve to reflect the latest attack vectors and technology, and tagging the latest release as a new version communicates that dynamism. And yes, it’s good PR for the Council, too.

Version 2.0 could mandate automated cardholder data discovery. One change I anticipate is mandating the use of automated cardholder data discovery tools. I say that for a couple of reasons. First, the Council has been encouraging QSAs to use data discovery tools in our assessments. They even provide a list of both open source and commercial products at QSA training sessions complete with examples of how to configure them.

Then at September’s PCI Community Meeting the Council gave Verizon a prime slot to pitch their data breach investigations report. That report highlighted that in 38 percent of breaches (representing fully 67 percent of compromised records) the breached entity had no idea it was storing the cardholder data. You can’t protect what you don’t know you have, and the only way to be sure you know where all your data are is to conduct an automated search. Therefore, I am looking for the Council to require automated data discovery starting in October.

Why is this important for merchants? If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1).

If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search.
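The kind of automated cardholder data discovery the column expects the Council to require, as an added example that is not code from the column or from any Council-listed tool: a small Python scanner (function names and the sample files are constructed here) that walks a file tree, keeps only Luhn-valid PAN candidates, and reports them masked so the scan report does not itself become a new store of cardholder data.

```python
# Minimal cardholder-data discovery scan (added example): walk a directory
# tree, flag Luhn-valid PAN candidates, and report only masked values.
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run (a 25-digit serial number is skipped).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def luhn_ok(digits):
    """Mod-10 check that every card brand's PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Show at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (line number, masked PAN) for each Luhn-valid candidate."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((no, mask(digits)))
    return hits

def scan_tree(root):
    """Scan every regular file under root; keys are paths relative to root."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hits = find_pans(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample data: a forgotten export plus a clean application log."""
    (Path(root) / "exports").mkdir()
    (Path(root) / "exports" / "orders.csv").write_text(
        "order,card\n1001,4111 1111 1111 1111\n1002,5555-5555-5555-4444\n")
    (Path(root) / "app.log").write_text(
        "order 1234567890123456 ok\ncard 4111111111111112 declined\n")

def scan_sample():
    """Build the constructed tree in a temp dir and return its scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

The two 16-digit strings in app.log are deliberately Luhn-invalid, so only the export file appears in the report; a real scan would also need to read databases and binary formats, which this example does not attempt.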

Council PCI training will be oversubscribed. Both Level 1 and Level 2 (thank you, MasterCard) merchants have an incentive to send staff to the Council’s PCI training. The training runs about $1,000 per person for the two-and-a-half day session, but it can be a bargain if you can leverage it to reduce the effort in your annual assessment.

As a QSA, I love it when my client knows a lot about PCI since it makes the assessment go much smoother. Another advantage for merchants is that you are less likely to fall afoul of knuckleheaded mistakes like missing a quarterly scan when you have somebody on staff who knows and understands the requirements.

I have two words of advice to those who take the training: pay attention. The training is good if a bit tedious at times, but there is a test at the end to get the credential (details are still being decided). You won’t want to explain to your boss how you blew the test (and the budget). The training will continue to be across regions, so check the Council’s website for the dates and locations. Sign up early, as space will be limited.

I expect no Level 2 merchant blowback against MasterCard. The card brands should remain relatively quiet this year. That is, I don’t look for significant new mandates from Visa or game changing surprises from MasterCard that impact merchants directly.

While I don’t expect it, I will be watching for signs of merchant reaction to MasterCard’s new Level 2 validation requirement. Specifically, I will be interested to see if some reasonably visible L2 merchant drops MasterCard acceptance in a very public display of displeasure over its new PCI validation requirements.

I support MasterCard’s move for more comprehensive validation of Level 2 merchant compliance. Unfortunately, the requirements were communicated poorly and they proved to be a moving target. I still do not agree with the reciprocity provision and shifting the date will only delay the merchant train wreck.

Even with all of that, I can’t see a merchant dropping MasterCard acceptance: merchants want to make the sale. People carry fewer cards these days so reducing your customer’s payment options makes no sense and it is inappropriate to involve the customer in your dispute.

There are, however, at least two precedents. Several years ago, some restaurants very publicly rebelled against American Express’s higher fee structure and stopped accepting that brand. More recently, many colleges and universities have dropped Visa acceptance because Visa is the only brand that does not allow the schools to pass on the merchant fee. And Best Buy has now stopped accepting Visa contactless cards because of what the retailer saw as a fee hike.

Unlike the restaurant boycott of Amex, I don’t think Visa will step in with an advertising blitz supporting a merchant who drops MasterCard. Similarly, there could be negative publicity for a merchant perceived as taking this action because they “do not take customer privacy seriously.” Nevertheless, it will be interesting to see if any L2 merchant gets sufficiently incensed to justify accepting only one bank card brand – albeit the larger one – and not the other.

There will be no technology silver bullets. I expect no major breakthrough in technology easing merchants’ PCI burden this year. I can’t tell you how much I want to be wrong, but I just don’t see it happening.

The Council is investigating several technologies that could impact PCI compliance and even change the DSS itself. The hurdles are pretty high, given all the existing merchant systems and processes that would need to change to implement these technologies. And, in this economy, it will be difficult for most merchants to justify the investment and disruption.

Do you disagree? Let me know. Leave a comment below or send me an E-mail at [email protected].