Dying Is Easy, PCI Is Hard

PCI deployment isn't perfect, but it's quite impressive how far it's come given the mammoth obstacles. As its most public face, Visa has taken a lot of the criticism, but it also deserves much of the credit.

As a group, humans are a tough audience. Cruelly and quixotically, the more difficult and massive the task, the quicker we are to point out the shortcomings rather than praise the accomplishments.

In retail technology today, there are few efforts more monumental and difficult than attempts to regulate credit card security. The Payment Card Industry Data Security Standard (known simply as PCI) is the industry's best shot.

Please don't get me wrong. There are plenty of issues with PCI deployment today. But let's not be too quick to attack the very good for not achieving the unattainable perfection.

Consider the challenge of creating a single set of security rules that would be applied to businesses as diverse as Wal-Mart, 7-Eleven, McDonald's and Rite-Aid as well as single-store retailers on street corners across America. Some of those companies have large IT staffs and process billions in transactions, while others might still be using electronic cash registers (and some that are not so electronic).

It is a committee-formed set of rules (think of the glacial pace of most standards efforts) that needs to be one step ahead of the world's top cyber thief networks.

Michael Barrett, the chief information security officer at PayPal (and a new member of the PCI Council), phrased it well when he said PCI's weakness is that "it's both too specific and too vague. It needs to be specific about what needs to be done, but not specific as to how it needs to be done."

PCI's main effort to date to strike such a balance is something called compensating controls, where retailers can avoid adhering to a particular rule if they can make a persuasive argument to the auditor for an alternative method that would deliver roughly the same result. Thus far, Barrett said, compensating controls need work and they tend to be far too time-consuming.

Compensating controls are "a painful exercise and you have to go through it every year" and endure "a very long discussion with the auditors about whether or not you have the series of controls," Barrett said, adding that some text in the edict is "downright confusing."

But Barrett's tone changes rapidly when the conversation turns to the many major retailers today who are still not PCI compliant. "It really does describe an everyman kind of security program. As a consequence, you really ought to be able to pass" if you have a halfway decent security program, he said. "What I have no sympathy for" are retailers who say that PCI is worthless and who therefore don't even try.

Last week, this column talked about a memo from one of the nation's largest credit card processing banks, Fifth Third Bank, and how it reflected Visa softening one of its financial threats to non-compliant retailers.

"Visa's initial program announcement stated that, effective October 1, 2007, non-compliant merchants will no longer be eligible for Visa" reduced transaction fee programs, the memo said. "Now, according to Visa's clarification on their policies regarding tiered interchange qualification and fines, merchants that have not validated full compliance by September 30, 2007, will no longer qualify for the best available tiered interchange rates. This means that Visa (transactions) submitted from non-compliant merchants, that are normally eligible for tiered interchange, will be downgraded one interchange tier."

Although neither Visa nor Fifth Third would comment before the stories were published, Visa did surface after the column ran to seek a clarification. The story quoted the memo accurately, but Visa (anonymously, of course) challenged Fifth Third's contention that Visa had initially planned on banning retailers from the program entirely. Visa had never specified that, the card company's representative argued.

Beyond the problem of proving a negative (how can we ever prove that no one from Visa ever made a particular comment?), this raises an interesting issue. Beyond a few legally phrased memos from time to time, most of the communication from Visa has been passed by word of mouth. Is it possible that Visa representatives in the field made the threat more specific than corporate had intended? Or was Fifth Third speculating?

This also nicely illustrates the huge burden on Visa. Technically, we should be saying credit card companies, but Visa is the only one that has stepped up to the plate to address these issues. Visa has periodically released compliance numbers, a move that MasterCard, American Express and Discover haven't even tried. Why should they? If Visa's out there taking the heat, why bother?

From an information-hungry writer's perspective, our understanding of the state of compliance today is not particularly weakened by the absence of those other players. In the U.S., it's almost impossible to find a retailer that accepts credit cards but doesn't accept both Visa and MasterCard. It's almost as difficult to find a merchant that takes AmEx or Discover and doesn't also take Visa. Still, this does make Visa the lightning rod for any PCI criticism.

Among the many culprits that are keeping the PCI compliance figures lower than Visa wants them to be is, for lack of a better term, legacy systems. You can't quite blame Visa (or PCI or, for that matter, the retailers) because so much of the installed equipment and software dramatically predates PCI's existence.

That legacy problem is why some retailers are saying that they might need as many as two more years to become fully PCI compliant, especially with encryption, according to one Visa security official who also asked to remain anonymous.

The good news is that this particular PCI hurdle will theoretically not be an issue in five to ten years, as technology attrition wipes out the pre-PCI systems.

That official also clarified a confusing new Visa program for retailers that will not be compliant by Oct. 1, 2007. If they're willing to pledge that they will be compliant by Oct. 1, 2008, Visa is offering them three months of their fee reduction. (The memo said as many as three months, but this Visa official said the intent is that it will be the full three months, wherever practical.) The money, however, won't be paid until the retailer actually gets a compliance certification, presumably before Oct. 1, 2008.

There's little doubt that Visa is taking the security compliance issue seriously, but it's in a delicate position. Setting aside the political issues (Visa needs these retailers for all of its revenue and there are alternative programs cropping up), pushing a security compliance program is nothing if not delicate. With the goal being to improve credit card security, Visa knows that pushing too hard will backfire, giving more retailers an excuse to not even try. But pushing too gently is almost as bad because these programs are expensive and time-consuming and retailers won't do them without an incentive and a threat.

Perhaps it's only fair to cut Visa a little slack and to take a moment to acknowledge the tremendous contribution it's made. So just for this column's ending, I'll say, "Great job! (pause) And if you guys could perhaps do something about the auditor conflict of interest." Sorry. I weakened.