"This is a bow to reality," said Mark Rasch, a former federal prosecutor who now specializes in retail security issues. "The first version was more of a Utopian view of what Visa and MasterCard thought were workable standards based on what people should do. This is a minor tweaking based upon what people are doing."
Although there are several factors influencing the changes to the Payment Card Industry (PCI) data security standard rules, the makeup of the governing body is a critical one. Last week, the PCI data security group was officially expanded beyond just Visa and MasterCard to also include American Express, Discover and Japan's JCB.
David King is the CIO of the $2.7 billion Regal Entertainment Group, which is the nation's largest movie theater chain. He applauded many of the new PCI requirements, but he especially liked the new makeup of the PCI standards group.
"We have been having to deal separately with Visa, MasterCard, American Express and now Discover, who are all clamoring for compliance audits and meeting with their people and being reviewed," King said. "I'm glad that we'll be dealing with a single body and maybe a single set of criteria. That'll be good."
The rules were updated in PCI Data Security Standard version 1.1 partly to address criticism that the earlier rules did not factor in the practical considerations of running a retail chain. For example, the requirement for file integrity monitoring software that watches for unauthorized modification of critical system files had mandated that file comparisons be run daily. That has now been relaxed to weekly.
"In thinking about the new changes, we asked, 'How do you apply it in a real-world scenario?'" said Seana Pitt, chairperson of the PCI Security Standards Council and a VP of global merchant policy and data quality for American Express. "If you look at the information on a daily basis, it's just a lot of data to work through. This approach is more applicable to the day-to-day running of an IT organization. It did not erode the security."
Michele Borovac, director of marketing at Decru, a storage vendor that has been closely watching the PCI process, agreed. "It's overkill to try and run it daily. It's a burden and the data simply doesn't change that often," Borovac said.
One change in the other direction was the requirement that wireless analyzers be used periodically. In the old version, such analysis was only required when a wireless application was in use, but the new rule requires that the testing be done "even if wireless is not currently deployed" in order to find rogue wireless networks that have been installed surreptitiously.
Today's larger retailers "have very complex networks" and it's "very easy to plug in something in the heat of the moment," Pitt said. It's not that difficult for wireless access to be accidentally enabled given the large number of hardware, software and networking devices today with wireless capabilities.
Regal's King was not comfortable with the new wireless requirement. "I feel that it's a little bit of an overkill," he said, because the complexity of a typical large retailer does not fit neatly into the new rule.
"Even if one does detect the presence of wireless activity inside one's firewall, whether or not that wireless activity is secure or whether credit card activity is flowing across that wireless component, whether or not one can enter through that wireless port and get through to encrypted data," King said. "The complexity of an environment that a Level One merchant is going to have needs to be looked at more from an engineering standpoint than 'Let's take a wireless analyzer and let's put it inside your stores and see if I can detect any wireless activity.'"
Part of the reason for that is where Regal puts many of its movie theaters. The fact that many of them are located inside malls, immediately adjacent to large numbers of smaller merchants (many of whom may run their own wireless access points), makes for some challenging tests.
"So they're going to turn on a WiFi finder and they're going to find lots of wireless connections. Some secure, some not secure," Rasch said. "They can't just say, 'Well, those aren't ours' because they have no idea whether this is a rogue part of their network that somebody has put up. How do you validate--in a place that may have 20 or 30 WiFi connections--that none of them are yours? It's a difficult task."
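Rasch's question, how to tell which of 20 or 30 detected networks are actually yours, cannot be answered from the over-the-air scan alone. The following is an added example, not code from the article, Regal or any PCI tool, of the kind of correlation an engineering review would do with the scan results: each detected BSSID is checked against the inventory of authorized access points, then against the MAC addresses learned on the store's own switches (a wired-side twin, typically a MAC within a few addresses of the radio's BSSID, is evidence the device is plugged into your LAN), and finally against your own SSID names to flag impersonators. The scan results, the authorized list, the switch MAC table and the BSSID-adjacency window are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str  # radio MAC as seen by the wireless analyzer
    ssid: str
    rssi: int   # dBm, informational only


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def _adjacent(a: str, b: str, window: int = 8) -> bool:
    """Heuristic (assumption): many consumer APs derive the radio BSSID from the
    wired MAC by a small offset, so a wired MAC within `window` of the BSSID
    suggests the same box is on our switch."""
    return abs(_mac_int(a) - _mac_int(b)) <= window


def classify(scan, authorized_bssids, wired_mac_table, our_ssids):
    """Return {bssid: verdict} for every detected access point.

    authorized   : BSSID is in our inventory
    rogue        : not ours, but a wired-side twin is on our switch (inside the firewall)
    impersonating: not ours, not on our wire, but advertises one of our SSIDs
    neighbor     : seen over the air only; no evidence it touches our network
    """
    authorized = {m.lower() for m in authorized_bssids}
    wired = [m.lower() for m in wired_mac_table]
    ours = {s for s in our_ssids}
    verdicts = {}
    for ap in scan:
        b = ap.bssid.lower()
        if b in authorized:
            verdicts[b] = "authorized"
        elif any(_adjacent(b, w) for w in wired):
            verdicts[b] = "rogue"
        elif ap.ssid in ours:
            verdicts[b] = "impersonating"
        else:
            verdicts[b] = "neighbor"
    return verdicts


def demo() -> dict:
    """Constructed mall-store scenario: one of ours, one food-court AP, one rogue
    on our switch, and one stranger broadcasting our SSID."""
    scan = [
        AccessPoint("00:1a:2b:3c:4d:50", "REGAL-POS", -41),      # our own AP
        AccessPoint("d8:47:32:aa:bb:cc", "FoodCourtFree", -70),  # next-door merchant
        AccessPoint("c4:e9:84:12:34:57", "linksys", -55),        # consumer AP, BSSID = wired MAC + 1
        AccessPoint("00:11:22:33:44:55", "REGAL-POS", -62),      # evil twin, not on our wire
    ]
    authorized_bssids = ["00:1a:2b:3c:4d:50"]
    # Constructed MAC table as exported from the store switch (CAM/ARP): our AP's wired
    # side plus an unknown device that matches the rogue radio above.
    wired_mac_table = ["00:1a:2b:3c:4d:4f", "c4:e9:84:12:34:56"]
    return classify(scan, authorized_bssids, wired_mac_table, our_ssids={"REGAL-POS"})


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}  {verdict}")
```

The adjacency heuristic is deliberately weak in one direction: a rogue device whose radio and wired MACs are unrelated (an enterprise AP, a phone in hotspot mode bridged through a laptop) will be labelled "neighbor". That is exactly King's point that the scan is a starting point for engineering work, tracing the switch port, checking what traffic reaches it, rather than a pass/fail test by itself.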
Another change prohibits cardholder data from being stored or copied during remote access. The earlier version had demanded that all such access be disabled. "In the past, they said, 'You can't access it. Period,'" Borovac said. "Retailers said, 'That's not plausible. We need to give people who are working remotely access.'"
The potentially most significant change involved compensating controls, which can now be used instead of encryption. Before, encryption was considered mandatory.
The change was mostly a concession to costs and logistics: many retailers argued that it was not practical for them to encrypt all cardholder data and proposed alternative, and more complicated, ways of protecting it. Older retailers with substantial legacy systems had been especially concerned, Pitt said. "To think about encrypting data on that mainframe is costly and it takes a long time," she said.
Decru's Borovac argued that the PCI committee, whether consciously or subconsciously, is discouraging retailers from using compensating controls by putting in place a much more onerous certification process for those using compensating controls than for those who encrypt. "It comes down to the ease with which people will want to pass their audits," Borovac said.
Regal's King agreed, which is why his chain has aggressively embraced encryption, even though it sharply limits its CRM ability to learn about its customers and market to them.
"I think that investing in encryption is going to be so less onerous and so less expensive as opposed to going with a whole variety of compensating controls. Things change, situations change, technologies change. And to manage all of the different compensating controls that one would need to have if one doesn't have encryption is going to require huge overhead and it will be a huge distraction," he said. "We encrypt from the moment that the credit card number is electronically digitized from the point of scanning through our systems. The credit card information is all encrypted, flowing from POS to the provider and back and that's it. It's not in back-office systems. It's not in corporate systems. It's not transmitted around. It's not in databases. We have lost some of the identifying mechanisms that we could use for things like loyalty and some of our buying patterns and stuff. That's been far less impactful and far easier to manage."
One change that was already announced was a PCI reclassification of retailers based on an ostensibly better feel for how transactions are being handled today.
The reclassification is "recognizing the way the threat environment is changing. Brick and mortar merchants are getting hacked at, if anything, a greater rate than E-Commerce merchants. The reclass at the merchant level reflected that," said Chris Noell, executive analyst with TruComply, a security consulting firm. "Before, you could process as many as six million transactions in a brick-and-mortar context before you had any validation requirements at all. Now that threshold has dropped to a million, which I think is a more appropriate risk management stance for the industry to take."
Rasch urged retailers to check carefully whether their classification has changed, because the new criteria are unpredictable. "There's no consistent theme here. Some people get classified up. Some people get classified down," Rasch said. "If you thought you were a Level One, you might now be a Level Two, and if you thought you were a Level Two, you might now be a Level One."