Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance. Not unlike the game of "hot potato," which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.
Whether you call it outsourcing or tokenization, software-as-a-service, virtualization or even, gasp, cloud computing, it's essentially a "risk avoidance" strategy. However, most of what we see in our research is more avoidance than strategy.
One of the new provisions of PCI 1.2 that has received little attention, compared to its importance, is the requirement that merchants do a due diligence evaluation of service providers prior to engaging them to collect, process or store credit card data. Based on our research, that due diligence typically consists of asking service providers if they are PCI compliant. However, it is almost impossible for service providers to be compliant at the company level. They can provide PCI compliant "environments" and "services" to their customers. But they have so many different customers and so much data, and they may well make extensive use of server virtualization, that it renders some of the PCI requirements unenforceable. For this reason, we believe a best practice is to conduct—or have an objective auditor conduct—an architectural review of any third parties being considered to provide PCI-related services. This will not only satisfy the new PCI 1.2 requirement, it will also help the merchant set up a process for regularly monitoring the PCI compliance and security of card data in the hands of each third party, which is another part of the modified PCI 1.2 requirement.
One of the most common problems that retailers encounter when trying to do a PCI self-assessment or work with a QSA to do one is that most merchants simply do not know all the places where their credit card data can "hide." For example, it is very common for large quantities of card data to be "discovered" months after a thorough PCI assessment. And that's even after creating data flow diagrams and running tools designed to find data that matches a specific set of criteria. The chances are very good that handing off all a merchant's card data to a service provider is not going to provide any more certainty about where that merchant's credit card data actually "is," particularly if the service provider should subcontract some of the data storage and management tasks to yet another company—a "fourth party," if you will. The bottom line here is that it is inconsistent with the spirit of the PCI standards and retail industry best practices to adopt a lower standard of "due care" for confidential data that is collected, processed or stored by a service provider. We recommend a detailed risk analysis of the technical and managerial process of payment outsourcing and the use of tokenization, and any other technology or process that is not directly addressed by the PCI standards.
When it comes to technologies like tokenization, virtualization and cloud computing, merchants should neither rush to embrace them because they promise risk transference and PCI avoidance nor reject the use of these technologies simply because they are not mentioned by name in the PCI standards. The goal is to develop a common risk analysis methodology that can be used to evaluate any business process change (e.g., outsourcing) or technology change (e.g., virtualization) that is not directly addressed by a specific PCI standard. In addition, each time merchants consider treating credit card data in one way, because of PCI, they need to consider treating ALL their confidential data the same way. If a breach or accidental data loss should occur, then it would be difficult to justify treating confidential data with different levels of due care simply because of industry standards.
If you have a question about PCI, outsourcing, tokenization, service providers or any other related topic, you can ask the
PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. We have one specifically focused on "Ask a QSA" and we're considering adding one just for PA DSS. Let us know if you think that's a good idea. Also, if you're a retailer, we want to get you involved in the PCI Best Practices study we're doing with the National Retail Federation. It's 100 percent anonymous. Just send us an E-mail at [email protected]