PCI Education More Neglected Than We Thought

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Two recent surveys of how merchants approach PCI compliance—one by Cisco Security Solutions; the other a joint survey by the National Retail Federation and First Data—provide insights into merchant attitudes, priorities and challenges. Although there were several differences between the surveys, what I find interesting is that when you reflect on the findings, a common theme emerges: The critical role of educating merchant staff on proper handling of payment card data.

The Cisco survey was comprehensive, with over 500 responses from IT executives across a wide range of vertical industries. Respondents included large Level 1 merchants and smaller Level 2 and 3 merchants.

The survey has a lot of good news. Respondents were familiar with PCI requirements, and 70 percent said their organizations were more secure because of PCI compliance than they would have been otherwise. This result appears to be quite an endorsement of PCI, even though some respondents felt the requirements were "burdensome." My response to the burdensome reference is that nobody ever said security was easy, just that it was smart.

Although the Cisco survey addressed several very interesting areas (e.g., how much money respondents' companies spent on PCI over the past five years, spending plans for 2011, etc.), I was struck by the responses to Question 33: What problems are you experiencing with regard to PCI compliance; check all that apply.

The top vote getter was not any perceived vagueness or "lack of clarity" in the PCI requirements (mentioned by 22 percent), lack of staff resources (28 percent), needing to change entrenched business practices (29 percent) or even the second most-mentioned option of upgrading "antiquated systems" to make them compliant (32 percent). Rather, the number-one challenge was educating employees on the proper handling of cardholder data, selected by a whopping 43 percent of respondents.

That a group of 500 IT executives responsible for PCI compliance rated educating their internal staff on how to handle sensitive cardholder data as their biggest PCI challenge is interesting. It signals a PCI disconnect within merchants. At one level, this result tells me that IT executives believe they can handle the technical requirements of PCI, but they are worried about what their internal users are doing. At another level, it says merchants still view PCI as an IT issue and not a business issue. Most interestingly, though, it says that perhaps the cheapest tool you have (i.e., education) may be the one with the biggest impact on your organization's security and PCI compliance.

My take is that by "education," the IT executives surveyed did not mean three-day, intensive PCI training courses. Rather, I believe they meant training for anyone who comes in contact with cardholder data, including sales staff, store managers and marketing analysts, on what they can and cannot do with that data. You can encrypt and protect your data as much as you want. But once users gain access to the unencrypted data, you have lost control.

Training reinforces your data protection policies, like not sending primary account number (PAN) data in an E-mail, not loading cardholder data on a flash drive so you can work on it at home, and not keeping spreadsheets or scans containing cardholder data on a laptop. I have seen each of these practices, by the way, and I know what these IT executives know: You have users who think keeping PAN data in a spreadsheet on their laptop is not retaining electronic cardholder data; it's just them being productive.

The good news is that training has the biggest financial payoff for achieving and maintaining compliance. Training is cheap. It is a few hours once or twice a year. It is having users sign a piece of paper acknowledging their responsibility each year. I firmly believe people want to do the right thing, either because they are moral beings or because they want to keep their jobs. Either way, the idea is to tell users what they can and cannot do with cardholder data—and then enforce the rules.

PCI v2.0 requires a comprehensive effort to determine a merchant's PCI scope. This requirement, coupled with the spread of personal technology, means educating users should be a high priority for IT managers.

The NRF/First Data survey of small to midsize retailers leads me to a related conclusion about the criticality of education for security and PCI compliance. In that survey, the overwhelming majority of businesses (86 percent) said they care about protecting their customers' card data and they feel payment card security is important to their business. That certainly is great news, but what followed had me scratching my head.

Of those businesses that store PAN data, only 68 percent reported taking any steps at all to protect that data. That sounds a bit like me saying I recognize traffic accidents are dangerous, so I'll use my seatbelt about two-thirds of the time. Or telling the IRS I know I should pay my taxes, but how about I just pay two-thirds of them.

That nearly a third of small and midsize retailers are retaining cardholder data without protecting it should be very frightening news for security professionals and, unfortunately, very good news for the bad guys.

Once again, I believe education can be a big part of the solution. It's good that smaller retailers have heard of PCI (66 percent of survey respondents), but we have to do better. For example, about the same percentage (64 percent) made the incredible statement that their business is not vulnerable to payment card data theft. I don't know what newspaper these merchants are reading or where they get their news, but it seems like a lot of small retailers are not making a connection between storing cardholder data and their risk of a very expensive data compromise.

As an industry we have done a good job of raising awareness of PCI DSS, but we now need to move to convincing the majority of small retailers that they are at risk. I want to commend the NRF and First Data for this survey. It paints a very interesting and complex picture, and I'm only looking at a small part of it. The challenge now will be what the industry can do to get the rest of the PCI message to vulnerable small and midsize retailers.

An alternative to education might be technology. Actually, it might be two technologies. For retailers who feel they need to retain cardholder data, tokenization can be an attractive solution. They can track what they need to track, but by using meaningless tokens instead of PANs. For the rest of those retailers, a point-to-point encryption approach that encrypts cards when they are swiped might be a good way to reduce PCI scope and risk.
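To make the tokenization idea concrete, here is an added example that is not from the column and not any vendor's product: a hypothetical in-memory token vault alongside the merchant's own order records. The vault is the only component that ever sees a PAN; the merchant's orders table stores a token that carries just the last four digits (for receipts and customer service) plus a random, digit-free string. A keyed HMAC fingerprint lets the vault hand back the same token for a repeat card, so the retailer can still "track what they need to track" (repeat purchases, chargebacks) without holding PANs. The `TokenVault` class, its key, and the `orders` list are all assumptions made for the example; a real vault runs inside the cardholder data environment with an encrypted store and access logging, and point-to-point encryption (the other technology the paragraph mentions) is not shown here.

```python
import hashlib
import hmac
import re
import secrets
import string


class TokenVault:
    """Hypothetical tokenization service. Only this object holds PANs."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key          # HMAC key; assumed to live in an HSM/KMS in practice
        self._pan_by_token = {}         # token -> PAN (vault side only)
        self._token_by_fp = {}          # HMAC(PAN) -> token, so repeat cards reuse a token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash rather than plain SHA-256: PANs have too little entropy to
        # survive an unkeyed hash table lookup by an attacker.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN-shaped value")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        # Random part uses letters only so the token can never look like a PAN.
        rnd = "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        token = f"tok_{rnd}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path (e.g. refunds through the processor) calls this."""
        return self._pan_by_token[token]


# --- merchant side: never touches the PAN after tokenize() returns -----------

def record_order(vault: TokenVault, orders: list, order_id: int, pan: str, amount: float) -> dict:
    """Store an order with the card token in place of the PAN; return the stored row."""
    row = {"order_id": order_id, "card_token": vault.tokenize(pan), "amount": amount}
    orders.append(row)
    return row


def orders_for_card(orders: list, token: str) -> list:
    """Repeat-customer lookup using only the token."""
    return [o["order_id"] for o in orders if o["card_token"] == token]


PAN_RUN = re.compile(r"\d{13,19}")


def table_holds_pan(orders: list) -> bool:
    """Scope check: does any stored field contain a PAN-length digit run?"""
    return any(PAN_RUN.search(str(v)) for o in orders for v in o.values())


if __name__ == "__main__":
    # Demo with public test card numbers (constructed input, not real accounts).
    vault = TokenVault(secrets.token_bytes(32))
    orders = []
    record_order(vault, orders, 1001, "4111111111111111", 42.50)
    record_order(vault, orders, 1002, "5500000000000004", 9.99)
    record_order(vault, orders, 1003, "4111111111111111", 18.00)
    t = orders[0]["card_token"]
    print("token for repeat card:", t)
    print("orders on that card:", orders_for_card(orders, t))
    print("orders table holds a PAN:", table_holds_pan(orders))
```

The point the example makes is the one in the paragraph: the merchant's systems, backups and staff can work from `orders` all day without any PAN being present, which is what shrinks PCI scope. The vault itself stays fully in scope, which is why most retailers outsource it to a processor rather than running one.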

Right now, we are all waiting for additional guidance on these promising technologies from the PCI Council. But the potential for reducing retailer risk is enormous.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].