Affording PCI Security

Written by David Taylor
January 15th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Just spent the last few days at the National Retail Federation’s (fairly) big show in New York. Between the weather and the economy, some people apparently decided to work on their resumes instead of making the trip. For those folks, and even for those who showed up, here are several insights related to security, compliance and PCI from the hundreds of people we talked to this week.

  • The NRF Announced 25 PCI Best Practices
    This Monday (Jan. 12), the National Retail Federation announced a set of 25 PCI best practices designed to improve “cost-effective compliance.” We vetted these practices with the NRF’s CIO council and spoke with many others about them. The primary reaction was that “cost” is the correct focus at this point. We talked to several people who have security responsibilities, and PCI is one of the few things for which there is still budget.

    But for the near future, anything they buy also has to have additional justification. For this purpose, several of the NRF’s best practices are focused on replacing manual controls (and labor costs) with automated controls. Log management, configuration management and threat management are all areas where poorly coordinated manual procedures expend skilled labor on relatively low-level tasks and, thus, have the strongest justification for automation.

  • PCI Compliance Has Become Boring
    On the tradeshow floor, I watched for a while as two very nice ladies attempted to stop passers-by with the line: “Are you PCI compliant?” They were getting nowhere with that pitch—people either said “yep” or ignored them. After speaking with them at some length, it turned out that the most common response was “I think so.” But even those who weren’t sure didn’t want to learn any more. I believe the problem is that once PCI is assigned (still, for the most part, to IT), most people in the company assume that it’s “done.” So, all the harping by vendors, assessors and even leading retailers that PCI needs to be part of operations and continuously monitored is being ignored by most people on the business side, because they assume it’s being “handled” and that compliance has been “achieved.”

  • PCI Leads To Bi-Polar Disorder
    I discussed my observation above with several other security folks at the show. The conclusion we reached is that there is a major gap between most retailers’ “real” level of security and compliance and what many businesspeople in the organization believe it to be. One of the reasons for the misunderstanding can be attributed to the “pass/fail” PCI compliance grading system. Although compliance with the PCI standards is difficult to achieve, receiving a “passing grade” from an assessor (for Level 1 merchants) leads—in the vast majority of cases—to a period of “slacking off” on security, until the ramp up to the assessor’s visit a year later. Even smaller merchants, which do their own self-assessment, experience this “manic/depression” cycle when it comes to such things as documentation of access controls, log review and other tasks related to compliance monitoring.

  • Beyond PCI Is PA-DSS And PCI PED
    Several companies on the show floor were talking about “beyond PCI” issues and technologies. As the NRF’s PCI best practices point out, PCI needs to be managed as part of an overall governance, risk management and compliance (GRC) strategy. That’s nice, of course, but not as tactical as many people are thinking these days. Rather, I think a better “beyond PCI” message is to focus on PA-DSS and PCI PED, which have specific deadlines and very clear mandates, and yet the scope of their implications is understood by very few. If you don’t know what these terms refer to, then I’ve made my point. The PCI best practices also include clear recommendations to begin planning now to make any necessary upgrades or replacements of affected payment applications and PIN entry devices, because the process typically will take months, particularly for those retailers who will have to switch vendors.

  • The Bottom Line
    If you are interested in learning more about the NRF’s PCI best practices, they were issued through the NRF’s ARTS committee, which is responsible for retail industry standards. You may also visit the PCI Knowledge Base, as we worked with the NRF to conduct the research that generated these best practices. Or, just send me an E-mail at


    One Comment

    1. SK - TKI Says:

      Good article Dave! Always good to hear your perspective on PCI. Beyond PCI is the foundation of what I advise all of my clients. We refer to it as “holistic PCI”. Looking at all of the programs, the level of applicability, and practicality of implementation. You are right, in that many organizations are not aware of the PA DSS and PCI PED requirements. Keep sharing the knowledge!
