Dying Is Easy, PCI Is Hard

Written by Evan Schuman
August 23rd, 2007

PCI deployment isn’t perfect, but it’s quite impressive how far it’s come given the mammoth obstacles. As its most public face, Visa has taken a lot of the criticism, but it also deserves much of the credit.

As a group, humans are a tough audience. Cruelly and quixotically, the more difficult and massive the task, the quicker we are to point out the shortcomings rather than praise the accomplishments.

In retail technology today, there are few efforts more monumental and difficult than attempts to regulate credit card security. The Payment Card Industry Data Security Standard (known simply as PCI) is the industry’s best shot.

Please don’t get me wrong. There are plenty of issues with PCI deployment today. But let’s not be too quick to attack the very good for not achieving the unattainable perfection.

Consider the challenge of creating a single set of security rules that would be applied to businesses as diverse as Wal-Mart, 7-Eleven, McDonald’s and Rite-Aid as well as single-store retailers on street corners across America. Some of those companies have large IT staffs and process billions in transactions while others might still be using electronic cash registers (and some that are not so electronic).

It is a committee-formed set of rules—think of the glacial pace of most standards efforts—that needs to be one step ahead of the world’s top cyber thief networks.

Michael Barrett, the chief information security officer at PayPal (and a new member of the PCI Council), phrased it well when he said PCI’s weakness is that “it’s both too specific and too vague. It needs to be specific about what needs to be done, but not specific as to how it needs to be done.”

PCI’s main effort to date to strike such a balance is something called compensating controls, where retailers can avoid adhering to a particular rule if they can make a persuasive argument to the auditor of an alternative method that would deliver roughly the same result. Thus far, Barrett said, compensating controls need work and they tend to be far too time-consuming.

Compensating controls are “a painful exercise and you have to go through it every year” and endure “a very long discussion with the auditors about whether or not you have the series of controls,” Barrett said, adding that some text in the edict is “downright confusing.”

But Barrett’s tone changes rapidly when the conversation turns to the many major retailers today who are still not PCI compliant. “It really does describe an everyman kind of security program. As a consequence, you really ought to be able to pass” if you have a halfway decent security program, he said. “What I have no sympathy for” are retailers who say that PCI is worthless and who therefore don’t even try.

Last week, this column talked about a memo from one of the nation’s largest credit card processing banks—Fifth Third Bank—and how it reflected Visa softening one of its financial threats to non-compliant retailers.

“Visa’s initial program announcement stated that, effective October 1, 2007, non-compliant merchants will no longer be eligible for Visa” reduced transaction fee programs, the memo said. “Now, according to Visa’s clarification on their policies regarding tiered interchange qualification and fines, merchants that have not validated full compliance by September 30, 2007, will no longer qualify for the best available tiered interchange rates. This means that Visa (transactions) submitted from non-compliant merchants, that are normally eligible for tiered interchange, will be downgraded one interchange tier.”

Although neither Visa nor Fifth Third would comment before the stories were published, Visa did surface after the column ran to seek a clarification. The story quoted the memo accurately, but Visa—anonymously, of course—challenged Fifth Third’s contention that Visa had initially planned on banning retailers from the program entirely. Visa had never specified that, the card company’s representative argued.

Beyond the problem of proving a negative (how can we ever prove that no one from Visa ever said a particular comment?), this raises an interesting issue. Beyond a few legally-phrased memos from time to time, most of the communication from Visa has been passed word of mouth. Is it possible that Visa representatives in the field made the threat more specific than corporate had intended? Or was Fifth Third speculating?

This also nicely illustrates the huge burden on Visa. Technically, we should be saying credit card companies, but Visa is the only one that has stepped up to the plate to address these issues. Visa has periodically released compliance numbers, a move that MasterCard, American Express and Discover haven’t even tried. Why should they? If Visa’s out there taking the heat, why bother?

From an information-hungry writer’s perspective, our understanding of the state of compliance today is not particularly weakened by the absence of those other players. In the U.S., it’s almost impossible to find a retailer that accepts credit cards that doesn’t accept both Visa and MasterCard. It’s almost as difficult to find a merchant that takes AmEx or Discover and doesn’t also take Visa. Still, this does make Visa the lightning rod for any PCI criticism.

Among the many culprits that are keeping the PCI compliance figures lower than Visa wants them to be is, for lack of a better term, legacy systems. You can’t quite blame Visa—or PCI or, for that matter, the retailers—because so much of the installed equipment and software dramatically predates PCI’s existence.

That legacy problem is why some retailers are saying that they might need as many as two more years to become fully PCI compliant, especially with encryption, according to one Visa security official who also asked to remain anonymous.

The good news is that this particular PCI hurdle will theoretically not be an issue in five to ten years, as technology attrition wipes out the pre-PCI systems.

That official also clarified a confusing new Visa program for retailers that will not be compliant by Oct. 1, 2007. If they’re willing to pledge that they will be compliant by Oct. 1, 2008, Visa is offering them three months of their fee reduction. (The memo said as many as three months, but this Visa official said the intent is that it will be the full three months, wherever practical.) The money, however, won’t be paid until the retailer actually gets a compliance certification, presumably before Oct. 1, 2008.

There’s little doubt that Visa is taking the security compliance issue seriously, but it’s in a delicate position. Setting aside the political issues (Visa needs these retailers for all of its revenue and there are alternative programs cropping up), pushing a security compliance program is nothing if not delicate. With the goal being to improve credit card security, Visa knows that pushing too hard will backfire, giving more retailers an excuse to not even try. But pushing too gently is almost as bad because these programs are expensive and time-consuming and retailers won’t do them without an incentive and a threat.

Perhaps it’s only fair to cut Visa a little slack and to take a moment to acknowledge the tremendous contribution it’s made. So just for this column ending, I’ll just say, “Great job! (pause) And if you guys could perhaps do something about the auditor conflict of interest.” Sorry. I weakened.
