New Credit Card Rules Crack Down On Wireless, Lighten Up On Encryption

Written by Evan Schuman
September 15th, 2006

Recent changes to credit card security rules reflect a maturing of the payment rules, with wireless monitoring requirements made much more strict while file software integrity monitoring frequency and the encryption demand have both been softened.

“This is a bow to reality,” said Mark Rasch, a former federal prosecutor who now specializes in retail security issues. “The first version was more of a Utopian of what Visa and MasterCard thought were workable standards based on what people should do. This is a minor tweaking based upon what people are doing.”

Although there are several factors influencing the changes to the Payment Card Industry (PCI) data security standard rules, the makeup of the governing body is a critical one. Last week, the PCI data security group was officially expanded beyond just Visa and MasterCard to also include AmericanExpress, Discover and Japan’s JCB.

David King is the CIO of the $2.7 billion Regal Entertainment Group, which is the nation’s largest movie theater chain. He applauded many of the new PCI requirements, but he especially liked the new makeup of the PCI standards group.

“We have been having to deal separately with Visa, MasterCard, AmericanExpress and now Discover, who are all clamoring for compliance audits and meeting with their people and being reviewed,” King said. “I’m glad that we’ll be dealing with a single body and maybe a single set of criteria. That’ll be good.”

The rules were updated in PCI’s Data Security Standard version 1.1 partially to address criticism that the rules did not factor in practical considerations of running retail chains. For example, a requirement for file integrity monitoring software to watch for unauthorized modification of critical system files had mandated that file comparisons be done daily. It’s now been softened to weekly.

“In thinking about the new changes, we asked, ‘How do you apply it in a real-world scenario?'” said Seana Pitt, chairperson of the PCI Security Standards Council and a VP of global merchant policy and data quality for AmericanExpress. “If you look at the information on a daily basis, it’s just a lot of data to work through. This approach is more applicable to the day-to-day running of an IT organization. It did not erode the security.”

Michele Borovac, director of marketing at Decru, a storage vendor that has been closely watching the PCI process, agreed. “It’s overkill to try and run it daily. It’s a burden and the data simply doesn’t change that often,” Borovac said.

One change in the other direction was a requirement that wireless analyzers need to be used periodically. In the old version, such analysis was only required when a wireless application was being used, but the new rule requires that the testing be done “even if wireless is not currently deployed” so as to find rogue wireless networks surreptitiously installed.

Today’s larger retailers “have very complex networks” and it’s “very easy to plug in something in the heat of the moment,” Pitt said. It’s not that difficult for wireless access to be accidentally enabled given the large number of hardware, software and networking devices today with wireless capabilities.

Regal’s King was not comfortable with the new wireless requirement. “I feel that it’s a little bit of an overkill,” he said, because the complexity of a typical large retailer does not fit neatly into the new rule.

“Even if one does detect the presence of wireless activity inside one’s firewall, whether or not that wireless activity is secure or whether credit card activity is flowing across that wireless component, whether or not one can enter through that wireless port and get through to encrypted data,” King said. “The complexity of an environment that a Level One merchant is going to have needs to be looked at more from an engineering standpoint than ‘Let’s take a wireless analyzer and let’s put it inside your stores and see if I can detect any wireless activity.'”

Part of the reason for that is the nature of where Regal has many of its movie theaters. The fact that many movie theaters are located inside malls and are immediately proximate to tons of smaller merchants, many of whom may have their own wireless access, makes for some challenging tests.

“So they’re going to turn on a WiFi finder and they’re going to find lots of wireless connections. Some secure, some not secure,” Rasch said. “They can’t just say, ‘Well, those aren’t ours’ because they have no idea whether this is a rogue part of their network that somebody has put up. How do you validate–in a place that may have 20 or 30 WiFi connections–that none of them are yours? It’s a difficult task.”

Another change was prohibiting cardholder data to be stored or copied during remote access. The earlier version had demanded that all such access be disabled. “In the past, they said, ‘You can’t access it. Period,'” Borovac said. “Retailers said, ‘That’s not plausible. We need to give people who are working remotely access.'”

The potentially most significant change involved compensating controls, which can be used instead of encryption. Before, encryption was considered mandatory.

The change was mostly a concession to costs and logistics because many retailers argued that it was not practical for them to encrypt all cardholder data and they proposed alternative, and more complicated, ways of protecting the data. Many older retailers with substantial legacy systems had been especially concerned, Pitt said. “To think about encrypting data on that mainframe is costly and it takes a long time,” she said.

Decru’s Borovac argued that the PCI committee, whether consciously or subconsciously, is discouraging retailers from using compensating controls by putting in place a much more onerous certification process for those using compensating controls compared with those who encrypt. “It comes down to the ease that people will want to pass their audits,” Borovac said.

Regal’s King agreed, which is why his chain has aggressively embraced encryption, even though it sharply limits their CRM abilities to learn about their customers and market to them.

“I think that investing in encryption is going to be so less onerous and so less expensive as opposed to going with a whole variety of compensating controls. Things change, situations change, technologies change. And to manage all of the different compensating controls that one would need to have if one doesn’t have encryption is going to require huge overhead and it will be a huge distraction,” he said. “We encrypt from the moment that the credit card number is electronically digitized from the point of scanning through our systems. The credit card information is all encrypted, flowing from POS to the provider and back and that’s it. It’s not in back-office systems. It’s not in corporate systems. It’s not transmitted around. It’s not in databases. We have lost some of the identifying mechanisms that we could use for things like loyalty and some of our buying patterns and stuff. That’s been far less impactful and far easier to manage.”

One change that was already announced was a PCI reclassification of retailers based on an ostensibly better feel for how transactions are being handled today.

The reclassification is “recognizing the way the threat environment is changing. Brick and mortar merchants are getting hacked at, if anything, a greater rate than E-Commerce merchants. The reclass at the merchant level reflected that,” said Chris Noell, executive analyst with TruComply, a security consulting firm. “Before, you could process as many as six million transactions in a brick-and-mortar context before you had any validation requirements at all. Now that threshold has dropped to a million, which I think is a more appropriate risk management stance for the industry to take.”

Rasch urged retailers to carefully check to see if their classification has changed because the new criteria are unpredictable. “There’s no consistent theme here. Some people get classified up. Some people get classified down,” Rasch said. “If you thought you were a Level One, you might now be a Level Two and if you thought you were a Level Two, you might now be a Level One.”
