NRF and Other Retail Groups Gang Up On PCI, Demand More Reasonable Rules

June 11th, 2009
  • End To End Encryption Rules?
    As security debates continue between the end-to-end encryption and the tokenization gangs, the group asked that PCI finally get into the issue and declare some explicit guidelines.

    “Follow, and adopt, the ASC X9 announcement of its plan to develop a new standard to protect cardholder data that may include end to end data encryption,” the letter said. “By leveraging end to end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves.”

  • Streamline PCI, Deliver A Shorter Must-Do List
    Pointing out that the latest rev of PCI is quite long and that a merchant is compliant only if it meets every single requirement (the PCI Council is one of the few places where a 99 percent test score is failing), the letter asked for more of a triage approach.

    “Utilize the concepts of key controls and controls rationalization to restructure the more than two hundred detailed requirements of the PCI DSS. These concepts are similar to what the U.S. Government enacted for publicly traded companies as part of the Sarbanes-Oxley Act,” the letter said. “This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model.”

  • Stop Forcing Retail Execs To Store More Than They Need
    This is one of the older requests being made; the NRF’s Hogan has argued for years that the way to make retailers less susceptible to data breaches is to stop forcing them to keep so much unnecessary data on their servers.

    To paraphrase famed bank robber Willie Sutton, why do cyber thieves target retailers so often? Because that’s where the data is. Hogan’s argument has been that if the credit card companies are so intent on protecting the data, let them share the burden of housing those files, much of which the retailers would rather not have lying around.

    “Require credit card companies and their banks to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk,” the letter said.

    A day after the letter was sent and released publicly, PCI’s Russo issued a statement that the council “actively seeks and encourages collaborative input on the PCI DSS from all interested parties” and it then touted that its current board “has significant merchant, restaurant and petroleum industry representation including Wal-mart, Tesco, McDonalds and Exxon Mobil.”

    Other than a brief comment on end-to-end encryption—namely that the PCI Council “recently issued an RFP on emerging technologies, including further research into end-to-end encryption, and anticipates a detailed analysis and position paper presented to us by the end of the summer”—Russo’s statement didn’t agree or disagree with any of the five proposals.

    At the end of Russo’s statement, he seemed to dismiss the group’s suggestion that the council bend its rules to allow for retail feedback at an earlier stage, instead suggesting that the group is the one that should come to PCI, rather than the other way around.

    “We appreciate the input from these industry associations and we do encourage those that are not formal Council stakeholders to join up and become active participants, lending practical security expertise – along with their ideas – to evolve payment data security standards,” Russo’s statement said.


    7 Comments

    1. Bryan Larkin Says:

      Is it just me, or does the fact that retailers are going through this compliance stuff with PCI give rise to the hope that they may be more understanding of their suppliers? When each retailer provides their suppliers with the equivalent of a quarter-sized PCI compliance requirement in their vendor compliance guides, how can they hope for success?

      Imagine being a supplier who receives a vendor compliance guide from 20 different retailers – with about 5% of the compliance penalties being the same across all the retailers (which is accurate based on an RCC study from a couple years ago). Maybe retailers will consider more strategic supply chain-oriented metrics for, rather than tactical departmentally-based means of, driving supply chain success.

    2. PCIjeff Says:

      I think this letter shows how out of touch the NRF really is with PCI. I just looked at the PCI web site and it clearly lists that the feedback period starts July 1st of this year and the new standard will not be released until October 2010. How much more feedback does NRF think that retailers need?

      I also don’t find anything in the current PCI DSS v1.2 that says you can’t use end-to-end encryption. The PCI standard is a minimum baseline for information security. If retailers want to do more and implement end-to-end encryption I don’t see anything stopping them. Do they really want PCI to require every merchant and service provider to implement end-to-end encryption? Think of the cost and time to implement that!

      Lastly, why does the NRF continue to say that PCI requires retailers to store cardholder data? The standard is very clear about not storing data that is not needed, having a defined retention period, and rendering data that you do store unreadable. I personally can’t find anything in the PCI DSS v1.2 that says they must store cardholder data.

      I think this group should be more informed and read the PCI standard before they attack it.

    3. Patrick Dooley Says:

      The sadness of this is that the standards are fair and somewhat basic to common sense. It just goes to prove that greed and laziness are the two most important things in American business today.
      Peace

    4. sparky Says:

      PCIJeff says: “I think this group should be more informed and read the PCI standard before they attack it.”

      You may want to reread the points and then dig a little further to understand the whole process before throwing this out. I think you will find that there is so much more to this whole mess than just the current version of PCI-DSS.

      Their point about credit card retention is simple (by the way, if you read the article they never said that PCI requires the retention): credit card companies and banks require the merchants to keep the card number in a retrievable format *if* the company ever wants to win a payment dispute. This isn’t a PCI-point, it’s part of the agreement between the cc companies/banks and the merchant. Rather than insisting that the PAN and expiry date and name be stored, give the retailers the option of using other identifiers. In other words, they are suggesting that PCI build in a requirement that the banks/issuers have to live by as well. If they did this very few retailers would actually opt to keep the cc data at all. Most don’t do it for fun, they do it to protect themselves from chargebacks/disputes etc because they have no other option. I believe someone recently told congress that PCI-DSS was not much more than an elegant patch for a broken system. This is why.

    5. PCIjeff Says:

      Sparky – Here is what the letter says…

      Require credit card companies and their banks to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk.

      The PCI Council does not dictate to the credit card companies what their rules should be. This should have been in a letter to the credit card companies, not the PCI Council.

    6. A reader Says:

      Jeff,

      The PCI council was assembled by and represents the Payment Card Industry, which is made up of the credit card companies, and which was put together to represent the credit card companies in matters of security. It certainly seems like a reasonable point of contact to me.

      Would you rather the individual members of the NRF speak to each and every bank, and hope a solid standard emerges from the chaos? I should think that collective discussion in a single forum would be more productive.

    7. PCI Guy Says:

      The majority of the PCI program is no longer needed, not since the “Safe Harbor” provisions were eliminated. The card companies can simply replace PCI *requirements* with the following statement:

      “Notice: You are responsible for any and all costs caused by a data security violation of your transaction processing systems. Merchants are required to obtain certification from a qualified data security professional stating that the merchant’s transaction processing systems provide adequate data security. Recommended data security guidelines and a list of data security professionals who have been trained in them can be found on the PCI SSC web site.”

      The end result of the above approach would be identical to what we have today, but it would eliminate all the hysteria about “achieving” and “maintaining” the mythical and elusive “PCI compliance,” which is completely unnecessary since merchants who are breached will be held responsible for costs and fined anyway (just ask Heartland).
