Evan Schuman's StorefrontBacktalk

Vague guidelines and conflicting audit firm interpretations?coupled with retailers that fall into multiple PCI categories?are making for some unhappy retailers.

The Retail Industry Leaders Association (RILA) held a retail meeting in March and is preparing for another next month, all on the topic of PCI deployment problems.

“When the credit card industry specified requirements for retailers, the retail industry seemed to lose momentum on its own data assurance work,” said an invitation to attend the meeting of what RILA is calling the PCI Project. “Some PCI requirements are vague. Some are unattainable. Retail companies that participated in the March 16 meeting cited numerous examples of low-result PCI requirements, one-size-fits-all rules that don?t work for various kinds of retail formats” and they also reported “potentially crippling costs.”

Cathy Hotka, a RILA senior VP, said there is universal retail industry support for the goals and objectives of PCI and its efforts at making payment systems more secure. The problem, she said, are the rules’ rigidity or, more accurately, the rigid way they are often being interpreted.

“What does it mean to implement PCI in the real world? Some of the requirements that came out of the original PCI rules were kind of ‘One Size Fits All,’ which was difficult for some of the retailers to get around,” Hotka said. “There has been some difficulty in making the rules work and getting common answers from the audit firms that provide advice to retailers.”

Hotka’s favorite examples are rules that impose unrealistic hardships on smaller retailers and that don’t appreciate the practical staffing flexibility that retailers need.

“Take, for example, a very small store where certain kinds of information is being kept in the register during the day. In theory, under PCI rules, all customers have to be escorted into the store with an escort wearing a badge because the store is of a certain size and that’s the way the rule is written. That’s the kind of thing we’re addressing,” she said.

Hotka, who was discussing PCI during this week’s StorefrontBacktalk‘s Week In Review audiocast, also cited a staffing PCI frustration from a larger company: “A great big hotel chain expressed some frustration with one of the rules that said that it was not possible for people to serve more than one operation. A resort might have a spa and a golf course and five restaurants and a pool. Various people from the larger site could not go elsewhere. Somebody from the Spa could not be a substitute at the pool because that would be against regulations.”

Security consultant?and former federal prosecutor– Mark Rasch was also on the audiocast panel that discussed PCI. Rasch said the problem is less one of how the PCI guidelines are phrased and more a matter of how they are being interpreted, particularly by audit firms the retailers are hiring to prove compliance.

“The guidelines are written fairly broadly and you sit there and say, ‘How do we apply them?’ One audit firm will tell you, ‘No, you can’t do this. It’s prohibited by the guidelines’ and another audit firm will say, ‘This is perfectly fine,'” he said. “Never let regulatory compliance be the enemy of doing the right thing. You need to do the right and appropriate thing.”

Rasch said that the PCI rules are running into several deployment challenges, but that similar hurdles have confronted just about major security guideline effort.

“This happens in every area of security, whether it’s HIPAA, Sarbanes-Oxley or the PCI standards. What makes PCI much more difficult is that many companies don’t even know where they fit in the chain of PCI. They don’t know if they are issuers, if they’re processors, if they’re merchants,” Rasch said, adding that many retailers today fall into multiple categories, making strict compliance much more difficult.

The retailer “may serve several different functions within that chain. In terms of aggregating the volume of transactions that they do, they may be a very large issuer and a very small processor. That happens as companies start going into new business areas.”

He cited as an example the POS/loyalty/CRM card being massively deployed now by the $9 billion 26,000-restaurant Subway chain.

“A good example is Subway. Subway is thought to be a merchant. You go in and you buy a sub and you give your credit card and that’s it. But, with their stored value cards, they’ve become an issuer as well so they’ve been taken from one regulatory scheme to another regulatory scheme within the PCI standards,” Rasch said. “New business opportunities and new ventures take you into new areas of PCI and you need to be aware of them.”

Another PCI deployment hurdle is the “Who’s In Charge?” debate. Hotka said that issue came up repeatedly as her organization tried to identify the proper people to meet with.

It was very difficult “to locate the correct people within each company. I think we found a total of four people (within retail) who had the title of chief information security officer,” Hotka said. “Many people had the CIOs in charge, there were VPs of architecture, directors of application development, there were compliance folk. In some cases, the right person to talk to was the loss prevention person.”

For many retailers, executives do a kneejerk point to the Chief Information Officer’s station. “Some companies will point, just by default, at the CIO and say, ‘Oh, the buck stops there,'” Hotka said. “But the CIO in fact may not know anything about this and is the person who just signs something periodically.”

Rasch commented that the responsibility confusion is especially ironic, given that it’s one of the few areas where PCI guidelines are unusually explicit. “One of the things that PCI requires is that you have an individual responsible for information security,” he said.

Rasch argues that the way PCI guidelines are written are not the problem and that significant wording changes could easily make the situation worse.

“If you were to write them even more explicitly, that would create even more problems. The PCI standards are intended to be just that: standards and guidelines of good behavior. If you get to too much of a level of granularity, then you’re going to get into some really difficult problems where they just don’t work in the real world,” Rasch said. “So they’re intended to be fairly high-level reasonable standards of things to do. The problem is that if they’re too broad and too general, you can’t audit against them and you can’t certify compliance. If they’re too detailed, they don’t work so there has to be a balance between them.”

How, then, do the problems crop up? “What happens is the auditing firms and the people who do assessments against PCI standards come in and there’s a certain amount of interpretation that they have to do to say, ‘This is a good program’ and ‘this is a bad program,'” Rasch said, adding that the only response is for a retailer to prove that adequate compensating controls are in place so credit card transactions are, in reality, not in danger.

What is a retailer to do if an audit firm says a reasonable legitimate business practice is against the guidelines? “What you do is you go find another audit firm and you demonstrate to that audit firm that you have adequate compensating controls,” Rasch said. “And if it really becomes a violation of PCI, then you’ve got to go back to Visa and MasterCard and say, ‘Listen, we either need an exception or we need the rule changed because this is not a genuine threat. It’s not a real threat to payment information and we should be allowed to do this.”

Another panelist at the audiocast was Jupiter Research analyst Patti Freeman Evans, who has worked extensively with retailers on PCI issues.

“It was very hard to understand what the compliance really meant and what it meant to our systems and procedures,” Evans said. “And then, once we got a grasp on that, then we had to understand how long it would take us to comply, what the costs were going to be and then how we could make a case for it. ‘Well, here’s the reporting. At least we’re reporting that we’re not doing it right. At least we know that we’re not doing it right and we’re making some reasonable effort to actually get there.'”

Evans then asked fellow panelist Rasch whether that was how most retailers were handling PCI issues.

“Oh, if only they were up to that standard,” Rasch said. “Right now, people are circling and dancing around PCI . The large retailers are starting to do assessments to see where they are and put plans in place to become more compliant. The smaller merchants are saying, ‘PCI? What does that stand for?'”