PCI Education More Neglected Than We Thought

Written by Walter Conway
January 26th, 2011

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Two recent surveys of how merchants approach PCI compliance—one by Cisco Security Solutions; the other a joint survey by the National Retail Federation and First Data—provide insights into merchant attitudes, priorities and challenges. Although there were several differences between the surveys, what I find interesting is that when you reflect on the findings, a common theme emerges: The critical role of educating merchant staff on proper handling of payment card data.

The Cisco survey was comprehensive, with over 500 responses from IT executives across a wide range of vertical industries. Respondents included large Level 1 merchants and smaller, Level 2 and 3 merchants.

The survey has a lot of good news. Respondents were familiar with PCI requirements, and 70 percent said their organizations were more secure because of PCI compliance than they would have been otherwise. This result appears to be quite an endorsement of PCI, even though some respondents felt the requirements were “burdensome.” My response to the burdensome reference is that nobody ever said security was easy, just that it was smart.

Although the Cisco survey addressed several very interesting areas (e.g., how much money respondents’ companies spent on PCI over the past five years, spending plans for 2011, etc.), I was struck by the responses to Question 33: What problems are you experiencing with regard to PCI compliance; check all that apply.

The top vote getter was not any perceived vagueness or “lack of clarity” in the PCI requirements (mentioned by 22 percent), lack of staff resources (28 percent), needing to change entrenched business practices (29 percent) or even the second most-mentioned option of upgrading “antiquated systems” to make them compliant (32 percent). Rather, the number-one challenge was educating employees on the proper handling of cardholder data, selected by a whopping 43 percent of respondents.

That a group of 500 IT executives responsible for PCI compliance rated educating their internal staff on how to handle sensitive cardholder data as their biggest PCI challenge is interesting. It signals a PCI disconnect within merchants. At one level, this result tells me that IT executives believe they can handle the technical requirements of PCI, but they are worried about what their internal users are doing. At another level, it says merchants still view PCI as an IT issue and not a business issue. Most interestingly, though, it says that perhaps the cheapest tool you have (i.e., education) may be the one with the biggest impact on your organization’s security and PCI compliance.

My take is that by “education,” the IT executives surveyed did not mean three-day, intensive PCI training courses. Rather, I believe they meant training for anyone who comes in contact with cardholder data, including sales staff, store managers and marketing analysts, on what they can and cannot do with that data. You can encrypt and protect your data as much as you want. But once users gain access to the unencrypted data, you have lost control.

Training reinforces your data protection policies, like not sending primary account number (PAN) data in an E-mail, not loading cardholder data on a flash drive so you can work on it at home, and not keeping spreadsheets or scans containing cardholder data on a laptop. I have seen each of these practices, by the way, and I know what these IT executives know: You have users who think keeping PAN data in a spreadsheet on their laptop is not retaining electronic cardholder data; it’s just them being productive.


One Comment

  1. david marsh Says:

    Walt, I had an interesting conversation on this last week with a mutual contact in the QSR business. He had an interesting perspective – maybe it is not so much a case of the smaller merchants being unaware, maybe it is a case of not wanting to admit it. Maybe it is human nature to not want to admit that you know it is a problem, but since you really perceive it as an expensive hassle, you are less likely to admit that on a survey.
    I am not going to pretend to be a psychiatrist, but I do know that many merchants will continue to resist anything that they perceive as an unnecessary cost to their business. Until there is a bigger pain to them in the form of penalties paid for non-compliance, some will simply pretend that the risk of breach does not exist…


