The Latest PCI Compliance Stats Disappointing For Level 3s (page 3)
But that scenario still assumes the person answering the compliance question even knows the answer. What if he or she is confused about what constitutes prohibited data? Much more likely, what if that person believes the retailer is not storing such data but many of his or her colleagues are secretly doing it? (Marketing. Always blame marketing. When seeking out an ethics-challenged department, marketing is universally a prime choice.)
To be fair, it doesn’t even have to be ethics-challenged. Other departments—and even some people in E-Commerce or IT—may simply not know the rules. At a large chain, data retention questions are practically impossible to answer with certainty. But they are easy to answer by rote, because everyone knows which answer the assessor wants to hear.
The 2009 Visa report brought some new “prohibited data retention” data points into the mix. For the first time, Visa added columns for Level 3 and Level 4 merchants. But the included data wasn’t especially helpful (“Not applicable” and “To Be Determined,” respectively). Visa also added VisaNet Processor (direct connection) and Agent (downstream). Rather than the 100 percent or 99 percent for Level 1s and Level 2s, though, VisaNet and Agent got the vague “high,” with no definition. (We assume “high” is better than the undefined “moderate.” It at least sounds better.)
So, does this mean that VisaNet and Agent are, to some unspecified extent (but presumably a lot higher than one percent—given Visa’s willingness to report 99 percent for years), indeed retaining prohibited data? That’s comforting.
Regardless, the key story here is merchant compliance and the failure so far to get the millions of merchants that account for a third of all Visa card transactions to be PCI compliant. What is good for large merchants should also be good for smaller merchants, especially because these smaller merchants self-assess (versus needing an outside assessment by a QSA) and they can use a self-assessment questionnaire (SAQ) that can be as short as 11 questions. Smaller merchants have been victimized disproportionately, and the consequences of a major breach and fine may mean bankruptcy.
A year ago, when StorefrontBacktalk PCI Columnist Walt Conway first started tracking these numbers, he figured the brands would turn their attention to small merchants in 2009. And Visa did indeed issue a series of mandates. But these requirements don’t seem to be having much of an impact based on the numbers Visa itself reports.
It will take a concerted effort on the part of the brands to make progress, and their only real leverage is interchange. Incentive interchange rates successfully paved the way for broad adoption of electronic terminals at the point of sale back in the 1980s and 1990s. Maybe that approach can be used again to incent merchants to become PCI compliant and stay compliant. We’re not sure exactly how it would work, but clever minds should be able to devise a program with appropriate incentives and penalties, as was done with CAP (Visa’s Compliance Acceleration Program).
The only alternative is to have more mandates and acquirer reporting. Unfortunately, these requirements have had only “moderate” success so far. And yet it is hard to see widespread compliance coming about any other way.
One answer may be the acquirer-provided secure processing products that are announced weekly. We need to get to “plug-and-play PCI” that will work for the franchisee, college athletic department, golf course, theater and hardware store that is not compliant today and needs to be. Even with this approach, an interchange incentive from the brands sure would help.
April 15th, 2010 at 11:29 am
Why would companies be jumping to get PCI compliance if it is not mandated by law? Especially when they can hold off as long as possible and then get compliance without wasting each year’s audit fee since 2007 (per the article’s start date)… so companies who got on board back in 2004 got screwed by paying yearly fees since then.
April 16th, 2010 at 3:04 pm
@cestmoi, Thanks for your comment, but I have to disagree with such a cynical view of PCI and the benefits of compliance. Companies should want to be compliant to protect their customers and their brand. If you are going to take payment cards then you have an obligation to be secure. Being PCI compliant and – more importantly – being secure is important to your business and your customers. Rather than being a waste, PCI compliance is a smart investment.
I guess you could avoid compliance and try to fly under your acquirer’s radar, or you could lie on your SAQ. But you do not really benefit by such action. You increase your risk of an expensive data breach which is more expensive than being compliant and, hopefully, secure. In other words, if you think compliance is expensive, noncompliance can cost more.
April 20th, 2010 at 6:06 pm
PCI can unlock IT budgets, so it’s important to determine the cost of compliance. However, I’m with you, Walt, that the cost of noncompliance is way higher than that of compliance. Surveys show the average cost of a data breach being $6.6 million. With this info, it’s very easy to argue that compliance is not expensive.
One of the reasons why a breach is so expensive is because breaches go undiscovered and uncontained for weeks or months. Imagine leaving the door to your home wide open, and not finding out what robbers stole for months! It could get very expensive. Close that breach to detection gap and you can control the damages to your organization much quicker.
May 28th, 2010 at 4:21 pm
PCI compliance is a money-making thing for scan companies, and Visa/MC is in bed with these companies. Getting scanned and submitting a report to the banks will not stop a hacker. If you still get hacked even though you have every safety element possible on your site, the banks will still fine the merchant. Period. Where are the banks saying that if you submit a PCI scan and self-assessment to them quarterly, then you are off the hook if you get hacked? They will still find a reason to fine the merchant. Why are merchants going to pay for scumbags’ crimes?