The Two Scenarios Coming From The PWC PCI Report

Written by David Taylor
September 30th, 2009

Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group sought from PricewaterhouseCoopers (PWC). The first presentation of the PWC report of PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts. High priorities over the next year will be end-to-end encryption, tokenization and virtual terminals. But is it safe to act now?

  • Changing PCI DSS To Save It
    It’s clear that Fortune 1000 merchants still enjoy their distaste for PCI DSS and their distrust of the process. And it’s fair to say that many merchants actually hate the PCI standards and their purveyors. At last week’s meeting, the Standards Council and the card brands attempted to embrace their detractors via the oft-repeated “we want your feedback” refrain. The response? The merchants in attendance were generally well behaved in public (perhaps they fear reprisals), and there were no reported fistfights, as much fun as that would have been.

    I think one of the reasons for the less-than-hostile response was the PWC report itself, which was the highlight of the event. The report made it clear that the SSC (and, presumably, the card brands) were open to making some much-needed changes to the standards. Most of the changes that seem likely in the near term will involve embracing some increasingly popular security approaches that focus on reducing the scope (footprint) of credit card data in the typical organization.

  • Implications For PCI DSS Scope
    The consultants at PWC began with an analysis of 12 security technologies that emerged from 160 interviews with industry players, and then narrowed the list for their “deep dive” investigation to several that they concluded had the best potential to be automated, could be integrated with existing infrastructures and could have a meaningful potential impact on PCI scope, rather than being treated simply as compensating controls. The three technologies they chose were end-to-end encryption, tokenization and virtual terminals, all of which have the potential to significantly reduce the size and scope of the credit card data environment in most companies and, thereby, reduce PCI compliance management costs and security breach costs.
  • Beyond Enterprise Approaches–Toward Outsourcing
    The implications of the PWC report as they are integrated (in a to-be-determined way) into the PCI SSC will challenge the security strategies and architectures of most Fortune 1000 companies. Essentially, all three approaches PWC studied are focused on shifting the storage of credit card data outside the enterprise. That’s outsourcing. Not the most popular term in large IT shops, which have spent millions of dollars on enterprise security programs–“defense-in-depth” security architectures to protect confidential data, of which credit card data is but one type. Even as the corporate IT security philosophy aims to “protect digital assets,” merchants have been extremely vocal at the CEO and CFO levels about not wanting the credit card data on their systems. So how will the PCI SSC and merchants respond to these conflicting priorities? There are a couple of distinct scenarios.

  • advertisement

    2 Comments | Read The Two Scenarios Coming From The PWC PCI Report

    1. Mike Says:

      I too attend the PWC presentation at the PCI Community meeting last week and found it to be a complete waste of time. The PCI Council has been pointing to this study and saying we should wait for the results until they would answer any questions related to scoping, tokenization and end-to-end encryption.

      Well we waited for the study and in my opinion didn’t get any more information than we already had from reading the articles that have been posted over the last six months on these same topics. PWC just simply published the same data that other sources have been discussing for some time now.

      A better question to ask is why does the PCI council even need PWC? If the PCI Council has a Technical Working Group (TWG) and a Chief Technology Officer (CTO) in Troy Leach shouldn’t these people be able to research these technologies and determine what the recommended solutions should be for merchants. Based on what I saw at the community meeting, neither Mr. Leach nor the TWG are technical enough to evaluate these technologies. So merchants continue to wait for guidance from an unqualified group of people as to how to protect their credit card data.

      Organizations have tried to reach out to the PCI Council for answers but the emails we submit take two to three months for an answer and then we receive “talk to your QSA” as a response. We tried to ask questions at the community meeting but were told that “they could not comment on specifics”. This group simply does not have the technical knowledge or background to guide the PCI standard in the right direction!

    2. David W. Says:

      For the last 2 years, a consistent them at the community meetings has been the conflict between “the standard is too vague” and the “the standard is to explicit”. It’s a legacy problem with roots in the evolution of Information Security standards

      In the Info Sec world, there is usually a policy hierarchy. The old ESF/ISF formula dictated a “Policy > Standard > Baseline > Procedure” approach. There was only one high-level Info Sec policy, accompanied by a few, slightly more detailed Standards (i.e “Data Classification Standard”. Baseline Controls defined the standard control set for a specific technology (i.e. UNIX baseline) and Procedures gave step by step instructions for implementing the baseline (think “Account Request” process).

      The PCI DSS is indeed a standard. It is a high-level document, relatively static, that is more oriented towards “what” than “how”. Given the issuing body and the audience, it’s probably the best level form which to approach the issue. It leaves the freedom to develop the “baselines” and “procedures” in the hands of the implementers (where it belongs).

      The PwC study is the first foray into “how” for the PCI SSC, and a response to member input into requests for greater detail in that area. It’s also quite probably as far as the Council will be willing to go in that direction. I suspect the council will pursue their historic course of action in this regard. These technologies will be treated like tokenization, with the implementation left up to the merchant and validation left up to the QSAs.

      Specific, published guidance will likely be derived from PCI SSC Special Interest Groups (SIGs). The Wireless and Pre-Auth SIGs have been quite productive, and the Virtualization and Scoping SIGs are making progress. I would not be surprised to see SIGs spring up surrounding these study topics, with guidance forthcoming in 2010. But I’ve been wrong before……


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.