Why Most PCI Self-Assessments Are Wrong

Written by David Taylor
April 23rd, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The reason that so many PCI self-assessments are wrong is that they focus on the mainstream business processes of the company. They often ignore the “back-channel” or “just-in-case” practices through which card data enters the company without the protection of the PCI and other data security measures that guard the mainstream applications, data repositories and processes.

Here are 3 examples, all of which come from personal experience:

  • Collecting Data Just in Case
    I’m at the Electronic Transactions Association (ETA) and RSA Security conferences this week. When I checked into my hotel, which was paid for in advance via Expedia, the desk clerk said he had to make a photocopy of both my credit card and my driver’s license. When I asked him why, he said their auditor requires it, and that the auditor reviews all the photocopies every 30 days.

    He also said that if I wanted my photocopy back when I checked out, he would give it to me. From a PCI perspective, it’s clear they are shipping thousands of photocopies of card data and driver’s license data from each hotel to corporate every month. It’s also clear that, since they are returning the photocopies to those guests who request them, the auditor is reviewing incomplete (and therefore unreliable) data and that the audit likely serves no business purpose, other than being a potential CYA backup, “just in case” something goes wrong.

    The company has gathered a lot of confidential data that, I’d be willing to bet money, is not considered in their self-assessment and is, in all likelihood, not reliably purged on a regular basis. This is all risk, with virtually no reward—a classic worst practice.

  • Giving Too Much Data Access to Store Clerks
    My wife went to return an item to the local mall, to a major women’s clothing chain, but she had forgotten her credit card. “No problem,” the clerk told her. All she had to do was give the associate her social security number and they would use the social security number to look up the credit card number.

    Considering that my wife never remembered providing her social security number to this store (and given that her husband is a data security geek), she was reluctant, but decided to see if they really had her SSN. They did, and the clerk showed her that, yes, she had a lookup feature that allowed her to pull up the full customer record from the SSN. The PAN would also have worked, she was informed.

    What I don’t know is whether the retailer in question was actually buying customer SSNs from a third party or whether my wife simply forgot she provided this information on, say, a questionnaire at some point. Either way, there is no justification for allowing clerks to have this kind of customer data query functionality or for training clerks to ask for SSNs as a way to look up a PAN. For sure, this is not PCI compliant, but I would, again, be willing to bet that this process and this retail clerk access were not included in this retailer’s self-assessment. Even a QSA might have missed it if the process wasn’t documented.

  • Forgetting About “Sidewalk Sales” and Other Special Events
    Last fall, I went to a “tent sale” at a midsize sporting goods store, a regional chain. It was held in the parking lot of the store, and the store had brought out all the old POS systems they could find in storage to cope with the volume and because their in-store systems weren’t portable. As I’m sure you can guess, some of the old systems were neither FACTA nor PCI compliant and showed all 16 digits: the classic “knuckle buster” issue. We’ve all seen this, but my point is that I think it’s very unlikely that the PCI compliance issues associated with continuing to use these systems for special events were either ignored for the purposes of the self-assessment or some note was made about how some “compensating control” was used, such as locking up the paper receipts, etc. Again, it’s simply a matter of spending the money so that these old systems can be retired (or sold on eBay to another retailer, so it becomes his problem!).

  • The Bottom Line
    One of the value propositions for Level 2 and 3 merchants initially using a QSA or other PCI consultant to do a gap analysis is that they can catch these “alternate channel” PCI issues, because they have seen them before and know what questions to ask. Even if you don’t want to spend money on a QSA or consultant, it is important to ask lots of questions, call some large meetings and solicit input from people involved in all different aspects of the business.

    Perhaps the most common problem I’ve seen in more than 4 years of working in PCI compliance is that months after the PCI assessment is complete, someone will find a new “treasure trove” of card data, or identify a procedure where card data is collected that was missed the first time around. Call it trial and error or whatever you want, my experience has been that most PCI self-assessments will miss the types of card data security issues noted here.

    Obviously, we’d really like to hear other examples. All our discussions are 100 percent anonymous, so if you’d like to talk about it, or send an example of your own, visit the PCI Knowledge Base and comment in our discussion forums, or just send us an E-mail at
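As an added illustration (not part of the original column), the Python sketch below shows the kind of card-data discovery scan that turns up the “treasure troves” described above: it sweeps text such as an old-POS receipt export or OCR output from front-desk photocopies for candidate PANs, Luhn-validates them so order numbers drop out, and flags any that are printed in full rather than truncated as FACTA and PCI DSS require. The sample lines are constructed and the card numbers are the public Visa/Mastercard test numbers.

```python
import re

# Constructed sample of the kind of text a discovery scan covers: old-POS
# receipt lines from a tent sale and OCR text from a front-desk photocopy.
# The card numbers are public test numbers, not real accounts.
SAMPLE_TEXT = """\
TENT SALE 2008-10-04 REG 07 VISA 4111 1111 1111 1111 AUTH 012345
TENT SALE 2008-10-04 REG 07 VISA ************1111 AUTH 012346
FRONT DESK COPY MC 5500-0000-0000-0004 EXP 09/10
ORDER 1234567890123456 SHIPPED
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every card-brand PAN passes it, most order ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncated form: FACTA allows at most the last 5 digits on a receipt and
    PCI DSS masking shows at most first 6 / last 4; last-4 satisfies both."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return one finding per Luhn-valid, untruncated PAN in the text.
    A line whose number is already masked yields no finding, which is the goal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "length": len(digits),
                                 "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f['line']}: full {f['length']}-digit PAN exposed; "
              f"should read {f['masked']}")
```

Run against real exports, the same scan is how a team finds the receipt archives and photocopy scans that a process-only self-assessment never asked about.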
