Why PCI Doesn’t Get Easier the Second (or Fourth) Time Around

Written by Walter Conway
June 8th, 2011

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

It seems logical to expect that the effort a retailer expends validating its PCI compliance should lessen with each passing year. To some extent that logic holds, but only to a relatively small extent. Why is this the case? Why don’t assessments get a whole lot easier each year? Why is last year’s compensating control no longer acceptable? And why are practices assessed as compliant last year not compliant now?

The answer to all these questions is simple: Things change. And those changes are typically caused by one of three things: PCI DSS itself changes; the threat environment changes as the bad guys adopt new tactics; or, most often, the retailer’s own payment environment and, therefore, its PCI scope, changes. Think about it. How many times does a year go by in which retailers don’t expand their network, add new servers and expand the number of end users?

Let’s start with changes to the PCI DSS itself. The move from version 1.1 to 1.2 had some significant changes. Requirement 6.6, which sought either an application review or Web application firewall in front of public-facing Web applications, became mandatory. The PCI Council also clarified external vulnerability scanning and penetration testing requirements, and it set a sunset date for WEP as a means to secure wireless networks.

Although many changes are “evolutionary,” they will require additional work. For example, Requirement 6.2 tells merchants and processors not only to identify new security vulnerabilities but also to “assign a risk ranking” to each one. Then merchants need to reflect these self-developed risk rankings in both their applications (Requirement 6.5.2) and their internal vulnerability scans (11.2).

Another change affects merchants with in-scope wireless networks protected with WPA, which “is no longer considered strong encryption on its own.” These merchants need to either upgrade to WPA2 (and hope that remains adequate) or re-think their use of wireless.

The PCI Council can change the Self-Assessment Questionnaires (SAQs). It may introduce new ones that can make a merchant’s validation easier (e.g., SAQ C-VT). The Council can also make changes that increase a merchant’s validation work and cost. Many merchants face this situation as they grapple with the new SAQ C requirements. Of course, there’s also the looming mobile payment changes.

Because PCI is now on a three-year lifecycle, merchants, processors and assessors can anticipate a fair degree of stability, at least through 2013 (sans those imminent mobile payment changes). The same cannot be said about the bad guys, who are devising new attacks constantly. As such, merchants need to reflect these emerging risks in their risk analyses (Requirement 12.1.2).

This year, for example, most merchants will need to update their risk analyses to reflect the risk of their security vendor or service provider being compromised. I doubt many merchants (or processors) included this contingency in their risk analyses, but after the RSA experience, they now will need to do so. While there, make sure incident response plans are up to date with changes in national (or international) and state breach notification legislation.

I can’t tell you how often I look at an incident response plan that has out-of-date contacts, people who have moved to a different part of the company (or even left), and incorrect or missing phone numbers. It seems these details rarely get updated during the course of the year (at least judging by the dust that sometimes needs to be blown off the binder), so it can be like starting over each year.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.