
Companies struggle with PCI DSS requirements

By Ron Condon, U.K. Bureau Chief
04 Sep 2009 | SearchSecurity.co.uk


If you are struggling to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements, you are not alone.

The latest meeting of the PCI DSS User Group, held in London on September 3, gathered representatives from a variety of high-street retailers and financial-services companies, but one theme appeared to unite them all: the difficulty of becoming compliant with every detail of the standard.

PCI DSS is a very prescriptive standard, designed to protect cardholder data wherever merchants and service providers store, process or transmit it. Compliance deadlines for the standard, which originally fell four years ago, have continued to slip, and many of those attending the user group said they were unlikely to achieve compliance within the next two years.

"We are secure, and we take security very seriously, but we are not going to be bulldozed into going through a compliance process that will cost us an arm and a leg before we are ready," said one attendee, who preferred not to be named.

Nigel Dickens, CISO at insurance company Cardif Pinnacle Insurance Management Services plc, gave one example of where the standard could be difficult to implement. "Part of the standard requires you to restrict the number of people who have access to encryption keys, and you have to be able to prove you manage keys safely," he said. "It can be done, but it's quite resource-intensive. In many cases, keys may be completely incompatible -- you may have digital certificates in one area, PGP keys in another, and passphrases being used as an encryption key somewhere else. They are all incompatible. You can start pulling things together, but it may depend on you being able to put in something new and start afresh."

Another tricky problem among the PCI DSS requirements, he said, is the handling of call recordings where customers give the full details of their credit card over the phone. "You are forbidden to store the CV2 number, but how the hell do you get that out of the call recording? Call recording systems are very expensive and last a long time."

Other attendees complained that their systems suppliers and other specialist providers, such as e-commerce website designers, were struggling to provide compliant products. For instance, a high-street retailer explained that his point-of-sale terminals -- supplied and maintained by a subsidiary of BT Group plc, and in common use among many leading retailers -- are non-compliant because they write full card details to log files held on the terminal. The log files are essential for maintenance and bug-fixing, but they could equally be retrieved by a thief with access to the terminal. The supplier is still trying to come up with a solution, he said.

Others raised the issue of ensuring that websites are compliant while maintaining the company brand. "We are concerned about how to control the payment experience of our customers if we outsource the payment process," said one retailer.

Another concern was the associated Payment Application Data Security Standard (PA DSS), which applies to off-the-shelf payment applications and, among other things, prohibits them from storing sensitive authentication data such as full magnetic stripe contents, CVV2 or PIN data after authorisation. Several retailers said the range of validated applications was extremely limited, and only available from a couple of very small suppliers so far.
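The two failure modes described above, terminals writing full card details to local log files and applications retaining magnetic-stripe or CVV2 data, are things a merchant can check for in its own logs before an assessor does. The script below is an added example written for this article; it is not code from the article, the PCI DSS User Group or any supplier named here. It scans log lines for Luhn-valid 13-19 digit account numbers and masks them to the first six and last four digits (the most PCI DSS allows to be displayed), and strips track 2 and CVV fields outright, because sensitive authentication data must not be stored at all after authorisation. The log format, the field names (pan=, track=, cvv2=) and the log lines are constructed for the example; 4111111111111111 and 5500000000000004 are widely published test card numbers, not real accounts.

```python
"""Scan application or POS log lines for card data that PCI DSS says must not
be stored in the clear: primary account numbers (masked to first 6 / last 4)
and sensitive authentication data (track 2, CVV2), which is removed entirely.

Added example for this article; the log format, field names and card numbers
are constructed. 4111111111111111 and 5500000000000004 are published test
numbers, not real accounts.
"""
import re

PAN_MIN, PAN_MAX = 13, 19

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# that is not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Track 2 as it appears when a terminal logs the raw swipe: ';' start
# sentinel, PAN, '=' separator, YYMM expiry plus 3-digit service code,
# discretionary data, '?' end sentinel.
TRACK2 = re.compile(r";\d{13,19}=\d{7}[^?]*\?")

# Key/value CVV-style fields in logged request parameters (cvv, cvv2, cvc, cid).
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by the major card brands; it rejects most
    timestamps, order numbers and other digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to
    be shown; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, findings); findings is a list of (kind, value)
    tuples describing what was removed or masked."""
    findings = []

    def drop_track2(m):
        findings.append(("track2", m.group(0)))
        return "[TRACK2 REMOVED]"

    def drop_cvv(m):
        findings.append(("cvv", m.group(0)))
        return m.group(1) + "=[REMOVED]"

    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not (PAN_MIN <= len(digits) <= PAN_MAX and luhn_valid(digits)):
            return m.group(0)   # not a card number: leave it alone
        findings.append(("pan", digits))
        return mask_pan(digits)

    # Track data first, so the PAN inside it is removed rather than masked.
    line = TRACK2.sub(drop_track2, line)
    line = CVV_FIELD.sub(drop_cvv, line)
    line = PAN_CANDIDATE.sub(mask, line)
    return line, findings


def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, count_by_kind)."""
    scrubbed, counts = [], {}
    for raw in lines:
        clean, findings = scrub_line(raw)
        scrubbed.append(clean)
        for kind, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return scrubbed, counts


# Constructed sample: a POS terminal and a web tier logging more than they should.
SAMPLE_LOG = [
    "2009-09-03 10:14:02 POS-07 auth request pan=4111111111111111 exp=1012 amount=45.99",
    "2009-09-03 10:14:02 POS-07 raw swipe track=;5500000000000004=1012101123400001?",
    "2009-09-03 10:15:41 WEB checkout card=4111 1111 1111 1111 cvv2=123 order=2009090312345678",
    "2009-09-03 10:16:05 POS-07 reference=1234567890123456 status=approved",
]

if __name__ == "__main__":
    clean, counts = scrub_log(SAMPLE_LOG)
    for after in clean:
        print(after)
    print("findings:", counts)
```

Two caveats when running this over real logs. The candidate regex only considers digit runs bounded by non-digits, so a PAN concatenated with another number is missed; widening it to every 13-19 digit window inside a longer run catches those but, since roughly one random digit string in ten passes Luhn, it also multiplies false positives on reference numbers. And scrubbing is a detection and containment step, not the fix: the terminal or application has to stop writing the data in the first place, and any historical logs, backups and call recordings that already contain it remain in scope until they are purged.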

The lack of a firm and consistent deadline for the PCI DSS requirements is also the cause of some confusion. Attendees felt that banks and acquirer organisations are all operating on their own timescales, so that while some are pressing merchants to make progress, others are taking a more relaxed approach.

Some pressure is being applied to smaller merchants, those at Levels 3 and 4, in the form of higher fees for non-compliance, but the impression amongst attendees was that the larger retailers, perhaps those at Levels 1 or 2, could dictate terms to their acquirers.

Jan Fry, head of PCI at ProCheckup Ltd., the security company that hosts the PCI DSS User Group, warned that companies can expect to come under greater pressure to comply. "The card companies focused initially on the U.S., but now they are turning their attention more to Europe," he said.

He added that the minimum companies should do is "show progress" to their acquiring banks. "You need to have a roadmap in place for compliance. It means the acquirers can report back to Visa that progress is being made. The acquirers themselves are now getting pressure from the card companies," he said.

Fry agreed that the current picture is still a bit confusing. "Sometimes we see the acquirers applying pressure to a Level-1 merchant, while another Level-1 player has had no contact from their acquiring bank. At the same time, a small e-commerce guy will be getting regular calls for PCI progress."

The PCI User Group, formed in 2005, allows merchants and retailers to regularly come together and share their PCI-related experiences and issues with fellow professionals.

* SearchSecurity.co.uk is the official media partner of the PCI DSS User Group. If you have any questions about PCI DSS, please send them to our editor inbox, and we will find an expert to answer them.
