Experts fret over credit card compliance
PCI DSS fails to settle SMEs
Efforts by the credit card industry to boost merchant security are likely to flounder unless tighter regulations are accompanied by punishments against transgressors.
The Payment Card Industry Data Security Standard (PCI DSS) methodology aims to improve the security of cardholder data among banks, service providers and the merchant community. The industry self-regulation standard is more prescriptive and detailed than earlier regulatory regimes (such as Sarbannes-Oxley) but still leaves plenty of room for interpretation. Although voluntary, at least in theory, those subject to a breach who aren't able to show they've followed best practice by signing up to PCI DSS risk having their ability to process cards taken away.
Merchants and service providers need to validate compliance against an audit by a qualified assessor.
But there are major holes in the process of becoming compliant, and even greater challenges in staying compliant as networks are evolving, according to panelists discussing the issue at the NetEvents technology summit in Malta on Thursday. Hundreds of qualified assessors attempting are audit hundreds of thousands of merchants creating a potential gap in the system.
Neal Hartsell, VP of product marketing at IPS supplier TippingPoint, said that although the high profile credit card security beach at TJX has stole the headlines problems at small merchants also present a severe risk. For example the link between a scanning device through to the software application on the PC in a small store is often unencrypted, even though the data is encrypted is placed in an encrypted tunnel after it leaves the computer. A keystroke logging planted on such machines therefore presents a severe security risk.
The problem is that small shops don't know PCI DSS exists and, if they do, they don't take the process seriously enough. "SMEs are not able to make these kinds of decisions, which ought to be the responsibility of vendors," Hartsell said.
Bob Walder, chief scientist at testing and certification firm NSS Labs, said small merchants using self-assessment will be tempted to just tick boxes saying they had set up a firewall or secured their network. Part of the problems is that assessors act more like consultants than health inspectors. Nothing will happen unless you take away merchant accreditation.
Many merchants wonder why they should invest in PCI DSS compliance when it does little to help them sell more products, Walder added.
Hartsell criticised SOX compliancy as a "wasted effort" from a security perspective because it failed to outline tactics for achieving strategic directions. PCI DSS is better because it outlines best practice, such as using a firewall and a secure wireless LAN, but doesn't go far enough. "DSS and it tells me what I have to do, but it doesn’t actually tell me how I’m going to do it", said Walder, who added a product accreditation scheme was needed. ®
Lots of retailers just don't have a clue
There is a huge problem with awareness of the PCI DSS. A lot of our clients that are large retailers are just not aware of it. They are also not used to running "controlled" environments so the whole process of having to become compliant with a standard is a culture shock, let alone maintaining control over their systems to stay compliant!
This isn't just SME's its high street stores too. Merchants need to do more to protect our card data when it hits their back office systems. I've seen places that I wouldn't shop at again now I know what they do!
According to our card processing t&cs, there is no risk to the merchant from chip and pin transactions. The only risk is from signature-verified transactions which...well...we haven't done one for over 12 months. According to various articles I've read this was decided as a strategy by the processors to encourage take up.
My company is lucky in that in over 10 years of accepting plastic we've never had a single chargeback. We had 1 request for 'proof of signature' which we supplied once and that was never charged back. Just lucky I guess.
Hello... EMV Anyone? Anyone?
The banks in the U.S. are performing a novel form of multi-level fraud by promoting "identity theft" services and conveniently ignoring/denying/discrediting EMV simply because they stand to lose much more money if they go to EMV.
To follow-up on the excellent "balance of risk II" comment, guestimate the level of gross fraud at about 1%-3% of all transactions. You can figure the "net fraud." e.g. the cost the bank assumes. And then subtract Net Fraud from the income generated by "identity theft" services and the banks come out way, way ahead.
So, even if the gov't paid 100% of the costs of implementing emv. It's the money the bank loses with the elimination of "identity theft" and merchant charge backs that stops them.