Credit card companies should be encouraged to work with smaller vendors when it comes to compliance, but it is too soon to write off PCI regulations.
Following claims made yesterday that the Payment Card Industry Data Security Standard (PCI DSS) is not suitable for small businesses, and that enforcement could cause a business to go under, Jan Fry, head of PCI at ProCheckUp Labs, agreed with the principle that PCI DSS is by no means a ‘one-size-fits-all’ standard, but said that complaining about it will not get companies anywhere.
Fry said: “Everyone has had at least five years to digest the standard. It stuns me that organisations are stuck in this ‘I don't like it, so I'm not going to do it’ mentality. ‘Mike’ seems to suggest that there is only one option - full compliance with every little bit of the standard or you are going to be exterminated!
“Well, for starters, there are four different self-assessment questionnaires. Acquirers are also generally quite understanding of complexities and difficulties that certain aspects of the standard introduce. More often than not, initially they just want to be assured that you are aware of the standard and to see some progress towards compliance.”
Fry agreed that parts of the standard are not clearly written, but said merchants too often read a requirement once, fail to understand it and then give up.
Commenting on Mike's claim that PCI could ‘cripple an organisation’, Fry said that once companies get away from the flashy devices that claim to solve ‘all your PCI DSS headaches in one box’, they will find cost-effective solutions that meet the intent of the requirements.
Amichai Shulman, CTO of Imperva, previously conducted a joint survey with the Ponemon Institute which found that PCI DSS compliance was being adopted mainly by larger organisations, and that perceived cost seems to be the number one deterrent for smaller organisations.
Reacting to Mike's comments, he agreed that there should be a variation of the standard for smaller entities.
He said: “We must remember that information security is eventually about risk management. Lately I ran into an eCommerce site whose database was breached and put on sale in hacker forums. Tracing this incident back I found out that the application was anything but PCI DSS compliant. The front-end web server was not protected against any application-level attacks (and in particular SQL injection) and the database was holding credit card information in cleartext, including the forbidden CVV.
“However, the database contained the data of roughly 1,000 users. Knowing the costs involved in becoming PCI compliant and maintaining compliance over time it is apparent that these are much higher than the potential damages resulting from this breach to any of the parties involved (merchant, issuer, credit card company). Clearly covering the risk posed by such small incidents can be achieved by a minor increase in transaction fees that would be used to buy insurance.”
He said that credit card companies should encourage small vendors to work through payment services rather than write their own transaction-processing code, since the vendor's application then never needs to store or process sensitive cardholder data.
“Encouragement can be done in the form of reduced transaction processing costs. At the same time, a variation of the standard should be created for smaller organisations to include those parts of the more general standard that present the highest return on investment in terms of reducing the risk of a breach,” said Shulman.
“This is of course no excuse for mid-size businesses to neglect the security of their clientele's data. In fact there are solutions today that allow pretty small organisations to enjoy, for example, the protection of a web application firewall without having to actually own or manage one. This is the kind of responsible behaviour that we as consumers should demand from online vendors we use.”
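The two failings Shulman describes (a front end open to SQL injection, and raw card data including the CVV sitting in the merchant's database) and the remedy he recommends (hand the card to a payment service and keep only a reference) can be shown in a few lines. The following is an added example written for this page; it is not code from the breached site, from Imperva or from any payment provider. The `tokenize_with_processor` function is a stand-in for a real gateway's tokenization call, the `tok_` token format is invented, and the two customer records are constructed test data.

```python
import secrets
import sqlite3


def open_db():
    """In-memory database with two layouts side by side: the breached site's
    (PAN and CVV stored raw) and a tokenized one that never sees the CVV."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards_plaintext (
            id INTEGER PRIMARY KEY, email TEXT, pan TEXT, expiry TEXT, cvv TEXT);
        CREATE TABLE cards_tokenized (
            id INTEGER PRIMARY KEY, email TEXT, token TEXT, last4 TEXT, expiry TEXT);
    """)
    return conn


def store_card_plaintext(conn, email, pan, expiry, cvv):
    """What the breached site did: full PAN and CVV at rest. Retaining the CVV
    after authorisation is forbidden outright, and the PAN would have to be
    encrypted or truncated. Shown only as the 'before'."""
    conn.execute(
        "INSERT INTO cards_plaintext (email, pan, expiry, cvv) VALUES (?, ?, ?, ?)",
        (email, pan, expiry, cvv),
    )


def tokenize_with_processor(pan, expiry, cvv):
    """Stand-in for a payment service's tokenization call (assumption: the real
    gateway takes the card once and hands back an opaque reference). The
    'tok_<hex>' format is invented for this example."""
    return "tok_" + secrets.token_hex(16)


def store_card_tokenized(conn, email, pan, expiry, cvv):
    """The hosted-payment route: keep the processor's token plus the last four
    digits for display; PAN and CVV never reach the merchant's tables."""
    token = tokenize_with_processor(pan, expiry, cvv)
    conn.execute(
        "INSERT INTO cards_tokenized (email, token, last4, expiry) VALUES (?, ?, ?, ?)",
        (email, token, pan[-4:], expiry),
    )
    return token


def lookup_injectable(conn, email):
    """String-built query: whatever the user typed becomes SQL."""
    sql = f"SELECT email, pan, cvv FROM cards_plaintext WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the driver passes the value separately, so a quote in
    the input is data, not syntax."""
    sql = "SELECT email, token, last4 FROM cards_tokenized WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def column_names(conn, table):
    # table is a constant chosen by the code, never user input
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def demo():
    """Load two constructed customers into both layouts, then run the same
    injection payload against each lookup. Returns the facts worth checking."""
    conn = open_db()
    customers = [  # constructed test data; 4111... is a well-known test PAN
        ("alice@example.com", "4111111111111111", "12/27", "123"),
        ("bob@example.com", "5555555555554444", "06/26", "456"),
    ]
    for c in customers:
        store_card_plaintext(conn, *c)
        store_card_tokenized(conn, *c)

    payload = "' OR '1'='1"  # classic tautology; no account needed
    dumped = lookup_injectable(conn, payload)
    safe = lookup_parameterized(conn, payload)
    legit = lookup_parameterized(conn, "alice@example.com")
    return {
        "rows_dumped": len(dumped),          # whole table leaks
        "cvv_exposed": dumped[0][2],         # and the CVV comes with it
        "rows_for_payload": len(safe),       # parameterized: no match
        "rows_for_alice": len(legit),
        "token_prefix": legit[0][1][:4],
        "last4": legit[0][2],
        "tokenized_columns": column_names(conn, "cards_tokenized"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the comparison: the tautology payload pulls every row, CVV included, out of the plaintext table, while the same payload against the parameterized lookup matches nothing and an honest email returns one row holding only a token and the last four digits. The point of the second table is not the parameter binding alone but that there is nothing in it worth stealing, which is what routing transactions through a payment service buys a small merchant.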