I have been intrigued by the way that the Payment Card Industry Data Security Standard (PCI DSS) is enforced for some time now.
After all, it is not controlled by a government-appointed regulator, its enforcement level seems to be minimal, and quite frankly I have often perceived it to be an ‘opt-in’ benchmark. Perhaps I am wrong about the latter, or about all those points, but one thing is clear: its drivers, the PCI Security Standards Council (SSC), have felt a little out of reach for us in Europe.
If you have felt that, you will be delighted to know that a new European director, Jeremy King, has been appointed to the SSC and his first interview in his new position was granted to SC Magazine.
King told me that as a former MasterCard employee, specialising in PCI for six out of the last ten years, he was part of the team that set up the point-of-sale PIN entry device (POS PED) programme and spent the last two to three years giving support in other PCI areas.
In his role, he has set several goals, of which three are key:
- Increase awareness of PCI to Europe
- Increase European involvement of PCI SSC
- Manage the needs of individual countries within Europe itself: the core 32 areas of Europe and the SEPA region, the European Union, and the countries within the EU.
King said: “The first thing is I need to get myself in Europe and make people aware that there is a European presence.”
Asked if there is a difference between countries from a technical perspective, King said: “Absolutely, and the third goal comes in here as we are managing the needs of 32 countries.
“Europe is not the United States, and each individual country has individual needs and requirements and ways of doing things for 30-40 years, so there will be situations where a particular solution will fit the UK but not Spain or Germany.
“So there are needs that we will need to look at, and utilising the educational documentation within PCI we should be able to ensure that with individual needs, those countries will still be able to meet the needs of PCI and get themselves on to a compliant status.”
He said that a key area that the SSC is looking to implement is to improve participation, as ‘from participating comes the opportunity to have input into the standards’. He said: “We are trying to get the message out and that will help me achieve the second goal.”
There are so many issues and questions to be asked about PCI, so I threw the invitation open to some of the companies we have spoken to about PCI to ask the questions they want answered.
Firstly, Rackspace asked that with a new version of the PCI standard (1.3) out in October, how will changes affect people still struggling to meet the requirements of 1.2, and how much leeway will people have?
King said: “2010 is a really busy year, and a great time to join PCI because everything is happening at once as we are introducing the new PCI DSS. The current standard was rolled out in May, and with the latest version of the Payment Application Data Security Standard (PA-DSS) being rolled out, there is a lot of new information for people to take on board and one of the ways we are trying to help the merchants is we have modified our lifecycle.
“We are now on a three year lifecycle for all of the standards so merchants can get more time to understand what the changes are and understand what they are impacted by, get up to speed and get compliant.
“Once it is released we are not expecting to see everyone compliant from day one; there is some leeway in which they can move towards meeting the new level.”
Ella Nevill, director of marketing and communications at the PCI SSC, clarified that it had been sharing the standard with participating organisations over the summer. They determined that sharing in autumn was not effective, as systems were locked down from the summer to Christmas, so merchants could not look at it until the New Year anyway. Therefore the new standard will be introduced from January 2011, while the old standard will ‘sunset’ at the end of December 2011.
Tripwire claimed earlier this year a third of merchants do not understand the requirements of PCI DSS compliance and only 11 per cent are certified as compliant. It asked how satisfied the council was with the level of compliance within level one and two, and level three and four merchants?
King said: “It is safe to say that whilst some of the merchants are making a very good effort and working their way towards compliance, it is also safe to say that others still have some way to go, and one of my key roles is to help those level one and two merchants, especially in Europe and understand how applicable PCI DSS is to them and to get compliant.
“We're trying to look at smaller merchants to see if there is better help and support that we can give and that is something within PCI the experts are looking at to see if we can help with compliance.”
LogRhythm also pointed to the Tripwire survey, and asked what the council plans to do about this to encourage uptake of the regulations?
King said that he had already started to meet with the acquirers, as they are responsible for the merchants. Through the acquirers, the council would get the message out to their merchants about the importance of PCI.
He also said that he had been talking to financial services companies, and by starting at the top of a pyramid he was using that as a method to filter down the information.
“So we are trying to spread information down and then use a supporting role and feed down the pyramid to the merchant level. They not only realise that it is something that they need to do but understand the rationale and reasons for it, which is what we are all about – protecting the card holder data, and ensuring that the card holder data is protected and they feel that they are secure through the transaction,” he said.
Looking at enforcement, Rackspace asked if there were plans to get more involved in enforcing the consistency of PCI fines and penalties across the board?
King said: “The key role of PCI is that we are a standards body, so it is our role to provide the standards against which other bodies can be evaluated and shown to be compliant.
“That really comes down to individual card brands, but what I will say to the merchants is be aware of the impact, be aware of what happens to their reputation because that is critically important to them, because if they are the source of a major breach their name will be dragged through the newspapers and the card holders will not have the confidence to deal with them. Reputational damage is there, fines are down to card schemes and card holders will vote with their feet.”
I asked King if there are any plans for penalties at all. He stated that there were not, as the SSC was about trying to encourage people to comply with the standard and improve security.
“We are not saying just comply with our standard, it is the building blocks and a good basis for security to build a good level of security and from that, a good level of compliance will follow. They should not be trying to tick all the boxes of compliance as that is not going to give you security, it is the other way around,” he said.
Technology has moved on considerably since the standard was first launched back in 2004, and with other sectors incorporating the new developments into their own regulations, LogRhythm asked if the council planned to incorporate such technology developments into the PCI DSS?
King said that the simple answer was yes, as the council is always looking at new technology and its technical working group was looking at some areas, such as EMV and how EMV and PCI DSS fit together.
Nevill said that it was important for the SSC to ‘stay as technology agnostic as possible’. She said: “You won't see a standard that writes all of the emerging technology into the standard.”
Finally, Tripwire said that many merchants are granted leniency in their first crack at compliance, but this varies by qualified security assessor (QSA). It asked what the council is doing to ensure more consistent and rigorous compliance, and whether the council is satisfied with the degree of variance in assessment between QSAs.
King said: “I think one of the key words over all of our standards is to ensure consistency and consistency of application, and we have introduced a quality standard within the QSA and we have been undertaking a lot of QSA training and we also have a clearly defined feedback method because there are a number of PCI DSS requirements which do require some interpretation.
“You are never going to get a situation where you will not get a slightly different view, so what we need to make sure is that the overall result is that a merchant who applies this will get a pass and those that do not, will get a fail.”
King concluded by saying that consistency ‘is difficult to achieve but we are all working to achieve it’. Perhaps one of the biggest challenges for PCI DSS is to ensure that merchants take it seriously and see it as worth participating in.
As we have seen with data loss, the reputational damage can often be worse than the actual infiltration of information, and with card payments there is a need to ensure that it is done safely and securely. With a presence in Europe, perhaps that realisation will now be taken much more seriously.