With the compliance deadline just four days away, many retail merchants are still trying to climb over high hurdles in the Payment Card Industry (PCI) security requirements -- and figuring out what will happen if they can't make it in time.
The PCI Data Security Standard (PCI DSS), a set of security requirements for retailers and other businesses that process credit cards, is mandated by the major credit card companies, including Visa and MasterCard. If companies don't comply, they may be subject to fines, or they may even have their ability to process credit cards revoked.
Despite the threats of fines and penalties, however, it looks as though many retailers are about to miss yet another PCI compliance deadline. Experts estimate that more than a third of Level 1 merchants -- the largest retailers -- will fall short. Smaller retailers generally are even further away.
"Sixty percent of the respondents in the U.S. and the U.K. will plan to be fully compliant in the next year, while 51 percent of companies in Germany and 40 percent of companies in Spain and France are planning to take more than one year to comply with PCI," says Forrester Research in an RSA-sponsored study of the largest merchants published earlier this week. "Twenty-two percent of the global respondents plan to take at least two years or more before becoming fully PCI compliant."
In a separate study of 60 recent PCI audits at 50 major companies, security vendor VeriSign found that some 53 percent of organizations failed at least one of PCI's 230 requirements. That's an improvement over last year's study, in which 73 percent of companies failed the audit, VeriSign says.
If they don't make it by Sept. 30, it will be the third time the stragglers will have missed a PCI compliance deadline. The credit card companies had originally mandated compliance by June 2005. The deadline was stretched to 2006, and then the deadline for the revised PCI 1.1 was extended to Sept. 30 of this year. (See Retailers Lag on Security Standard.)
So what's taking so long? Experts differ on which is the largest obstacle, but three elements consistently come up in all of the conversations: access management, application security, and encryption.
More than a quarter of companies are still struggling with the process of classifying credit card data and finding a secure place to store it, which means they still have a lot of work to do on access control, Forrester observes. Another 25 percent said developing effective policies and procedures for access control is their biggest sticking point. Twenty percent said implementing proper access control technologies is a chief hurdle.
But application security was one of the chief topics discussed last week at a meeting of the PCI Security Standards Council, which attracted more than 300 IT and compliance officers at major companies to Toronto.
"One of the biggest questions was whether companies should do detailed code review or put in an application firewall," said Joe Lindstrom, senior director of compliance consulting at Symantec, who was a panelist at the meeting. "The standard says you must do either one, but it doesn't require you to do both, so a lot of companies are struggling with what to do there."
Computer forensics experts at the Council meeting testified that as many as 60 percent of the breaches they have investigated in PCI environments can be traced to flaws in five or six retail applications, Lindstrom reported. "They didn't want to give out the names of those apps, but they are mostly payment processing applications that are specific to the retail environment."
Encryption, cited often last year, also continues to be among the most difficult technical obstacles to PCI. Twenty-seven percent of respondents to the Forrester survey said data encryption is the most challenging area of PCI compliance -- approximately the same share of respondents that cited identity and access management. A key element here is the wireless environment, where WEP continues to be the dominant technology despite its well-documented weaknesses, experts observe.
But while many large U.S. merchants and payment processors struggle with these technical issues, credit card companies are likely more worried about smaller retailers and non-U.S. regions that are not nearly as far along as their Level 1 counterparts. For many of these companies, the problem is not technology, but resources.
"The forensics people we heard from said that more than 80 percent of the [credit card] compromises they see are coming from merchants who are at Level 4 -- the smallest retailers," said Lindstrom. "This is where the least [PCI compliance] work has been done."
The forensics experts also confirmed the RSA study's suggestion that other regions are falling behind the U.S. in PCI compliance. "The reports are that there is actually a drop-off in compromises in North America, but that's being offset by growth in Europe and Asia," Lindstrom said. The data is becoming more difficult to track because criminals are now using anti-forensics tools and other methods to better cover their tracks, he said.
With so many companies struggling to meet the PCI requirements, vendors are turning out in droves to launch PCI compliance management tools and PCI-compliant products. ArcSight, Astaro, Shavlik Technologies, and many other companies have launched PCI tools in the last few weeks, and the PCI Security Vendor Alliance has released a free tool that aids with PCI risk assessment.
Despite all these tools, however, many companies will not achieve PCI compliance in time for Sept. 30. So what will happen to them? Experts observe that many Level 1 merchants already are paying fines -- and, in some cases, paying higher processing fees -- as a result of missing previous deadlines. In other cases, the fines are being absorbed by banks or financial institutions that want to keep their best credit card merchants online.
"Some merchants have looked at it and determined that the cost of coming into compliance would be higher than the cost of the fines, so they've elected not to do anything," Lindstrom observes. "Those are the ones that likely will begin to see fines being leveled against them." In those cases, financial institutions may decide to pass the costs of the fines on to the retail merchants who aren't compliant, he says.
But such punitive actions don't help improve overall credit card security, which remains at risk despite three years of PCI deadlines.
"Merchants typically keep too much [credit card] data," the Forrester report says. Eighty-one percent retain credit card data. Seventy-three percent store expiration dates, and 71 percent store verification codes. Fifty-seven percent store magnetic card stripe data. Many companies store the data in order to help identify customers or do business analysis, but under PCI, they are not supposed to be storing any of this data for more than a few weeks.
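A check a merchant can run over its own stored records to find the kinds of card data the Forrester figures describe (full card numbers, magnetic stripe track data, verification codes). This is an added example, not code from the article, Forrester or the PCI Council; the sample rows, field names and the test card number are constructed.

```python
import re

# Track-2 magnetic stripe layout: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field names that usually hold the card verification code
CVV_FIELD_RE = re.compile(r"(cvv|cvc|verification)", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: dict) -> list:
    """Return (field, kind) pairs for every value that looks like stored card data."""
    findings = []
    for field, value in record.items():
        text = str(value)
        if TRACK2_RE.search(text):
            findings.append((field, "track2"))            # full stripe contents
            continue
        if CVV_FIELD_RE.search(field) and re.fullmatch(r"\d{3,4}", text):
            findings.append((field, "verification_code"))  # CVV/CVC stored in clear
            continue
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):                         # Luhn cuts most false hits
                findings.append((field, "pan"))
                break
    return findings


# Constructed sample rows, modelled on what a merchant's order table might hold.
# 4111 1111 1111 1111 is a widely used Luhn-valid test number, not a real card.
SAMPLE_ROWS = [
    {"order_id": 1001, "card": "4111-1111-1111-1111", "exp": "0912", "cvv": "123"},
    {"order_id": 1002, "swipe": ";4111111111111111=09121011234567890?", "cvv": ""},
    {"order_id": 1003, "note": "customer called about invoice 1234567890123", "cvv": ""},
]


def scan_rows(rows):
    """Map each order_id to the card-data findings in that row."""
    return {row["order_id"]: scan_record(row) for row in rows}
```

Row 1003 shows why the Luhn check matters: a 13-digit invoice number is not flagged as a card number.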
If retailers don't toe the PCI line more carefully in the future, however, the law may step in, experts say. The state of Minnesota already has passed legislation outlawing the storage of credit card data. (See Cyber Law Cuts Two Ways.)