Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Many Retailers Will Not Make PCI Compliance Deadline

Problems with applications, access management leave credit card processors facing fines - and vulnerabilities

With the compliance deadline just four days away, many retail merchants are still trying to climb over high hurdles in the Payment Card Industry (PCI) security requirements -- and figuring out what will happen if they can't make it in time.

The PCI Data Security Standard (PCI DSS), a set of security requirements for retailers and other businesses that process credit cards, is mandated by the major credit card companies, including Visa and MasterCard. If companies don't comply, they may be subject to fines, or they may even have their ability to process credit cards revoked.

Despite the threats of fines and penalties, however, it looks as though many retailers are about to miss yet another PCI compliance deadline. Experts estimate that more than a third of Level 1 merchants -- the largest retailers -- will fall short. Smaller retailers generally are even further away.

"Sixty percent of the respondents in the U.S. and the U.K. will plan to be fully compliant in the next year, while 51 percent of companies in Germany and 40 percent of companies in Spain and France are planning to take more than one year to comply with PCI," says Forrester Research in an RSA-sponsored study of the largest merchants published earlier this week. "Twenty-two percent of the global respondents plan to take at least two years or more before becoming fully PCI compliant."

In a separate study of 60 recent PCI audits at 50 major companies, security vendor VeriSign found that some 53 percent of organizations failed at least one of PCI's 230 requirements. That's an improvement over last year's study, in which 73 percent of companies failed the audit, VeriSign says.

If they don't make it by Sept. 30, it will be the third time the stragglers will have missed a PCI compliance deadline. The credit card companies had originally mandated compliance by June 2005. The deadline was stretched to 2006, and then the deadline for the revised PCI 1.1 was extended to Sept. 30 of this year. (See Retailers Lag on Security Standard.)

So what's taking so long? Experts differ on which is the largest obstacle, but three elements consistently come up in all of the conversations: access management, application security, and encryption.

More than a quarter of companies are still struggling with the process of classifying credit card data and finding a secure place to store it, which means they still have a lot of work to do on access control, Forrester observes. Another 25 percent said developing effective policies and procedures for access control is their biggest sticking point. Twenty percent said implementing proper access control technologies is a chief hurdle.

But application security was one of the chief topics discussed last week at a meeting of the PCI Security Standards Council, which attracted more than 300 IT and compliance officers at major companies to Toronto.

"One of the biggest questions was whether companies should do detailed code review or put in an application firewall," said Joe Lindstrom, senior director of compliance consulting at Symantec, who was a panelist at the meeting. "The standard says you must do either one, but it doesn't require you to do both, so a lot of companies are struggling with what to do there."

Computer forensics experts at the Council meeting testified that as many as 60 percent of the breaches they have investigated in PCI environments can be traced to flaws in five or six retail applications, Lindstrom reported. "They didn't want to give out the names of those apps, but they are mostly payment processing applications that are specific to the retail environment."

Encryption, cited often last year, also continues to be among the most difficult technical obstacles to PCI. Twenty-seven percent of respondents to the Forrester survey said data encryption is the most challenging area of PCI compliance -- approximately the same number of respondents that cited identity and access management. A key element here is the wireless environment, where WEP continues to be the dominant technology despite its proven hackability, experts observe.

But while many large U.S. merchants and payment processors struggle with these technical issues, credit card companies are likely more worried about smaller retailers and non-U.S. regions that are not nearly as far along as their Level 1 counterparts. For many of these companies, the problem is not technology, but resources.

"The forensics people we heard from said that more than 80 percent of the [credit card] compromises they see are coming from merchants who are at Level 4 -- the smallest retailers," said Lindstrom. "This is where the least [PCI compliance] work has been done."

The forensics experts also confirmed the RSA study's suggestion that other regions are falling behind the U.S. in PCI compliance. "The reports are that there is actually a dropoff in compromises in North America, but that's being offset by growth in Europe and Asia," Lindstrom said. The data is becoming more difficult to track because criminals are now using anti-forensics tools and other methods to better cover their tracks, he said.

With so many companies struggling to meet the PCI requirements, vendors are turning out in droves to launch PCI compliance management tools and PCI-compliant products. ArcSight, Astaro, Shavlik Technologies, and many other companies have launched PCI tools in the last few weeks, and the PCI Security Vendor Alliance has released a free tool that aids with PCI risk assessment.

Despite all these tools, however, many companies will not achieve PCI compliance in time for Sept. 30. So what will happen to them? Experts observe that many Level 1 merchants already are paying fines -- and, in some cases, paying higher processing fees -- as a result of missing previous deadlines. In other cases, the fines are being absorbed by banks or financial institutions who want to keep their best credit card merchants online.

"Some merchants have looked at it and determined that the cost of coming into compliance would be higher than the cost of the fines, so they've elected not to do anything," Lindstrom observes. "Those are the ones that likely will begin to see fines being leveled against them." In those cases, financial institutions may decide to pass the costs of the fines on to the retail merchants who aren't compliant, he says.

But such punitive actions don't help improve overall credit card security, which remains at risk despite three years of PCI deadlines.

"Merchants typically keep too much [credit card] data," the Forrester report says. Eighty-one percent retain credit card data. Seventy-three percent store expiration dates, and 71 percent store verification codes. Fifty-seven percent store magnetic card stripe data. Many companies store the data in order to help identify customers or do business analysis, but under PCI, they are not supposed to be storing any of this data for more than a few weeks.

If retailers don't toe the PCI line more carefully in the future, however, the law may step in, experts say. The state of Minnesota already has passed legislation outlawing the storage of credit card data. (See Cyber Law Cuts Two Ways.)

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • ArcSight Inc.
  • Astaro Corp.
  • RSA Security Inc. (Nasdaq: EMC)
  • Shavlik Technologies
  • Symantec Corp. (Nasdaq: SYMC)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 11/19/2020
    New Proposed DNS Security Features Released
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
    How to Identify Cobalt Strike on Your Network
    Zohar Buber, Security Analyst,  11/18/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: A GONG is as good as a cyber attack.
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-20925
    PUBLISHED: 2020-11-24
    An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions...
    CVE-2020-5641
    PUBLISHED: 2020-11-24
    Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
    CVE-2020-5674
    PUBLISHED: 2020-11-24
    Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
    CVE-2020-29002
    PUBLISHED: 2020-11-24
    includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
    CVE-2020-29003
    PUBLISHED: 2020-11-24
    The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.