Many Retailers Will Not Make PCI Compliance Deadline

Problems with applications, access management leave credit card processors facing fines -- and vulnerabilities

With the compliance deadline just four days away, many retail merchants are still trying to climb over high hurdles in the Payment Card Industry (PCI) security requirements -- and figuring out what will happen if they can't make it in time.

The PCI Data Security Standard (PCI DSS), a set of security requirements for retailers and other businesses that process credit cards, is mandated by the major credit card companies, including Visa and MasterCard. If companies don't comply, they may be subject to fines, or they may even have their ability to process credit cards revoked.

Despite the threats of fines and penalties, however, it looks as though many retailers are about to miss yet another PCI compliance deadline. Experts estimate that more than a third of Level 1 merchants -- the largest retailers -- will fall short. Smaller retailers generally are even further away.

"Sixty percent of the respondents in the U.S. and the U.K. will plan to be fully compliant in the next year, while 51 percent of companies in Germany and 40 percent of companies in Spain and France are planning to take more than one year to comply with PCI," says Forrester Research in an RSA-sponsored study of the largest merchants published earlier this week. "Twenty-two percent of the global respondents plan to take at least two years or more before becoming fully PCI compliant."

In a separate study of 60 recent PCI audits at 50 major companies, security vendor VeriSign found that some 53 percent of organizations failed at least one of PCI's 230 requirements. That's an improvement over last year's study, in which 73 percent of companies failed the audit, VeriSign says.

If they don't make it by Sept. 30, it will be the third time the stragglers will have missed a PCI compliance deadline. The credit card companies had originally mandated compliance by June 2005. The deadline was stretched to 2006, and then the deadline for the revised PCI 1.1 was extended to Sept. 30 of this year. (See Retailers Lag on Security Standard.)

So what's taking so long? Experts differ on which is the largest obstacle, but three elements consistently come up in all of the conversations: access management, application security, and encryption.

More than a quarter of companies are still struggling with the process of classifying credit card data and finding a secure place to store it, which means they still have a lot of work to do on access control, Forrester observes. Another 25 percent said developing effective policies and procedures for access control is their biggest sticking point. Twenty percent said implementing proper access control technologies is a chief hurdle.

But application security was one of the chief topics discussed last week at a meeting of the PCI Security Standards Council, which attracted more than 300 IT and compliance officers at major companies to Toronto.

"One of the biggest questions was whether companies should do detailed code review or put in an application firewall," said Joe Lindstrom, senior director of compliance consulting at Symantec, who was a panelist at the meeting. "The standard says you must do either one, but it doesn't require you to do both, so a lot of companies are struggling with what to do there."

Computer forensics experts at the Council meeting testified that as many as 60 percent of the breaches they have investigated in PCI environments can be traced to flaws in five or six retail applications, Lindstrom reported. "They didn't want to give out the names of those apps, but they are mostly payment processing applications that are specific to the retail environment."

Encryption, cited often last year, also continues to be among the most difficult technical obstacles to PCI. Twenty-seven percent of respondents to the Forrester survey said data encryption is the most challenging area of PCI compliance -- approximately the same number of respondents that cited identity and access management. A key element here is the wireless environment, where WEP continues to be the dominant technology despite its proven hackability, experts observe.

But while many large U.S. merchants and payment processors struggle with these technical issues, credit card companies are likely more worried about smaller retailers and non-U.S. regions that are not nearly as far along as their Level 1 counterparts. For many of these companies, the problem is not technology, but resources.

"The forensics people we heard from said that more than 80 percent of the [credit card] compromises they see are coming from merchants who are at Level 4 -- the smallest retailers," said Lindstrom. "This is where the least [PCI compliance] work has been done."

The forensics experts also confirmed the RSA study's suggestion that other regions are falling behind the U.S. in PCI compliance. "The reports are that there is actually a dropoff in compromises in North America, but that's being offset by growth in Europe and Asia," Lindstrom said. The data is becoming more difficult to track because criminals are now using anti-forensics tools and other methods to better cover their tracks, he said.

With so many companies struggling to meet the PCI requirements, vendors are turning out in droves to launch PCI compliance management tools and PCI-compliant products. ArcSight, Astaro, Shavlik Technologies, and many other companies have launched PCI tools in the last few weeks, and the PCI Security Vendor Alliance has released a free tool that aids with PCI risk assessment.

Despite all these tools, however, many companies will not achieve PCI compliance in time for Sept. 30. So what will happen to them? Experts observe that many Level 1 merchants already are paying fines -- and, in some cases, paying higher processing fees -- as a result of missing previous deadlines. In other cases, the fines are being absorbed by banks or financial institutions who want to keep their best credit card merchants online.

"Some merchants have looked at it and determined that the cost of coming into compliance would be higher than the cost of the fines, so they've elected not to do anything," Lindstrom observes. "Those are the ones that likely will begin to see fines being leveled against them." In those cases, financial institutions may decide to pass the costs of the fines on to the retail merchants who aren't compliant, he says.

But such punitive actions don't help improve overall credit card security, which remains at risk despite three years of PCI deadlines.

"Merchants typically keep too much [credit card] data," the Forrester report says. Eighty-one percent retain credit card data. Seventy-three percent store expiration dates, and 71 percent store verification codes. Fifty-seven percent store magnetic card stripe data. Many companies store the data in order to help identify customers or do business analysis, but under PCI, they are not supposed to be storing any of this data for more than a few weeks.
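As an added illustration (not from the article or the Forrester report), the following audit routine scans stored transaction records for the card data elements listed above: full card numbers, expiration dates, verification codes and magnetic stripe track data. The field names and sample records are constructed for this example.

```python
import re
from typing import Dict, List

# Field names under which merchants commonly keep the verification code or
# expiry date; these names are assumptions for the example.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cid", "verification_code"}
EXPIRY_FIELDS = {"expiry", "exp_date", "expiration"}

# Magnetic stripe layouts: Track 1 is %B<PAN>^<NAME>^<YYMM>..., Track 2 is ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Candidate primary account numbers: 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to filter digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit_record(record: Dict[str, str]) -> List[str]:
    """Return the card data elements a stored record still contains, sorted."""
    findings = set()
    for key, value in record.items():
        text = str(value)
        if key.lower() in CVV_FIELDS and text.strip():
            findings.add("verification code")
        if key.lower() in EXPIRY_FIELDS and text.strip():
            findings.add("expiration date")
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            findings.add("magnetic stripe track data")
        if any(luhn_ok(m) for m in PAN_RE.findall(text)):
            findings.add("full card number")
    return sorted(findings)


# Constructed sample records; the card number is a widely published Luhn-valid test value.
SAMPLE_RECORDS = [
    {"order_id": "A100", "pan": "4111111111111111", "expiry": "1209", "cvv2": "123"},
    {"order_id": "A101", "raw": "%B4111111111111111^DOE/JOHN^12091010000000000?"},
    {"order_id": "A102", "pan_last4": "1111", "expiry": ""},
]


def audit(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each order id to the card data elements found in its stored record."""
    return {r["order_id"]: audit_record(r) for r in records}
```

Record A102 keeps only the last four digits and comes back clean; the other two show the kind of retention the report describes.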

If retailers don't toe the PCI line more carefully in the future, however, the law may step in, experts say. The state of Minnesota already has passed legislation outlawing the storage of credit card data. (See Cyber Law Cuts Two Ways.)


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
