
The PCI Noose is Tightening

November 6, 2006
By Sonny Discini

If you accept credit cards and haven’t heard of PCI/CISP by now, you had better listen up.

PCI/CISP has been a requirement since 2001, and yet we’ve found ways to “back-burner” compliance. We’ve distracted ourselves with a million other operational tasks and pressed for budgets to fuel those initiatives. Meanwhile, the criminals of the world were stealing at a record rate, forcing the security sector to change almost overnight. All kinds of privacy issues surfaced through mainstream media, corporate blunders, and whistleblowers. Before long, privacy and data protection were top issues for politicians and CEOs alike.

That said, our mindset has to change if we want to remain in business. There are now consequences for organizations that merely discuss privacy and data protection yet fail to change their culture and implement the organizational changes needed to address the issue.

What are they up to now?

Just last month, MasterCard imposed fines on merchants that haven't met its requirements to keep transactions secure. Visa also took aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month. These fines are not yet levied against merchants directly; rather, they fall on those who process transactions on behalf of merchants.

This news is especially difficult for small merchants who can’t afford the security upgrades required to meet compliance.

Admittedly, it’s a challenge to motivate smaller organizations to invest in anything that doesn’t generate revenue. For now, small merchants are safe because the credit card payment industry is working its way down from its largest to its smallest customers, broken down into Levels 1 through 4, with Level 1 being the largest.

However, taking a lax attitude because they are not beating down your door today is one way to tempt fate. Use the time to put together a plan to meet compliance, because one thing is for sure: PCI/CISP is not going away, and they will be knocking at your door sooner or later.

If there is one ray of light, it’s the fact that they are currently fining only those who are not cooperative, not necessarily those who are not compliant. One credit card company stated that fines won’t begin until March of 2007, but it reserves the right to drop the hammer now under certain conditions. This generosity is certain to be short-lived, so don’t wait. Begin moving toward compliance right now.

In addition to the fines levied by the card companies, credit card processing companies are now required to ask whether you’re PCI compliant when signing a new processing contract. They will have a number of questions, the most important of which is, “Are you PCI compliant?” If the answer is no, then they cannot enter into a contract with you.

What isn’t clear at this point is what processing companies will do when renewing a contract with an existing customer who is not compliant. Smart money says that while they want your business, they certainly don’t want the risk of engaging in a contract with a non-compliant organization. Can you afford to lose your ability to process credit card sales?

To make matters worse, changes in PCI DSS will shift companies into different levels, most of which will be rated higher than they are currently. Most notably, the expanded qualifications will bump more companies up to the second-highest tier by defining Level 2 as those who process 1 million to 6 million transactions annually, regardless of channel. Visa had previously defined Level 2 as 150,000 to 6 million ecommerce transactions each year.

This sounds like a lot of work for those who are imposing PCI/CISP. Who is policing this?

A standards body called PCI Co. will be the compliance arm that will manage and maintain the Payment Card Industry Data Security Standard (PCI DSS). This new body will certainly add teeth, motivating companies to meet compliance. PCI Corporation will perform these tasks for all payment card companies that are members of PCI.

What should you do?

Before you do anything, be sure that you clearly understand what the requirement means. Encourage your security engineers and architects to put their questions directly to the card companies before you develop a strategy to move your organization into compliance. It’s also important to understand that compliance will require skill sets that exist outside the world of security, so be sure that you identify those with institutional knowledge as well as those who hold the technical knowledge and abilities.

Look out for the fine print.

The PCI standard calls for very specific activities, some of which people may believe they are already performing. But do those activities qualify under the standard? One good example of a fine-print “gotcha” is that a group certified by PCI must perform your vulnerability assessments. This means that your own in-house scans are worthless for demonstrating compliance.

Needless to say, this adds costs to your bottom line. It’s in your best interest to read the information posted on the PCI security site, which helps you understand the logistics of compliance so that you can prepare your budget requests.

For more, please see: https://www.pcisecuritystandards.org/certification/

As a final note, the other thing you should do while migrating toward compliance is engage in some self-preservation. Many things can happen to CSOs should they fail to meet compliance, some of which carry criminal charges. It is a good idea to consult the legal department and review your official job responsibilities to determine your personal and professional legal liabilities should your organization fail to meet compliance and fines be levied.

In that case, you can be sure that a rope will be hung around someone’s neck. It would be wise to take steps to ensure that it’s not yours.

This article was first published on EnterpriseITPlanet.com.