PCI’s Required Reading

The Payment Card Industry Security Standards Council (PCI SSC) is expected to release version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS) this month. A short summary of the changes that are expected to occur was distributed by PCI SSC in August.

In an interview with Chain Store Age, Bob Russo, general manager of PCI SSC, sought to calm any concerns or misconceptions about the impact the updated version might have on merchants.

“This is really about clarifying what was unclear in version 1.1—we are not adding requirements or sub-requirements, it’s just clarification,” he stated. “We issued the short summary in August because we didn’t want anyone to feel surprised or think there was going to be a need for big process changes or a need to spend more money to be in compliance. When version 1.2 is released, there may be just a few tweaks that were not highlighted in the summary—but there will not be big changes.”

One issue addressed in version 1.2 will be further explanation of scoping, which has been an area of confusion for many retailers.

Troy Leach, technical director for PCI SSC, explained, “When we’re talking about scoping, we’re looking at where the card information flows through the merchant’s organization, from the point a credit or debit card is swiped to where it travels through the network to their gateway, service provider or bank.”

Scoping looks at when transaction data is in process, stored and transmitted, and it defines what part of the merchant’s infrastructure has access to cardholder information.

“If a merchant can reduce where the information flows, then they can reduce the scope of audits and consequently reduce the cost of overall PCI evaluation,” advised Leach.

In addition to more detailed clarification of scoping, version 1.2 will also remove the ambiguity surrounding certain dated requirements. For instance, references to perform activities on a “regular basis,” will be assigned specific time frames. A good example would be in the area of log data. Version 1.2 will specify that retailers maintain an audit trail, or log of all data in the network, for a minimum of the last three months.

Probably the most profound clarification in version 1.2 has to do with wireless networks. Although it should come as no surprise, there will be specific language defining the end of WEP (wired equivalent privacy). As of March 2009, there will be no new implementations of WEP and current implementations of WEP must be discontinued by June 30, 2010. However, there are viable alternatives available through WiFi-protected access (WPA) and WPA2.

For the most part, industry analysts applaud PCI DSS and welcome the added clarifications. John Kindervag, senior analyst at Forrester Research, Dallas, brings the added insight of having worked as a qualified security assessor (QSA) for PCI DSS compliance.

“To my dismay, I found that most organizations were not even close to being compliant,” Kindervag said. “One issue is that security is not sexy—you can sell green IT or corporate social responsibility, but companies don’t want to invest in security. That seems ironic since [a retailer’s] first responsibility as a corporate citizen is to protect consumer data.”

The two weaknesses he saw most frequently were a refusal to accept that track data could never be stored and a fear of encryption processes.

Jeff Wakefield, VP of marketing at VeriFone, Clearwater, Fla., pointed out that retailers’ concerns about encryption are often founded in the magnitude of implementing encryption across numerous disparate POS systems, which is particularly true for retailers that have experienced mergers and acquisitions.

“I recently worked with a retailer that had more than 100 different applications running—to put encryption everywhere that data is stored is a huge undertaking,” he noted.

One trend that VeriFone supports, which complements the concept of scoping, is to encrypt transaction data at the PIN-entry device and route it directly through an application server to the payments processor. By doing this, the retailer never places sensitive cardholder data into the POS system and greatly reduces the scope of the audited network.