The PCI DSS is not a knee-jerk reaction to an increase in security breaches but a studied approach to data security taken by each of the card companies. Before 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International each had a proprietary set of information security requirements, which were often burdensome and repetitive for participants in multiple brand networks. Seeing the need for greater cohesion and standardization, these associations created a uniform set of information security requirements that became known as the PCI Data Security Standard (PCI DSS), governing all the payment channels: retail, mail orders, telephone orders and e-commerce.
Deadlines looming
For more than two years, credit card companies have been encouraging retailers to comply with the strict set of 12 requirements aimed at securing the cardholder data that they process or store. Unfortunately, with two deadlines looming – 30 September and 31 December 2007 for Level 1 and Level 2 US merchants – it seems that many companies will not be ready in time. Even with a last-minute push, it is highly improbable that retailers – large or small – have the time or the resources to become compliant in such a short time frame. Most companies, especially in the SMB market, want to become compliant, but they are still struggling to introduce basic security practices, let alone implement all the systems needed to become compliant. The most recent compliance statistics from Visa for the month of July indicate an improvement, but they are far off the targets that Visa and the other card companies hoped for.
According to figures for July, 40% of Level 1 retailers were compliant, up from the 35% compliance rate in May 2007. With the somewhat smaller Level 2 retailers, the July figures showed a 33% compliance rate – up from 26% in May – and the smaller Level 3 retailers showed 52% compliance, just slightly up from the 51% that Visa reported for that group in the same month. Visa did not release figures for Level 4 retailers; however, it said compliance remained low.
Such a low compliance rate – after more than two years of preaching by the credit card companies – is possibly due to three reasons. First, some companies have taken a very laid-back approach to the issue, realizing only recently that the credit card companies mean business. Now, they are rushing to comply by the deadline, suddenly aware that they have a massive task ahead of them. Second, many small and medium-sized companies do not have the resources or the finances to invest in more personnel or a technology solution to meet the PCI requirements. Third, some retailers have complained that the standard does not distinguish between retailers on the basis of their size.






