Variations of the Payment Card Data Security Standard have been in place for several years, but many retailers still feel they don’t understand what exactly is required of them to comply with it, writes Alison Clements

Most British retailers acknowledge the importance of improving the security of card holder information across their transactional systems and data centres. Every IT director in the sector will be aware that there are penalties for non-compliance with the Payment Card Industry Data Security Standard (PCIDSS), the worldwide standard for information security.

However, the British Retail Consortium (BRC), the trade association for the UK retail industry, has received many complaints from retailers about the lack of clarity surrounding the standard and enquiries about what exactly they need to do to comply.

So what is happening? And how can retailers ensure they become compliant without wasting money unnecessarily on technology or consultation?

“Nobody knows what full compliance will actually look like,” says Alisdair Gray, director of the BRC’s Brussels office. “Our members say there is no clarity. The goalposts keep moving, and this high level of uncertainty around what exactly they should be investing in is holding people back from fully complying with it.”

Before a supermarket or fashion group gives the go-ahead for a multimillion pound compliance project, the executive board needs to be crystal clear about what work should be carried out, he emphasises.

“In some cases, the Qualified Security Assessors (QSAs) who advise retailers on these projects recommend a six-month project. And when that’s complete, they discover they didn’t need to do most of it after all,” says Gray.

PCIDSS compliance certainly is far from straightforward for retailers both here in the UK and abroad. Each card scheme has its own set of timelines for compliance and penalties.

And there is confusion about the scope of where data lies across a retail organisation. Knowing whether or not systems suppliers are compliant further complicates matters and there is a lack of clarity about what might happen when the retailer is compliant but the supplier is not. In addition to this, remaining compliant over the long term also presents a challenge, since compliance must still be in place whenever a system’s architecture is updated or new processes are added.

Continuous compliance

Tripwire’s Robert Warmack: “Simple systems changes after an audit jeopardise PCIDSS compliance”

“What many large retailers are finding is that gaining compliance certification isn’t just a one-off,” says Robert Warmack, senior director of international marketing for Tripwire, a provider of IT security and compliance automation solutions.

“The standards are all about continuous compliance; so retailers need to see this as a constant state of awareness, not something that can be achieved once and then forgotten about. Simple systems changes after an audit not only jeopardise PCIDSS compliance, but also create real security vulnerabilities.”

One of the greatest challenges, he says, will be maintaining compliance between audits. “Unless you can carry out continuous monitoring and reporting, it’s a pointless exercise,” says Warmack. Despite the layers of uncertainty, retailers have no choice but to embark on compliance projects, since failure to do so could result in fines, or banks that ultimately shoulder the risk refusing to handle retailers’ payment business if they are exposed to fraud in any way.

The largest retailers are making the most headway; but small Level 3 and 4 players with fewer transactions per year are struggling to understand what is needed.

“Big brands cannot afford to take risks,” says Warmack. “The biggest threat to retailers is when breaches of security become public knowledge - as happened to TK Maxx in 2007 in the US, and to Hannaford Bros supermarkets in 2008. Damage to brand reputation is something retailers really do need to avoid at all costs.”

Robin Adams, director of security, fraud and risk management consulting services at The Logic Group, welcomes the fact that the PCI Security Standards Council has implemented a quality assurance scheme, which means QSAs are working to an explicit agenda.

“We carry out QSA work and feel it is a lot clearer now people in that role know what they should be looking for,” says Adams. “Our research shows that retailers are increasingly convinced that being more secure is a business benefit - 88% said so in our survey. Many of our retail clients may not be fully compliant yet, but what they are sensibly doing is analysis to tighten up areas of vulnerability, particularly around legacy point-of-sale systems and store environments. Data centres at head office are more likely to be secure, but store networks are more open to security breaches.”

Carrot and stick

The BRC believes many of the grey areas can be sorted out and is communicating with the card schemes, acquiring banks and the PCI Security Standards Council to do just this. One suggestion is that the PCI Security Standards Council should develop a knowledge base of valid technical solutions, which retailers could access, thus speeding up the process of compliance.

Another idea is for the banks and card schemes to consider introducing incentives - reduced merchant service charges, for example - as a carrot for retailers to meet compliance standards.

The organisation is also calling for more consistency in the way standards are applied. The feeling is that UK retailers are presently subsidising the protection of the global payments system - in places where chip and pin is not yet in place, for example.

It is not surprising that new research by Tripwire suggests only 11% of UK companies are certified as PCI compliant. Less than half of these are retailers. The research, carried out earlier this year, also found that 35% of companies did not fully understand what was required for compliance, and nearly a third did not know whether they would be compliant by the scheme’s next deadline - September 2010.

“We also think it is worrying that only 26% of organisations have a dedicated PCI project manager,” says Warmack. “PCIDSS really requires a dedicated project team, strongly led, not just to oversee the technological issues, but also to embed good security hygiene through processes and in the wider company culture.”

It looks like the majority of Level 1 and 2 merchants will be fully compliant some time in 2011. A spokesman for the PCI Security Standards Council says it sets no compliance deadlines.

“We maintain that those involved in the payment chain need to take steps to securely protect sensitive credit card data now,” he says.

Published deadlines refer to card brand-specific or bank-specific deadlines for their compliance programmes. Pressure from the acquiring banks and card schemes is building, so consultant KPMG recommends taking a prioritised approach (see table).

Cutting the cost

Technological breakthroughs could help cut the cost of compliance. Adams says there is growing interest in encryption of card numbers. Fully encrypted card data falls outside the scope of PCIDSS.

Similarly, ‘tokenisation’ replaces credit card data with a reference pointer to that data. A credit card transaction sends a reference token along the payment chain and, at the processing end, the token is verified and the transaction processed, all without having exposed any card holder data to networks along the payment chain.
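The tokenisation model described above, as an added illustration that is not code from any vendor named in this article: the vault that maps tokens back to card numbers lives only at the processing end, the retailer keeps a random token that cannot be reversed without that vault, and a scan of the retailer’s own records confirms no card number remains. The token format, the sample card number and the sample records are constructed for the example.

```python
"""Constructed tokenisation demo: processor-side vault, retailer-side tokens."""
import re
import secrets

# 13 to 19 digit runs are candidate PANs; Luhn filters out order numbers etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, so typos are rejected before tokenising."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token-to-PAN map held at the payment processor, never at the retailer."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Random, not derived from the PAN: without the vault the token
        # reveals nothing. Last four digits are kept so receipts stay readable.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"   # constructed format
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can turn a token back into a card number."""
        return self._vault[token]


def pan_leaks(records: list[str]) -> list[str]:
    """Find anything in retailer-side records that still looks like a live PAN."""
    return [m for rec in records for m in PAN_RE.findall(rec) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()                       # processor side
    tok = vault.tokenize("4111111111111111")   # well-known test card number
    till_log = [f"2010-06-01 sale 12.50 GBP card={tok} approved"]  # constructed
    print(tok, pan_leaks(till_log))            # token, then [] (no PAN stored)
```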

Retailers can opt to use hosted payment services provided by a third party, thereby passing on some responsibility for fraud protection. Rohit Anhal, consultant at multichannel solutions provider K3, explains that a managed service will be more expensive than a local solution.

“However,” he adds, “the benefit is fast-track PCI compliance, as no local card data or payment files are created in the customer environment and settlement is handled by a Level 1 payment service provider, such as Servebase or Commidea.” This reduces overheads and brings the added benefit of system performance monitoring.

Vodat International also provides a fully managed payment solution that has built-in PCI compliance for retailers looking to remove card holder data from their own systems. A number of its customers are trialling it. Vodat International chief Mike Bielinski says his company is now developing a second generation card payment solution.

“This offers more flexibility: retailers can keep their existing point-of-sale systems out of scope, as the solution’s secure connection is not connected to the till,” he says.

These solutions offer help but, for the retail community, the costs and the confusion aren’t going away soon.

“Those that have gone through the compliance process so far are realising this is just the beginning of a massive, ongoing process,” says Warmack. “This is much more than a tick-box exercise.”

Taking the Prioritised Approach

The Prioritised Approach devised by KPMG provides six security milestones that will help merchants and other organisations incrementally protect against the highest risk factors while on the road to PCIDSS compliance. This approach aims to deliver ‘quick wins’, support financial and operational planning and help organisations address their risks in priority order, rather than tackling everything at once. The steps are:

  • Remove sensitive authentication data and limit data retention
  • Protect the perimeter, internal and wireless networks
  • Secure payment card applications
  • Monitor and control access to your systems
  • Protect stored card holder data
  • Finalise remaining compliance efforts, and ensure that all controls are in place

Source: KPMG