Regulatory Flexibility Can Mean Headaches

The biggest PCI issue is the question of "compensating controls." The original rationale for compensating controls is that retailers have very different environments and that some requirements may not make sense for some companies. Therefore, the theory goes, PCI will permit a retailer to use some alternative method if the retailer can prove that it's as secure as the one the PCI spec dictates. Protegrity's Rapkin said he sees compensating controls today being used as a way for some retailers to get out of abiding by the rules because it's too expensive or too difficult. "It's a Get Out of Jail Free card. Compensating controls today are at the whim of the successor," he said.

Another argument for compensating controls is that they are a viable compromise. An analogy would be to the U.S. "food pyramid." Nutritionists working on the latest government pyramid wanted to push beef products into the same category as candy, and to move whole grain products into their own category, away from white bread and white rice. But the government argued that such an extreme pyramid would likely be ignored by many Americans, supporting the position that a compromised but adhered-to pyramid would improve diets better than an ideal but ignored one. (OK, so cattle lobbyists also played a role, but let's not go there. It ruins the analogy.) Similarly, the rationale behind compensating controls is that a strict adherence to the rules would cause a lot of retailers to stop trying. So, in theory, a compromised but realistic security plan would make systems safer than an ideal plan that wasn't often followed.

The inconsistency involved wreaks havoc on the plans of retailers. One CIO said his PCI auditor just resigned and they are begging the audit firm to force the new auditor to stick with the decisions made by the old auditor, rather than force the retailer to start over.
One requirement that was mentioned by two CIOs, and that is not explicitly referred to in the rules, is for closed-circuit video cameras to be installed for every point-of-sale terminal in the chain. The intent is to make it more difficult for intruders to install devices on the POS readers to steal credit card data. The only reference in PCI is a vague requirement in 9.1.1 to "use cameras to monitor sensitive areas." The CIO of one chain calculated that such a move alone would "vaporize north of $10 million, $15 million easily. And then there's an ongoing $2 million to $3 million a year to maintain it. That's $2 million to $3 million for life and it's only going to go up. And then there's inflation. What about storing the images? You have to have someone to monitor those. No one could possibly afford that. This is ridiculous. We can't do business like that. Then [auditors] ask, 'Do you want to take credit cards or not?' Absolutely asinine." What was behind that demand? A concern about a POS system encryption procedure. "As soon as a credit card is swiped, we immediately encrypt it. But there's a fleeting moment, a micronanosecond, between when the swipe has occurred and when it's encrypted, between the POS and the magnetic swipe reader." The alternative to the cameras was a higher-end POS system that the auditor's firm happened to sell.

Another common criticism of the PCI program is that it leads to retailer confusion. Mostly, that confusion involves whether or not the retailer is compliant. There are several reasons for this confusion. Some larger chains have separate compliance efforts for different groups, so the CIO for one chain may not be certain which parts of his chain are compliant. But a more common issue is timing. Let's say that a retailer eventually gets a compliance letter on Oct. 1, declaring his chain PCI-compliant. That letter doesn't say the chain is PCI-compliant for one year, as a driver's license might.
Indeed, it doesn't even technically say the chain was compliant as of Oct. 1, but more likely means that the chain was compliant as of the date of the last completed full audit, which was likely several months earlier. The retailer's CIO is then asked, "Are you PCI-compliant?" He or she knows that some auditors looking at systems now have different expectations than at the time of the audit, and he or she also knows that some systems have changed. Several CIOs interviewed for this piece were honestly not sure whether or not they were truly compliant, which is frustrating. "We are deep into quite a number of different initiatives in order to become compliant right now," said one Fortune 500 retail CIO. "But it's a changing landscape, a changing process. No matter what happens, we're going to be doing a lot of positioning and then negotiating back and forth with the auditor or whoever will ultimately be certifying it." Walker, from Dick's Sporting Goods, added that one problem with PCI historically has been "finger-pointing. Visa did not want to take responsibility to tell the merchant that they're compliant and the acquiring banks did not want to take the responsibility to do it," Walker said. "You don't want vague assurances of compliance or likely compliance. I want the letter for the wall. A letter from somebody saying I'm compliant or not compliant."

One CIO described how his chain suffered under the whims of different auditors. This chain had an audit in October 2005 and was given a compliance confirmation in February 2006. "Then the rules started changing." For example, the PCI rules required an incident response plan. "The first year, just having a plan in writing was sufficient. The second year, the plan was scrutinized for content and we were told much more content was required," the CIO said. "For example, they wanted phone numbers for contacts such as the banks and law enforcement agencies.
The criteria of how you get graded kind of shifted and things changed from auditor to auditor even in the same company, and certainly from auditing company to auditing company." The same CIO cited another example: encryption. The chain segmented sensitive transaction data using strict network controls. "In 2005, this was accepted. In 2006, it was not. We are now implementing encryption. Despite an official PCI position that compensating controls are permitted, it seems as though our auditors now will no longer accept any compensating controls for encryption." Another issue that chain experienced involved something called an ROC (Report on Compliance), which is a form filled out by a retailer that is trying to get a compliance certification. "In 2005, if you were far enough along in a requirement and had a reasonable plan acceptable to the bank, you were considered compliant. They were then going to monitor your progress to the plan. Now you would be considered not in compliance if the plan is not completed." The retailer also had problems with Web logging, where one auditor found logs acceptable and the next auditor insisted on much more extensive (monthly, weekly and daily) logs.

Some retailers that are not Tier 1 merchants are filing self-audits, where the retailers' own personnel fill out the forms. Walker, of Dick's Sporting Goods, said she has a real problem with PCI self-audits. "I wouldn't ever be comfortable with a self-audit at Dick's. All companies in all tiers should have an external audit performed," Walker said. "Smaller companies don't even have the in-house expertise to do a self-audit."

This is not to say that PCI hasn't indeed improved retail security. There are very few in retail who doubt that it has. One CIO for a large retail chain said the requirements of PCI helped him purchase pieces of equipment, such as high-end routers, that also helped modernize non-security-related operations.
"To give Visa some credit, they did shake things up and it's definitely improved retail security," the IT exec said. "I can't imagine what would have happened had I asked for $4 million dollars for security two years ago without the hammer of compliance. They would have looked at me like I had two heads."

Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com. Check out eWEEK.com's for the latest news, views and analysis on technology's impact on retail.
Rapkin admitted that his dislike for compensating controls is because they are often used to avoid encryption, which his company sells.