Vague guidelines and conflicting audit firm interpretations—coupled with retailers that fall into multiple PCI categories—are making for some unhappy retailers.
The rules for the Payment Card Industry Data Security Standard are designed to keep credit card payments secure as retailers transmit cardholder data.
The Retail Industry Leaders Association, or RILA, held a retail meeting in March and is preparing for another in September, all on the topic of PCI deployment problems.
"When the credit card industry specified requirements for retailers, the retail industry seemed to lose momentum on its own data assurance work," said an invitation to attend the meeting of what RILA is calling the PCI Project. "Some PCI requirements are vague. Some are unattainable. Retail companies that participated in the March 16 meeting cited numerous examples of low-result PCI requirements, one-size-fits-all rules that dont work for various kinds of retail formats," and they also reported "potentially crippling costs."
Cathy Hotka, a RILA senior vice president, said there is universal retail industry support for the goals and objectives of PCI and its efforts at making payment systems more secure. The problem, she said, are the rules rigidity or, more accurately, the rigid way they are often being interpreted.
"What does it mean to implement PCI in the real world? Some of the requirements that came out of the original PCI rules were kind of One Size Fits All, which was difficult for some of the retailers to get around," Hotka said. "There has been some difficulty in making the rules work and getting common answers from the audit firms that provide advice to retailers."
Hotkas favorite examples are rules that impose unrealistic hardships on smaller retailers and that dont appreciate the practical staffing flexibility that retailers need.
"Take, for example, a very small store where certain kinds of information is being kept in the register during the day. In theory, under PCI rules, all customers have to be escorted into the store with an escort wearing a badge because the store is of a certain size and thats the way the rule is written. Thats the kind of thing were addressing," she said.
Hotka was discussing PCI during an audiocast at a retail technology blog called StorefrontBacktalk. The PCI discussion also cited a staffing PCI frustration from a larger company: "A great big hotel chain expressed some frustration with one of the rules that said that it was not possible for people to serve more than one operation. A resort might have a spa and a golf course and five restaurants and a pool. Various people from the larger site could not go elsewhere. Somebody from the spa could not be a substitute at the pool because that would be against regulations."
Security consultant—and former federal prosecutor—Mark Rasch was also on the audiocast panel that discussed PCI. Rasch said the problem is less one of how the PCI guidelines are phrased and more a matter of how they are being interpreted, particularly by audit firms the retailers are hiring to prove compliance.
"The guidelines are written fairly broadly and you sit there and say, How do we apply them? One audit firm will tell you, No, you cant do this. Its prohibited by the guidelines and another audit firm will say, This is perfectly fine," he said. "Never let regulatory compliance be the enemy of doing the right thing. You need to do the right and appropriate thing."
Rasch said that the PCI rules are running into several deployment challenges, but that similar hurdles have confronted just about major security guideline effort.
"This happens in every area of security, whether its HIPAA [Health Insurance Portability and Accountability Act], Sarbanes-Oxley or the PCI standards. What makes PCI much more difficult is that many companies dont even know where they fit in the chain of PCI. They dont know if they are issuers, if theyre processors, if theyre merchants," Rasch said, adding that many retailers today fall into multiple categories, making strict compliance much more difficult.
The retailer "may serve several different functions within that chain. In terms of aggregating the volume of transactions that they do, they may be a very large issuer and a very small processor. That happens as companies start going into new business areas."
He cited as an example the $9 billion 26,000-restaurant Subway chain, which is deploying a POS/loyalty/CRM (customer relationship management) card.
"A good example is Subway. Subway is thought to be a merchant. You go in and you buy a sub and you give your credit card and thats it. But, with their stored value cards, theyve become an issuer as well, so theyve been taken from one regulatory scheme to another regulatory scheme within the PCI standards," Rasch said. "New business opportunities and new ventures take you into new areas of PCI and you need to be aware of them."