But behind PCI is an alarming patchwork of contradictory enforcement, auditors selling the same services they're critiquing and frustrated retailers who say they can't jump through infinite hoops forever.
PCI was designed to formalize what retailers considered to be the best security practices and procedures and to provide a precise, consistent way to get merchants to comply. In practice, however, it has slightly improved security while sharply increasing retailer frustration.
In general, the sensitive nature of security procedures makes most IT executives hesitant to publicly discuss their operations and plans. But the reluctance of many such executives to talk openly about PCI has more to do with industry politics and the fact that these merchants are constantly negotiating with the very companies that decide whether or not they will be deemed PCI-compliant.
For this column, several IT executives, auditors and others have agreed to speak without attribution, or occasionally on the record, about the state of PCI enforcement today. In instances where accusations have been made, they have been confirmed by at least three independent sources.
It's been said many times that being PCI-compliant can be quite far removed from being secure. But the hoops that retailers have to jump through to gain that compliance have very little to do with security and very much to do with business purchases and relationships with the overseers.
PCI is officially managed by a group of retailers, banks and credit card associations, but in practical terms, it's strongly managed by one company: Visa.
"Visa is definitely leading the charge," said David King, CIO of Regal Entertainment Group's Regal Cinemas, the nation's largest theater chain with 529 theaters and $2.6 billion in annual revenue, headquartered in Knoxville, Tenn. "It's Visa calling people. It's Visa people setting regulations, dictating enforcement."
Said the CIO of another multibillion-dollar retailer, "PCI is nothing but a shell company for Visa."
Below Visa is an army of auditors. But unlike the way publicly held companies must deal with accountants for financial audits in the era of Sarbanes-Oxley, the auditors here work for private companies that invariably sell security software and hardware.
In other words, the auditors who will decide, with remarkable discretion, whether or not a retailer is given the green light for compliance are also selling to that retailer services and products that they can decide will make them compliant. Consider an auditor saying, "Based on what I see here, I can't support your accreditation effort, but if you buy this list of $9 million of our products and services, that would almost certainly change my mind."
One PCI consultant who asked that his name not be used said it's a very straightforward business deal. "Assessments are low-profit activities and rather repetitive. For an assessor to make a higher margin, they need to do other things. Since there is no requirement that prevents this, the assessors are going to use the knowledge gained from learning about the problems to solve the problems," the consultant said. "I don't have any evidence that assessors are deliberately manipulating findings to favor the products or services they resell, but the temptation is pretty great. Without clearer rules, it's logical that some companies will cross the line."
"Some assessors are also selling products for compliance purposes," the PCI consultant said. "Providing assessment isn't nearly as high margin as providing compliance."
Regal's King said he's seen this before. "This used to be the climate that we all lived with before Enron. [Accounting firms] not only did the audits, they also did taxes and evaluated risks. One division created revenue for another division," King said. "The whole PCI compliance industry is like it used to be before all of that occurred."
Linda Walker is the vice president of IT Infrastructure and Security for Dick's Sporting Goods, a chain of more than 300 stores and about $3.1 billion in annual revenue, headquartered in Pittsburgh. Walker said she is also taken aback by how far PCI regulation has gone astray today.
"It amazes me that these auditors are even allowed to sell remediation services," Walker said. "If Visa wants to do the audit, then Visa ought to do the audit."
Gordon Rapkin, CEO of security services firm Protegrity, based in Stamford, Conn., agreed that there are striking parallels to what the financial accounting world looked like 10 years ago.
"Didn't we learn anything from Enron? Here we have a bunch of assessors who have a catalogue of products to sell," Rapkin said. "You've got an assessor whose job is to tell you what's broken. This conflict of interest is the real issue. It's the big one. [The auditor could say] I can fix this and it will pass. This is just a total conflict. We need assessors who will assess."
Rapkin described a mid-May meeting he had in Europe with a group of representatives from Visa, MasterCard and American Express, plus a few others. When he complained about the conflict of interest, he said, their reaction was, "Yeah, that's true. That's right." And one said, "We have lots and lots and lots of merchants that need to be assessed and not a lot of people who know how to do it or are willing to do it" for the low fees that pure assessment can generate.
Rapkin said the credit card executive then said, "I know that it doesn't sound right, but it gets us what we need" if auditors are allowed to also sell their security products. "It was quite Machiavellian. The end will justify the means."
That conflict of interest wouldn't be as much of a concern were these auditors not given such broad latitude in interpreting the PCI requirements.
The PCI auditing procedure enforcement guide is some 50 pages long and is full of very specific rules that could be interpreted in very different ways, said David Taylor, an auditor who is president of the PCI Security Vendor Alliance, based in Fremont, Calif. "I could pick 10 items and could tell you two or three different ways you can legitimately interpret the testing details."
However, Taylor said the fact that many rules are subject to varying interpretation is not what he finds so troubling: It's the attitude many auditors have that the rules are explicit, when they are often anything but. "There's going to be some variation in interpretation. That I consider inevitable. What is surprising is how adamant people are about their interpretation of things," he said.
Consider PCI requirement 2.2.4: "Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and unnecessary Web servers." Taylor pointed out, "When it says all, that's an absolute thing. But a few words later, think about the very concept of unnecessary. Who determines what is necessary? That's a value judgment. Even though the word all is an absolute, the word necessary forces a judgment."
Or consider requirement 3.6: "Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data." Again, that sounds explicit and specific, but what precisely constitutes full documentation? "Guidance could be a couple of lines or 20 pages," Taylor said.