Credit Card Rules Reflect Industry Changes

Broader PCI membership and a new understanding of payments and security challenges lead to tighter wireless controls and lighter encryption requirements.

Recent changes to credit card security requirements reflect a maturing of the payment standards, with wireless monitoring rules made more stringent while file software integrity monitoring frequency and the encryption demand have both been softened.

"This is a bow to reality," Mark Rasch, a former federal prosecutor who now specializes in retail security issues, in Bethesda, Md., told "The first version was more of a Utopian [vision] of what Visa and MasterCard thought were workable standards based on what people should do. This is a minor tweaking based upon what people are doing."

Although there are several factors influencing the changes to the PCI (Payment Card Industry) data security standard rules, the makeup of the governing body is a critical one. Last week, the PCI data security group was officially expanded beyond just Visa International Service Association and MasterCard to also include American Express, Discover Bank and Japans JCB International Credit Card Co.

David King is the CIO of the $2.7 billion Regal Entertainment Group, the nations largest movie theater chain, headquartered in Knoxville, Tenn. He applauded many of the new PCI requirements, but especially the new makeup of the PCI standards group.

"We have been having to deal separately with Visa, MasterCard, American Express and now Discover, who are all clamoring for compliance audits and meeting with their people and being reviewed," King said. "Im glad that well be dealing with a single body and maybe a single set of criteria. Thatll be good."

The rules were updated in PCIs Data Security Standard Version 1.1 partially to address criticism that the rules did not factor in the practical considerations of running retail chains. For example, a requirement for file integrity monitoring software to watch for unauthorized modification of critical system files had mandated that file comparisons be done daily. Its now been softened to weekly.

"In thinking about the new changes, we asked, How do you apply it in a real-world scenario?" said Seana Pitt, chairwoman of the PCI Security Standards Council and Vice President of global merchant policy and data quality for American Express. "If you look at the information on a daily basis, its just a lot of data to work through. This approach is more applicable to the day-to-day running of an IT organization. It did not erode the security."

Michele Borovac, director of marketing at Decru, a storage vendor based in Redwood City, Calif., and a company that has been closely watching the PCI process, agreed. "Its overkill to try and run it daily. Its a burden and the data simply doesnt change that often," Borovac said.

However, more stringent requirement was added as well, that wireless analyzers need to be used periodically. In the previous version of the rules, such analysis was only required when a wireless application was being used, but the new rule requires that the testing be done "even if wireless is not currently deployed" so as to find any rogue wireless networks surreptitiously installed.

Todays larger retailers "have very complex networks" and its "very easy to plug in something in the heat of the moment," Pitt said. Its not that difficult for wireless access to be accidentally enabled given the large number of hardware, software and networking devices today with wireless capabilities.

Regals King said he was not comfortable with the new wireless requirement. "I feel that its a little bit of an overkill," he said, because the complexity of a typical large retailer does not fit neatly into the new rule.

"Even if one does detect the presence of wireless activity inside ones firewall, [further questions include] whether or not that wireless activity is secure or whether credit card activity is flowing across that wireless component, whether or not one can enter through that wireless port and get through to encrypted data," King said. "The complexity of an environment that a Level One merchant is going to have needs to be looked at more from an engineering standpoint than Lets take a wireless analyzer and lets put it inside your stores and see if I can detect any wireless activity."

Part of the reason for that is the nature of many of Regals movie theater locations. The fact that many movie theaters are located inside malls and are immediately proximate to tons of smaller merchants—many of which may have their own wireless access—makes for some challenging tests.

"So theyre going to turn on a Wi-Fi finder and theyre going to find lots of wireless connections. Some secure, some not secure," Rasch said. "They cant just say, Well, those arent ours because they have no idea whether this is a rogue part of their network that somebody has put up. How do you validate—in a place that may have 20 or 30 Wi-Fi connections—that none of them are yours? Its a difficult task."

Another change was prohibiting cardholder data from being stored or copied during remote access. The earlier version had demanded that all such access be disabled. "In the past, they said, You cant access it. Period," Borovac said. "Retailers said, Thats not plausible. We need to give people who are working remotely access."

The potentially most significant change involved compensating controls, which can be used instead of encryption. Before, encryption was considered mandatory.

The change was mostly a concession to issues of costs and logistics, because many retailers argued that it was not practical for them to encrypt all cardholder data, and they proposed alternative—and more complicated—ways of protecting the data. Many older retailers with substantial legacy systems had been especially concerned, Pitt said. "To think about encrypting data on that mainframe is costly and it takes a long time," she said.

However, Decrus Borovac argued that the PCI committee—whether consciously or subconsciously—is discouraging retailers from using compensating controls by putting in place a much more onerous certification process for that method. "It comes down to the ease … [with which] people will want to pass their audits," Borovac said.

/zimages/5/28571.gifClick here to read about a grocery chain that is separating item scanning from payment.

Regals King agreed, saying his chain has aggressively embraced encryption, even though it sharply limits its CRM (customer relationship management) abilities to learn about its customers and market to them.

"I think that investing in encryption is going to be so [much] less onerous and so [much] less expensive as opposed to going with a whole variety of compensating controls. Things change, situations change, technologies change. And to manage all of the different compensating controls that one would need to have if one doesnt have encryption is going to require huge overhead, and it will be a huge distraction," he said.

"We encrypt from the moment that the credit card number is electronically digitized, from the point of scanning through our systems. The credit card information is all encrypted, flowing from POS to the provider and back and thats it. Its not in back-office systems. Its not in corporate systems. Its not transmitted around. Its not in databases. We have lost some of the identifying mechanisms that we could use for things like loyalty and some of our buying patterns and stuff. Thats [had far less of an impact] … and far easier to manage."

One change that has already been announced was a PCI reclassification of retailers based on an ostensibly better model of how transactions are being handled today.

The reclassification is "recognizing the way the threat environment is changing. Brick and mortar merchants are getting hacked at, if anything, a greater rate than e-commerce merchants. The reclass at the merchant level reflected that," said Chris Noell, executive analyst with TruComply, a security consulting firm in Austin, Texas. "Before, you could process as many as 6 million transactions in a brick-and-mortar context before you had any validation requirements at all. Now that threshold has dropped to a million, which I think is a more appropriate risk management stance for the industry to take."

Rasch urged retailers to carefully check to see whether their classification has changed, because the new criteria is unpredictable. "Theres no consistent theme here. Some people get classified up. Some people get classified down," Rasch said. "If you thought you were a Level One, you might now be a Level Two and if you thought were a Level Two, you might now be a Level One."

Retail Center Editor Evan Schuman can be reached at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.