Vague guidelines and conflicting audit firm interpretations—coupled with retailers that fall into multiple PCI categories—are making for some unhappy retailers.
The rules for the Payment Card Industry Data Security Standard are designed to keep credit card payments secure as retailers transmit cardholder data.
The Retail Industry Leaders Association, or RILA, held a retail meeting in March and is preparing for another in September, all on the topic of PCI deployment problems.
“When the credit card industry specified requirements for retailers, the retail industry seemed to lose momentum on its own data assurance work,” said an invitation to attend the meeting of what RILA is calling the PCI Project. “Some PCI requirements are vague. Some are unattainable. Retail companies that participated in the March 16 meeting cited numerous examples of low-result PCI requirements, one-size-fits-all rules that dont work for various kinds of retail formats,” and they also reported “potentially crippling costs.”
Cathy Hotka, a RILA senior vice president, said there is universal retail industry support for the goals and objectives of PCI and its efforts at making payment systems more secure. The problem, she said, are the rules rigidity or, more accurately, the rigid way they are often being interpreted.
“What does it mean to implement PCI in the real world? Some of the requirements that came out of the original PCI rules were kind of One Size Fits All, which was difficult for some of the retailers to get around,” Hotka said. “There has been some difficulty in making the rules work and getting common answers from the audit firms that provide advice to retailers.”
Hotkas favorite examples are rules that impose unrealistic hardships on smaller retailers and that dont appreciate the practical staffing flexibility that retailers need.
“Take, for example, a very small store where certain kinds of information is being kept in the register during the day. In theory, under PCI rules, all customers have to be escorted into the store with an escort wearing a badge because the store is of a certain size and thats the way the rule is written. Thats the kind of thing were addressing,” she said.
Hotka was discussing PCI during an audiocast at a retail technology blog called StorefrontBacktalk. The PCI discussion also cited a staffing PCI frustration from a larger company: “A great big hotel chain expressed some frustration with one of the rules that said that it was not possible for people to serve more than one operation. A resort might have a spa and a golf course and five restaurants and a pool. Various people from the larger site could not go elsewhere. Somebody from the spa could not be a substitute at the pool because that would be against regulations.”
Security consultant—and former federal prosecutor—Mark Rasch was also on the audiocast panel that discussed PCI. Rasch said the problem is less one of how the PCI guidelines are phrased and more a matter of how they are being interpreted, particularly by audit firms the retailers are hiring to prove compliance.
“The guidelines are written fairly broadly and you sit there and say, How do we apply them? One audit firm will tell you, No, you cant do this. Its prohibited by the guidelines and another audit firm will say, This is perfectly fine,” he said. “Never let regulatory compliance be the enemy of doing the right thing. You need to do the right and appropriate thing.”
Rasch said that the PCI rules are running into several deployment challenges, but that similar hurdles have confronted just about major security guideline effort.
“This happens in every area of security, whether its HIPAA [Health Insurance Portability and Accountability Act], Sarbanes-Oxley or the PCI standards. What makes PCI much more difficult is that many companies dont even know where they fit in the chain of PCI. They dont know if they are issuers, if theyre processors, if theyre merchants,” Rasch said, adding that many retailers today fall into multiple categories, making strict compliance much more difficult.
The retailer “may serve several different functions within that chain. In terms of aggregating the volume of transactions that they do, they may be a very large issuer and a very small processor. That happens as companies start going into new business areas.”
He cited as an example the $9 billion 26,000-restaurant Subway chain, which is deploying a POS/loyalty/CRM (customer relationship management) card.
“A good example is Subway. Subway is thought to be a merchant. You go in and you buy a sub and you give your credit card and thats it. But, with their stored value cards, theyve become an issuer as well, so theyve been taken from one regulatory scheme to another regulatory scheme within the PCI standards,” Rasch said. “New business opportunities and new ventures take you into new areas of PCI and you need to be aware of them.”
Whos in charge
Another PCI deployment hurdle is the “Whos in charge?” debate. Hotka said that issue came up repeatedly as her organization tried to identify the proper people to meet with.
It was very difficult “to locate the correct people within each company. I think we found a total of four people (within retail) who had the title of chief information security officer,” Hotka said. “Many people had the CIOs in charge, there were VPs of architecture, directors of application development, there were compliance folk. In some cases, the right person to talk to was the loss prevention person.”
For many retailers, executives do a knee-jerk point to the CIOs station. “Some companies will point, just by default, at the CIO and say, Oh, the buck stops there,” Hotka said. “But the CIO in fact may not know anything about this and is the person who just signs something periodically.”
Rasch commented that the responsibility confusion is especially ironic, given that its one of the few areas where PCI guidelines are unusually explicit. “One of the things that PCI requires is that you have an individual responsible for information security,” he said.
Rasch argues that the way PCI guidelines are written are not the problem and that significant wording changes could easily make the situation worse.
“If you were to write them even more explicitly, that would create even more problems. The PCI standards are intended to be just that: standards and guidelines of good behavior. If you get to too much of a level of granularity, then youre going to get into some really difficult problems where they just dont work in the real world,” Rasch said. “So theyre intended to be fairly high-level reasonable standards of things to do. The problem is that if theyre too broad and too general, you cant audit against them and you cant certify compliance. If theyre too detailed, they dont work so there has to be a balance between them.”
How, then, do the problems crop up? “What happens is the auditing firms and the people who do assessments against PCI standards come in and theres a certain amount of interpretation that they have to do to say, This is a good program and this is a bad program,” Rasch said, adding that the only response is for a retailer to prove that adequate compensating controls are in place so credit card transactions are, in reality, not in danger.
What is a retailer to do if an audit firm says a reasonable legitimate business practice is against the guidelines? “What you do is you go find another audit firm and you demonstrate to that audit firm that you have adequate compensating controls,” Rasch said. “And if it really becomes a violation of PCI, then youve got to go back to Visa and MasterCard and say, Listen, we either need an exception or we need the rule changed because this is not a genuine threat. Its not a real threat to payment information and we should be allowed to do this.”
Another panelist at the audiocast was Jupiter Research analyst Patti Freeman Evans, who has worked extensively with retailers on PCI issues.
“It was very hard to understand what the compliance really meant and what it meant to our systems and procedures,” Evans said. “And then, once we got a grasp on that, then we had to understand how long it would take us to comply, what the costs were going to be and then how we could make a case for it. Well, heres the reporting. At least were reporting that were not doing it right. At least we know that were not doing it right and were making some reasonable effort to actually get there.”
Evans then asked fellow panelist Rasch whether that was how most retailers were handling PCI issues.
“Oh, if only they were up to that standard,” Rasch said. “Right now, people are circling and dancing around PCI. The large retailers are starting to do assessments to see where they are and put plans in place to become more compliant. The smaller merchants are saying, PCI? What does that stand for?” “
Retail Center Editor Evan Schuman can be reached at [email protected].
Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.