With concern growing over major retail data breaches, pressure is increasing for retailers to become compliant with the retail industry's security standards, formally called the Payment Card Industry Data Security Standard. Several states are trying to make such compliance legally required.
But behind PCI is an alarming patchwork of contradictory enforcement, auditors selling the same services they're critiquing and frustrated retailers who say they can't jump through infinite hoops forever.
PCI was designed to formalize what retailers considered to be the best security practices and procedures and to provide a precise, consistent way to get merchants to comply. In practice, however, it has slightly improved security while sharply increasing retailer frustration.
In general, the sensitive nature of security procedures causes most IT executives to be hesitant to publicly discuss their operations and plans. But the reluctance of many such executives to talk openly about PCI is caused more by industry politics and the fact that these merchants are constantly negotiating with the companies that decide whether or not they will be PCI-compliant.
For this column, several IT executives, auditors and others have agreed to speak without attribution, or occasionally on the record, about the state of PCI enforcement today. In instances where accusations have been made, they have been confirmed by at least three independent sources.
It's been said many times that being PCI-compliant can be quite far removed from being secure. But the hoops that retailers have to jump through to gain that compliance have very little to do with security and very much to do with business purchases and relationships with the overseers.
PCI is officially managed by a group of retailers, banks and credit card associations, but in practical terms, it's strongly managed by one company: Visa.
“Visa is definitely leading the charge,” said David King, CIO of Regal Entertainment Group's Regal Cinemas, the nation's largest theater chain with 529 theaters and $2.6 billion in annual revenue, headquartered in Knoxville, Tenn. “It's Visa calling people. It's Visa people setting regulations, dictating enforcement.”
Said the CIO of another multibillion-dollar retailer, “PCI is nothing but a shell company for Visa.”
Below Visa is an army of auditors. But unlike the way publicly held companies must deal with accountants for financial audits in the era of Sarbanes-Oxley, the auditors here work for private companies that invariably sell security software and hardware.
In other words, the auditors who will decide, with remarkable discretion, whether or not a retailer is given the green light for compliance are also selling to that retailer services and products that they can decide will make them compliant. Consider an auditor saying, “Based on what I see here, I can't support your accreditation effort, but if you buy this list of $9 million of our products and services, that would almost certainly change my mind.”
One PCI consultant who asked that his name not be used said it's a very straightforward business deal. “Assessments are low-profit activities and rather repetitive. For an assessor to make a higher margin, they need to do other things. Since there is no requirement that prevents this, the assessors are going to use the knowledge gained from learning about the problems to solve the problems,” the consultant said. “I don't have any evidence that assessors are deliberately manipulating findings to favor the products or services they resell, but the temptation is pretty great. Without clearer rules, it's logical that some companies will cross the line.”
“Some assessors are also selling products for compliance purposes,” the PCI consultant said. “Providing assessment isn't nearly as high margin as providing compliance.”
Regal's King said he's seen this before. “This used to be the climate that we all lived with before Enron. [Accounting firms] not only did the audits, they also did taxes and evaluated risks. One division created revenue for another division,” King said. “The whole PCI compliance industry is like it used to be before all of that occurred.”
Linda Walker is the vice president of IT Infrastructure and Security for Dick's Sporting Goods, a chain of more than 300 stores and about $3.1 billion in annual revenue, headquartered in Pittsburgh. Walker said she is also taken aback by how far PCI regulation has gone astray today.
“It amazes me that these auditors are even allowed to sell remediation services,” Walker said. “If Visa wants to do the audit, then Visa ought to do the audit.”
Gordon Rapkin, CEO of security services firm Protegrity, based in Stamford, Conn., agreed that there are striking parallels to what the financial accounting world looked like 10 years ago.
“Didn't we learn anything from Enron? Here we have a bunch of assessors who have a catalogue of products to sell,” Rapkin said. “You've got an assessor whose job is to tell you what's broken. This conflict of interest is the real issue. It's the big one. [The auditor could say] I can fix this and it will pass. This is just a total conflict. We need assessors who will assess.”
Rapkin described a mid-May meeting he had in Europe with a group of representatives from Visa, MasterCard and American Express, plus a few others. When he complained about the conflict of interest, he said, their reaction was, “Yeah, that's true. That's right. And one said, ‘We have lots and lots and lots of merchants that need to be assessed and not a lot of people who know how to do it or are willing to do it’” for the low fees that pure assessment can generate.
Rapkin said the credit card executive then said, “I know that it doesn't sound right, but it gets us what we need” if auditors are allowed to also sell their security products. “It was quite Machiavellian. The end will justify the means.”
That conflict of interest wouldn't be as much of a concern were these auditors not given such broad latitude in interpreting the PCI requirements.
The PCI auditing procedure enforcement guide is some 50 pages long and is full of very specific rules that could be interpreted in very different ways, said David Taylor, an auditor who is president of the PCI Security Vendor Alliance, based in Fremont, Calif. “I could pick 10 items and could tell you two or three different ways you can legitimately interpret the testing details.”
However, Taylor said the fact that many rules are subject to varying interpretation is not what he finds so troubling: It's the attitude many auditors have that the rules are explicit, when they are often anything but. “There's going to be some variation in interpretation. That I consider inevitable. What is surprising is how adamant people are about their interpretation of things,” he said.
Consider PCI requirement 2.2.4: “Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and unnecessary Web servers.” Taylor pointed out, “When it says all, that's an absolute thing. But a few words later, think about the very concept of unnecessary. Who determines what is necessary? That's a value judgment. Even though the word all is an absolute, the word necessary forces a judgment.”
Or consider requirement 3.6: “Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data.” Again, that sounds explicit and specific, but what precisely constitutes full documentation? “Guidance could be a couple of lines or 20 pages,” Taylor said.
Regulatory Flexibility Can Mean
The biggest PCI issue is the question of “compensating controls.” The original rationale for compensating controls is that retailers have very different environments and that some requirements may not make sense for some companies. Therefore, the theory goes, PCI will permit a retailer to use some alternative method if the retailer can prove that it's as secure as the one the PCI spec dictates.
Protegrity's Rapkin said he sees compensating controls today being used as a way for some retailers to get out of abiding by the rules because it's too expensive or too difficult. “It's a ‘Get out of Jail Free’ card. Compensating controls today are at the whim of the successor,” he said.
Rapkin admitted that his dislike for compensating controls is because they are often used to avoid encryption, which his company sells.
Another argument for compensating controls is that they are a viable compromise. An analogy would be to the U.S. “food pyramid.” Nutritionists working on the latest government pyramid wanted to push beef products into the same category as candy, and to move whole grain products into their own category, away from white bread and white rice. But the government argued that such an extreme pyramid would likely be ignored by many Americans, supporting the position that a compromised but adhered-to pyramid would improve diets better than an ideal but ignored one. (OK, so cattle lobbyists also played a role, but let's not go there. It ruins the analogy.)
Similarly, the rationale behind compensating controls is that a strict adherence to the rules would cause a lot of retailers to stop trying. So, in theory, a compromised but realistic security plan would make systems safer than an ideal plan that wasn't often followed.
The inconsistency involved wreaks havoc on the plans of retailers. One CIO said his PCI auditor just resigned and they are begging the audit firm to force the new auditor to stick with the decisions made by the old auditor, rather than force the retailer to start over.
One requirement that was mentioned by two CIOs that is not explicitly referred to in the rules is for closed-circuit video cameras to be installed for every point-of-sale terminal in the chain. The intent is to make it more difficult for intruders to install devices on the POS readers to steal credit card data. The only reference in PCI is a vague requirement in 9.1.1 to “use cameras to monitor sensitive areas.”
The CIO of one chain calculated that such a move alone would “vaporize north of $10 million, $15 million easily. And then there's an ongoing $2 million to $3 million a year to maintain it. That's $2 million to $3 million for life and it's only going to go up. And then there's inflation. What about storing the images? You have to have someone to monitor those. No one could possibly afford that. This is ridiculous. We can't do business like that. Then [auditors] ask, ‘Do you want to take credit cards or not?’ Absolutely asinine.”
What was behind that demand? A concern about a POS system encryption procedure. “As soon as a credit card is swiped, we immediately encrypt it. But there's a fleeting moment, a micronanosecond, between when the swipe has occurred and when it's encrypted, between the POS and the magnetic swipe reader.” The alternative to the cameras was a higher-end POS system that the auditor's firm happened to sell.
Another common criticism of the PCI program is that it leads to retailer confusion. Mostly, that confusion involves whether or not the retailer is compliant. There are several reasons for this confusion. Some larger chains have separate compliance efforts for different groups, so the CIO for one chain may not be certain which parts of his chain are compliant. But a more common issue is timing.
Let's say that a retailer eventually gets a compliance letter on Oct. 1, declaring his chain PCI-compliant. That letter doesn't say the chain is PCI-compliant for one year, as a driver's license might. Indeed, it doesn't even technically say the chain was compliant as of Oct. 1, but more likely means that the chain was compliant as of the date of the last completed full audit, which was likely several months earlier.
The retailer's CIO is then asked, “Are you PCI-compliant?” He or she knows that some auditors looking at systems now have different expectations than at the time of the audit, and he or she also knows that some systems have changed. Several CIOs interviewed for this piece were honestly not sure whether or not they were truly compliant, which is frustrating.
“We are deep into quite a number of different initiatives in order to become compliant right now,” said one Fortune 500 retail CIO. “But it's a changing landscape, a changing process. No matter what happens, we're going to be doing a lot of positioning and then negotiating back and forth with the auditor or whoever will ultimately be certifying it.”
Walker, from Dick's Sporting Goods, added that one problem with PCI historically has been “finger-pointing. Visa did not want to take responsibility to tell the merchant that they're compliant and the acquiring banks did not want to take the responsibility to do it,” Walker said. “You don't want vague assurances of compliance or likely compliance. I want the letter for the wall. A letter from somebody saying I'm compliant or not compliant.”
One CIO described how his chain suffered under the whims of different auditors. This chain had an audit in October 2005 and was given a compliance confirmation in February 2006. “Then the rules started changing.” For example, the PCI rules required an incident response plan.
“The first year, just having a plan in writing was sufficient. The second year, the plan was scrutinized for content and we were told much more content was required,” the CIO said. “For example, they wanted phone numbers for contacts such as the banks and law enforcement agencies. The criteria of how you get graded kind of shifted and things changed from auditor to auditor even in the same company, and certainly from auditing company to auditing company.”
The same CIO cited another example: encryption. The chain segmented sensitive transaction data using strict network controls. “In 2005, this was accepted. In 2006, it was not. We are now implementing encryption. Despite an official PCI position that compensating controls are permitted, it seems as though our auditors now will no longer accept any compensating controls for encryption.”
Another issue that chain experienced involved something called an ROC (Report on Compliance), which is a form filled out by a retailer that is trying to get a compliance certification. “In 2005, if you were far enough along in a requirement and had a reasonable plan acceptable to the bank, you were considered compliant. They were then going to monitor your progress to the plan. Now you would be considered not in compliance if the plan is not completed.”
The retailer also had problems with Web logging, where one auditor found logs acceptable and the next auditor insisted on much more extensive (monthly, weekly and daily) logs.
Some retailers that are not Tier 1 merchants are filing self-audits, where the retailers' own personnel fill out the forms. Walker, of Dick's Sporting Goods, said she has a real problem with PCI self-audits. “I wouldn't ever be comfortable with a self-audit at Dick's. All companies in all tiers should have an external audit performed,” Walker said. “Smaller companies don't even have the in-house expertise to do a self-audit.”
This is not to say that PCI hasn't indeed improved retail security. There are very few in retail who doubt that it has.
One CIO for a large retail chain said the requirements of PCI helped him purchase pieces of equipment, such as high-end routers, that also helped modernize non-security-related operations.
“To give Visa some credit, they did shake things up and it's definitely improved retail security,” the IT exec said. “I can't imagine what would have happened had I asked for $4 million dollars for security two years ago without the hammer of compliance. They would have looked at me like I had two heads.”
Retail Center Editor Evan Schuman can be reached at [email protected]