Green Sheet sceptical about PCI compliance

A reporter from the Green Sheet, a magazine devoted to the payment card industry, made the following comments. Many of them rest on common misunderstandings, and each deserves a response: without a full understanding of PCI or of the compliance process, it is easy to criticize the process.

In a recent American Banker article, Visa U.S.A. Chief Executive Officer John Philip Coghlan predicted that by the end of this year, more than 60% of the merchants accepting Visa bankcards will have adopted the Payment Card Industry (PCI) Data Security Standard.

I risk spoiling my brand neutrality, but if 60% of Visa’s merchants are PCI compliant by year’s end, I’ll get a Visa tattoo, embed a radio frequency identification device in the back of my right hand and become the first human payment product. “Talk to the hand” will become my preferred payment parlance. Fun as this seems, I feel secure that by year’s end I will remain ink and chip free: I doubt that 60% of merchants will even know what PCI stands for by that time.

I can empathize with the writer in that changing an industry can sometimes feel like parallel parking a large truck. It may be slow and take careful attention to detail, but it can be done. Visa, in its statements at ETA, and CEO John Coghlan have both given statistics that put compliance somewhere in the neighborhood of 60% by the end of the year.

Statistics are funny things in that they can be slanted in many ways. The magic percentage may apply to merchants, to service providers, or to both. Since the merchant population is always growing, the percentage would have to be based on the number of merchants and service providers identified in a given year. According to InfoMerchant.net, over 1.5 million terminals were shipped in the US in 2005 (some replacing old terminals, some new). The percentage compliant is only a point-in-time figure, but it does show the industry slowly moving towards better security.

The article explains that the “overlooked Level 4” merchants are such a large risk to the industry because they are using integrated point-of-sale (IPOS) units.

Additionally, several IPOS systems can inappropriately store magnetic-stripe data, often due to merchant misuse or ignorance. Many IPOS systems connect to a processor via high-speed Internet connections, leaving them vulnerable to hackers.

… Our industry is most exposed within the Level 4 merchant category. …

First, Level 4 merchants are not the only ones using IPOS systems; in fact most merchants use them. One web site documents the difference as such:

A point-of-sale (POS) system can refer to many things depending on whom you ask. To some, it is a simple cash register or a standalone card swipe terminal that is connected to a phone line or store controller. To others, it is a PC-based system that integrates a cash drawer and a card reader that runs sophisticated software applications. This report analyzes the PC-based POS system market.

Second, there is nothing especially technical about an IPOS; it simply uses specific software that ties the credit card reader into a PC. What most people do not realize about the Level 4 definition is that it is not based on acceptance channel. Unlike Levels 2 and 3, which are defined in terms of “e-commerce transactions”, Level 4 covers either e-commerce or brick-and-mortar transactions.

Does this mean there is a loophole in the level definitions? Maybe. Most Level 4 merchants are small mom-and-pop shops, but some are large retailers that do fewer than 6 million transactions per year (an average of 500,000 per month) and have no e-commerce presence. So the Level 4 definition contains many small merchants and some very large ones.

The statement that hackers look for IPOS systems is partially correct, but the article makes it sound as if they are primarily used at Level 4 merchants. The story should have explained that hackers are targeting retail stores more than e-commerce stores. This would more clearly explain that Level 2 and/or Level 3 should not be based on acceptance channel (i.e. e-commerce vs brick-and-mortar).

The article provides the following recommendations:

I urge Visa and MasterCard to focus their efforts on this cross section of merchants, and I encourage all acquirers to register all known third parties that represent this merchant group. And I hope everyone in the industry seriously addresses this demographic. The PCI requirements for Level 4 merchants are to pass a self-assessment questionnaire and to pass a quarterly network scan from a qualified independent vendor.

This is exactly what Visa and MasterCard have been doing. CISP, the precursor to PCI, was introduced in 2000 and has been slowly expanding, as the risk has shifted, from e-commerce systems to back-end systems and down to the POS itself. In December of 2004, Visa posted the Payment Application Best Practices (PABP) to its web site, and it plans to make them a required part of PCI by the end of this year. The PABP applies to all types of payment applications, and their compliance with data security standards will directly affect all merchants regardless of level (in fact, most Level 4 merchants store credit card data only in their POS systems, so a PABP-validated POS may make them compliant right away). But this too will take time, because even once the secure version of an application is available, the merchant still has to implement it in their environment.

Visa and the acquirers are registering third-party service providers all the time and have been since 2000. One of the required items on the report on compliance (ROC) is that the assessor or auditor provide a list of any third party vendors and what access they have to cardholder data.

The acquirers are addressing compliance using a risk model. Level 1 merchants are a higher risk than Level 4 merchants. The retort to that is that many Level 4 merchants add up to much more than the few Level 1 merchants and thus are a higher risk. This is not true.

Yes, Level 4 merchants are compromised more often than Level 1 merchants. Yes, there are more Level 4 merchants, but individually they store fewer credit card numbers. What people do not know is that it takes a whole lot of Level 4 merchants being compromised to equal one Level 1 merchant or service provider hack that results in 10-20 million credit card numbers being compromised. Also, part of the risk equation is consumer confidence, which is affected much more by a Level 1 compromise than by several Level 4 compromises.

The article makes the following recommendations, which are already in place:

  • Require merchants with dial-up, stand-alone terminals and no other connectivity or card number storage capacity to verify accordingly with an attestation statement. Then exempt them from further compliance-related activity.
  • Impose a due date for compliance on merchants processing more than 20,000 transactions yearly, regardless of processing method.
  • Provide an Association certification for all acquirers engaged in enterprise-wide cardholder security programs. Advertise these acquirers’ compliance and significance.

Merchants with terminals that dial directly to the acquirer and do not store credit card data have only one compliance requirement to meet: securely storing the paper receipts that print the full credit card number. If their copy carries a truncated card number, there are no other compliance requirements.
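As an added illustration (not part of the original post) of two points above, IPOS systems that inappropriately store magnetic-stripe data and receipt copies that must carry only a truncated card number: a small Python scanner that flags Track 2 records and Luhn-valid PANs in a constructed POS log excerpt and shows the truncated form a merchant copy should carry. The log lines and card numbers are constructed for this example (the PANs are standard test numbers).

```python
import re

# Constructed excerpt of what a poorly configured IPOS application might write
# to a debug log. Assumed for this example only; the PANs are standard test numbers.
SAMPLE_LOG = """\
2006-03-01 10:12:03 sale approved ref=8812 amount=42.10
2006-03-01 10:12:03 raw track2=;4111111111111111=0812101123456789?
2006-03-01 10:15:44 sale approved ref=8813 pan=5500000000000004 amount=9.99
2006-03-01 10:16:02 receipt copy pan=************0004
2006-03-01 10:20:17 order id=1234567812345678 (not a card)
"""

# Track 2 layout: start sentinel ';', PAN, field separator '=', expiry YYMM,
# service code and discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Any run of 13 to 19 digits not touching another digit is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn check, used to cut down false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_track2(text):
    """Return (pan, expiry) for each Track 2 record: any hit means full
    magnetic-stripe data is being retained, which PCI DSS forbids after authorization."""
    return TRACK2_RE.findall(text)

def find_pans(text):
    """Return the distinct Luhn-valid PAN candidates, in order of first appearance."""
    seen = []
    for candidate in PAN_RE.findall(text):
        if luhn_ok(candidate) and candidate not in seen:
            seen.append(candidate)
    return seen

def truncate_pan(pan):
    """Receipt-style truncation: keep only the last four digits of the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

if __name__ == "__main__":
    for pan, exp in find_track2(SAMPLE_LOG):
        print("TRACK 2 DATA STORED: pan=%s expiry=%s" % (truncate_pan(pan), exp))
    for pan in find_pans(SAMPLE_LOG):
        print("full PAN stored: %s -> receipt form %s" % (pan, truncate_pan(pan)))
```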

Due dates have already been set and passed. Every merchant should have been compliant by September 30, 2004. The due date was extended for some merchants, but currently all merchants and service providers need to be compliant.

Qualified information security companies are already working with the top acquirers and processors, and have been for some time, rolling out “enterprise-wide cardholder security programs”. They are working with their entire merchant base to get them compliant. Also, the acquirers have to send reports to the card associations on a regular basis to report the compliance status of their merchant population.
