Evan Schuman's StorefrontBacktalk

Over the last few weeks, one of the most common questions we’re hearing discussed is “Is PCI really worth it?” These are multi-billion-dollar retail chains asking this question. But there’s a lot more behind the question than it might initially seem.

In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains considering such a heretical question are already putting in place security procedures that go well beyond current PCI requirements. This isn’t a safety or security issue. It’s a simple CFO’s ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance. A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming.

For your overflowing folder marked “Ludicrous PCI Scare Tactics That Too Many People Believe” comes a renewed effort from some security vendors to say that out-of-date operating systems this year will cause instant PCI non-compliance. The cure: Give the vendor a lot more money. (Funny how that “cure” seems to treat so many ills in these letters. It’s the Penicillin of PCI.)

A letter from a POS vendor making the rounds warns retailers—under the headline “Information Security Advisory”—that an out-of-date OS will cause lack of compliance with PCI. The warning isn’t true, but the popularity of this and related PCI claims is moving beyond annoying. Are these vendors lying or is marketing being allowed to make the claims without anyone checking? A recession drives marketers to desperate measures. (OK, so does prosperity, but let’s not go there.)

PCI Columnist Walter Conway argues that it may sound like heresy coming from a QSA, but he sees some merchants over-emphasizing their PCI annual assessment. The main event for them is a clean Report on Compliance (ROC) for Level 1 (and soon Level 2) merchants or a Self-Assessment Questionnaire (SAQ) for everybody else. They believe that once the ROC is signed, they can relax until the next year.

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.

PCI Columnist Walt Conway sees PCI 2.0 mandating the use of automated cardholder data discovery tools, will impose rules that will literally overrun the council’s PCI training program and will likely not alienate Level 2s enough to make a difference. (That’s the secret to a happy marriage, knowing the precise moment that an aggravation level will overtake apathy and stopping nanoseconds short of it.)

But Conway sees the data discovery prediction the most significant. “If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search.”

When it comes to franchise-based retailers, Franchisee Columnist Todd Michaud opines, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles his mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies–my firm included–are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Do cybercriminals concern you? Are you afraid that you might lose cardholder data? Are you worried that your internal users are downloading malware from the Web? If so, PCI Columnist Walt Conway has a question for you: Why are you more afraid of your QSA than you are of a cyberthief?

Consider this example: A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.

When PCI Columnist Walter Conway played high school football, the coach once said to him, “Son, there are three ways you can do things: the right way; the wrong way; and the coach’s way. Which way are you going to do things?” To which he replied, “the coach’s way, sir.” PCI can sometimes get like that when the card brands can’t agree among themselves as to whether something is in-scope or out-of-scope.

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.

Now that a PCI lawsuit brought by four restaurants against a POS vendor and a systems integrator has been given class-action status, the case will survive and force a very interesting debate about exactly where a retailer’s PCI liability should start.

The case involves four Louisiana restaurant groups—doing business as Crawfish Town USA, Don’s Seafood and Steakhouse, Picante’s Mexican Restaurant, Mel’s Diner Part II and Sammy’s Grill—suing their POS vendor, Radiant Systems (which owns the Aloha POS systems used by these chains), along with systems integrator Computer World (not to be confused with the publication Computerworld). But when you drill into the details of the lawsuit, it gets more interesting. One of the key accusations against Computer World is that it used vendor default passwords for systems with many of these restaurants, for easier remote administration. The lawsuit correctly points out that PCI bans retailers from using such vendor default passwords. But that’s the key. It’s the retailers that are not permitted to use these defaults. Was integrator Computer World, in this scenario, acting as an agent of the POS manufacturer—as a reseller—or as an agent of the retailer–as an integrator?

Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. But how big a difference, asks PCI Columnist Walter Conway, is there really between self-assessing and an onsite review? Actually, there are 525 differences.

Conway’s concern is the almost inevitable fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.

This week marks the debut of StorefrontBacktalk’s new PCI columnist, Walter Conway, and Conway debuts by trying to decipher encrypted tea leaves of the PCI Council’s position on out-of-scope data. what does “the means to decrypt” include? We need, as always, to look at the Council’s intention and not just dissect its words. Although this sentence was followed by a discussion of who manages the encryption keys, I believe the Council intends “decrypt” to mean any way to get from encrypted or tokenized data (i.e., out of scope) to plain text data (i.e., in scope).

That includes gaining access to the keys, but it also includes access to token lookup tables or any other way to get back to the original data. That means you need to be just as concerned with social engineering attacks, malicious insiders and phishing as you do with hackers stealing encryption keys.

After some serious retail pushback—particularly in the gas station sector—Visa has relented and agreed to back off an earlier PIN pad compliance deadline originally set for July 1, 2010, some 7-and-a-half months away. The new policy isn’t threatening fines until Aug. 1, 2012.

But the changes were mostly fueled by strong retail lobbying efforts. Beyond the convenience retailers that NACS represents, several of the nation’s largest chains—including at least one major department store—were threatening to abruptly cut off PIN debit at the deadline, possibly switching to signature debit to temporarily sidestep the issue. The tactic is not dissimilar from what Best Buy did this summer when it threatened Visa over contactless payment debit charges.

IT execs want to know how the implementation of an end-to-end encryption approach can be integrated with their million-dollar-plus investments in enterprise encryption and key management systems. The last thing anyone wants to hear is that they spent tons of money to meet PCI DSS 3.4 and 3.6 (encryption and key management), only to be told that they wasted their money.

PCI Columnist David Taylor heard from one retail leader who was especially upset about Visa’s reference to ANS X9.24 as the key management best practice, mainly because it’s so focused on encrypting PINs and is not meant to be a general-purpose key management system. He suspects this concern will mushroom into a real battle unless technology vendors can make it clear how investments in enterprise key management systems will be preserved while still meeting ANS X9.24. These standards were, after all, designed for the financial services industry.

As the lawsuits involving Heartland’s massive data breach move through the court system, an unusual claim was inserted into a court filing. The September 23 filing in the U.S. District Court for the Southern District of Texas was trying to raise questions about Heartland’s post-breach conduct. It then shared the following anecdote without further explanation.

“On the day after the data breach, Heartland conducted a Webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. Upon information and belief, Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had ‘good cause’ to leave her position at Heartland based, in part, on Heartland’s conduct.” That might prove quite significant, or it could be an irrelevant red herring. Either way, it’s not the kind of detail we see very often.

Visa’s just announced best practices are designed to provide guidance and give tacit endorsement to existing end-to-end encryption and, to some extent, tokenization. Merchants are likely to see it as “something else to do” and as further evidence that the card brands will continue to go their own way relative to data security despite the PCI DSS industry standards.

But PCI Columnist David Taylor sees something else interesting here. “For the last four to five years, companies have been told that achieving PCI compliance is much easier if they segment their network. Otherwise, all their corporate systems are in PCI scope. But network segmentation is not a PCI standard, per se. If an organization wants to keep their entire network and the connected systems in scope, it’s up to the company’s management.”

Visa on Monday (Oct. 5) issued a document to ostensibly help retailers figure out how best to navigate the new encryption and tokenization landscape. But as a practical matter, the document did little beyond rehash conventional wisdom and long-standing Visa and PCI best practices. It felt more like a quintessential psychologist’s advice session: “Dr. Visa, what should we do about tokenization?” “That’s an excellent question, Mr. CIO. What do you think you should do?” The document danced around the key issues about which retailers would truly love strong guidance from Visa, ranging from whether tokens could ever conceivably be considered out of PCI scope to whether retailers are actually encouraged to retain such tokens on their own servers.

But other issues are emerging about tokens. For example, the risk of storing convenient metadata in the tokens, info such as SKUs and exact time/place of purchase and CRM info. Although tempting, such convenience could prove disastrous if a retailer starts holding the data internally and then outsources without remembering to do an intense data cleanse.

Just because Danielle wears an apron and makes sandwiches all day, doesn’t mean she can’t solve your most challenging IT problems. If you really want to unlock the potential in your POS system, you need to give up control, argues Franchisee Columnist Todd Michaud.

You need to turn to the collective knowledge and experience of the people who use the system every day and empower them to “create a better mousetrap.” Sure, there are some things that are non-negotiable, like PCI compliance. But when it comes to things like POS menu design, leverage the hundreds or thousands of great ideas in your system to produce the best system possible.

At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group sought from PricewaterhouseCoopers (PWC). The first presentation of the PWC report of PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts. High priorities over the next year will be end-to-end encryption, tokenization and virtual terminals. But, asks PCI Columnist David Taylor, is it safe to act now?

It’s clear that Fortune 1000 merchants still enjoy their distaste for PCI DSS and their distrust of the process. And it’s fair to say that many merchants actually hate the PCI standards and their purveyors. Still, at last week’s meeting, the Standards Council and the card brands attempted to embrace their detractors via the oft-repeated “we want your feedback” refrain. The response? The merchants in attendance were generally well behaved in public (perhaps they fear reprisals), and there were no reported fistfights, as much fun as that would have been. And one of the reasons for this less-than-hostile response was the PWC report itself, which made it clear that the SSC (and, presumably, the card brands) were open to making some much-needed changes to the standards.

“I understand that your cousin Gino might be one of the best technology service providers in central New Jersey, but I’m just not sure if we can use him as part of this program.” One of the classic battles between franchisees and their chain’s CIO, argues Franchisee Columnist Todd Michaud, is the use of local support resources. When it comes to technology providers, most franchisees “have a guy that can do this better, faster, cheaper” than anything that is designed at a national level.

It’s a compelling argument. There is a lot to be said for smaller companies that are hungry and constantly go the extra mile. But there’s a reason why national chain CIOs do—and must—often resist.

Depending on your perspective, the upcoming Community Meeting of the PCI SSC members is a “chance to provide feedback” or a place to “share ideas” regarding the standards or “Whinefest 2009.” PCI Columnist David Taylor is taking a perspective that dates back to the founding fathers and preparing a “List of Grievances.”

Among the complaints: No guidance, the standards are designed for a bygone era of technology, the standards are anything but standardized, why should banks have to not comply with PCI?, compliance gamemanship and “We Don’t Need No Stinkin’ Credit Card Data.”

For decades, major retail chains have always used payment card data for various purposes beyond processing transactions, often as a practical customer identification means, typically for CRM and purchase history purposes. Although it has never been considered ideal, retailers did it as a matter of pragmatism, in the same way that universities and many businesses have historically used Social Security numbers to identify customers, even though they were never supposed to.

But in recent years, PCI advocates—especially the card brand executives—have discouraged the practice, arguing that the safest process is to use payment card numbers to process a payment and to then delete it as quickly as possible. Having those numbers lying around—especially spread into marketing and sales departments—was simply increasing the chance that someone unauthorized could access the data. But the guidance is vague and subject to economic considerations.

PCI Columnist David Taylor writes that he “actually believes” that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security.

“Let’s say a group of retailers is being chased through the jungle by a tiger named, say, Gonzalez. To avoid being eaten by the tiger, it’s not necessary that each retailer run the fastest, but merely that each retailer should run faster than the slowest retailer,” he writes.

PCI Columnist David Taylor has, for years, counseled retailers to hire quality QSAs and avoid the low-cost easy graders, who will pass for cash. But the latest comments by the PCI Council and MasterCard and making Taylor rethink that advice. Said one retail IT exec: “Why should we bother doing PCI ‘right?’ We’ve always stayed away from the low-ball QSAs that would just rubber stamp our compliance. We paid premium prices to get the best assessment. But, if we get breached, it probably won’t matter. The card brands will just bring in an ‘A List’ forensic team and all they have to find is one little thing (out of 200+ controls) and suddenly we’re not compliant, regardless of how much money, time and effort we put in. We should just hire an ‘easy grader’ QSA and get compliant at minimal cost as fast as possible.”

If a retailer will invariably be declared non-compliant after a breach, what’s the point of doing the assessment right? Turns out, there are quite a few points.

Albert Gonzalez, the Miami resident who was indicted last summer with stealing credit card data from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW can now add Heartland, Hannaford and 7-Eleven to the lengthy list of retailers that the federal government says he penetrated. In case you feel left out, there are two to three additional major retail chains that the feds have accused him of attacking, although those chains have yet to disclose that they were breached.

But the indictment revealed several key contradictions with 7-Eleven and Heartland and one major retailer’s security executive found the government’s specifics to be a convincing indictment against PCI.

People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.

Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, opines PCI Columnist David Taylor, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, Taylor thinks it’s all a difference of philosophy.

When the National Retail Federation released a report on Monday (Aug. 10) that said smaller retailers—Level 4s—now said they were “familiar” with PCI, it was hailed as a major step forward. That’s setting the bar mighty low, even for the smallest of retailers.

But the more important question raised in the report is whether those merchants have an unrealistic sense of how vulnerable they are to data breaches. The problem is that the report didn’t sufficiently track who said what, making it impossible to determine whether any one merchant’s appraisal was legitimate or not.

When the National Retail Federation published a report this week about a survey of Level 4 merchants and PCI concerns, it presented an optimistic—but potentially misleading—picture, points out PCI Columnist David Taylor, who had been actively involved in the report’s research. “One of the problems with multiple choice surveys is that it’s hard to present realistic tradeoffs to the respondents. You rarely see a question: ‘Which is more important? Spending $500 on a new network firewall or spending $500 to fix the delivery van?’ But that’s the real issue.”

That’s because data security may be a high priority in the abstract, but compared to “keeping the business running” types of concerns, it typically drops off the bottom of the list of things to spend money on. Why? Because small businesses do not believe they are going to have a data breach.

MasterCard has become the first card brand to publish its PCI fines and related requirements, a move that could be the latest signal that MasterCard wants to step out of the PCI shadow of its larger rival, Visa. The dollars themselves do not reflect a radical change, although they do include some healthy increases.

“The noncompliance assessment structure now contains escalating assessments per violation within a calendar year,” said the document sent to members earlier this summer. “Maximum assessments for initial noncompliance for Level 2 and Level 3 merchants have increased to $25,000 and $10,000, respectively. Furthermore, the $500,000 annual aggregate maximum for acquirer noncompliance assessments related to program noncompliance has been discontinued.”

As more people start paying for goods and services using their phone, rather than a credit card, they are venturing into that ethereal netherworld that is “beyond PCI” – in this case, literally, as their daring actions challenge the Payment Card Industry to drop “card” from their name.

But there’s more to the challenge than semantics, argues PCI Columnist David Taylor. A lot more.

Mobile payments are exciting, no question about it, writes PCI Columnist David Taylor. The very idea of allowing consumers to buy stuff anywhere, at any time, with the touch of a button, gets retail, banking and communications executives to the point where you almost have to hose them down. So, what better way to ruin the party than to bring up security and compliance issues

Actually, the need for this emerging payment “channel” and the specific payment platforms, software and services to be PCI compliant should be obvious, Taylor said. After all, the PCI standards have been around for about 5 years, so one would assume that PCI compliance would be “built in” to mobile payment products and services.

An intriguing blog discussion over at the Verisign security site, with the suggestion made that MasterCard has rapidly started upping its fines for PCI compliance issues. As the post asks, “Who poked MasterCard hard enough to wake them from hibernation?”

“MasterCard traditionally fined post-breach and, in some cases, we learned that MasterCard would fine merchants small, but consistent amounts to get the attention of accountants and finance gurus inside the company,” the post said, adding that times have now changed. ” So Level 1 merchants are being fined, at most, $25K more from MasterCard than from Visa, and Level 2 merchants are being fined a whopping $315K more from MasterCard. If your company is actually made up of multiple Level 2 retailers, this potentially means that you could owe double, triple, or more. MasterCard rolled out another change to acquirers as well and will require newly boarded Level 1 & 2 merchants to provide a compliant ROC from a QSA before they are allowed into the network. So those Level 2 merchants that have been changing processors every year, it finally caught up to ya.”

An E-Commerce software company that, as part of its service for small retailers accepted payment card data and then sent it to various processors, has found itself on the wrong end of a breached company news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses. The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?)

The details include an early PCI attempt to try and walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.

Tesco, Europe’s second-largest retailer, is counting on an army of outside programmers to create applications that will enable easy shopping on its Web site via mobile devices and other interfaces, following a similar move by Best Buy to release its APIs to the developer community. An official with the $85 billion Tesco, the world’s third-largest retailer behind Wal-Mart and France’s Carrefour, detailed the move this week in some Web and blob entries.

“Our customers tell us that to differentiate ourselves we must be proactive, we must inspire them and we must make grocery shopping easier and faster,” wrote Nick Lansley, Tesco’s head of research and development. “Perhaps this new immersive experience needs to be a great mobile phone application or perhaps a 3D virtual store or shopping through the TV set-top box or a third party recipe site where ingredients can be added straight to your basket.”

The new PCI wireless guidelines are helpful, but it could have—should have—gone a few steps farther, opines PCI Columnist David Taylor. For example, one of the technical controls that was introduced with PCI DSS 1.2 is the wireless IDS/IPS. It’s listed as an option, with the other option being to manually carry a laptop around corporate and stores running wireless networks on a quarterly (or more frequent) basis and see whether any networks appear that the security person (if any) does not recognize.

Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.

Small business owners may be too ignorant to ever be PCI compliant. PCI Columnist David Taylor recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs). In each case, the presenters were struggling, trying to figure out just how “basic” to be when explaining PCI compliance.

Pretty darn basic, actually. For example, at the live SME-oriented seminar, after listening to three different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, Taylor had two, not one, but two separate people come up to me and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got Taylor thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples….

Quite a lot has been written recently about the difficulty of quantifying ROI from PCI programs. In fairness, while those concerns are quite legitimate, it doesn’t mean that PCI compliance does not (or cannot) help reduce fraud.

It just means, writes PCI Columnist David Taylor, that the nature of the standard, current metrics, software tools, reporting and established business procedures haven’t been adapted to incorporate the types of controls and reporting that PCI enables. In short, merchants have focused most of their effort (and spending) on getting compliant, but hardly any effort has been focused on the “business by-products” of compliance, such as fraud reduction.

Nevada is making PCI the law and a group of state attorneys general plagiarized it liberally while trying to figure out what to force TJX to do. Like it or hate it, PCI Columnist David Taylor argues, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process.

That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”? Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers. The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.

MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments. There’s no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That’s because of a few issues, especially the confusing rules surrounding self-assessments.

It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic because it could only happen when there was agreement between the retailer’s execs, the acquiring bank as well as the card brand. Heck, if a retailer can get agreement among all three of those groups, there’s no PCI rule that can’t be changed or waived. That’s akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court signs off.

One of the most persuasive ROI arguments used to justify spending thousands (even millions) of dollars on PCI compliance was that implementing all those PCI-mandated security controls would help reduce fraud, as well as security breaches. Merchants have been encouraged to balance their spending costs against the savings due to having fewer breaches and less fraud. In the end, PCI compliance would translate into profits for the merchant due to fewer chargebacks, less internal fraud and a lower risk of security breaches.

It’s a great theory. But as PCI Columnist David Taylor reports, things haven’t quite worked out that way.

Representatives of six of the largest retailer organizations sent a strongly-worded letter to the PCI Council on Tuesday (June 9), asking officially for several major changes to PCI to make compliance an easier goal. The PCI council issued a response, which pretty much amounted to “we like feedback. Have a nice day.”

The letter to the council supported an end-to-end-encryption standard, seek more input from retailers at an earlier stage, give larger chains more time to implement new PCI requirements, let there be a list of the most important elements that really need to be done (rather than insisting on compliance with every one of the “more than two hundred detailed requirements of the PCI DSS”) and allowing retailers to store fewer pieces of sensitive data.

The other day at a security conference on retail and PCI security issues, I was in a group of retailers and saw one retailer ask the other a deliciously revealing question: “Are you still using a QSA?” The entire question is nice, but it’s the emphasis on the word “still” that makes it art. That’s the killer word, as it was designed to make this other retailer feel small.

About a week earlier, at a different conference hundreds of miles away, GuestView PCI Columnist David Taylor witnessed a similar exchange, with a group of about eight retailers and only one said he was using a QSA. And that guy was clearly on the defensive, half-blaming his management for forcing him to still use one.

Is it justifiable to implement a less secure technology if employees’ jobs are preserved in the process? GuestView PCI Columnist David Taylor has noticed a “protectionism” trend when it comes to the outsourcing of payment management for the purpose of reducing PCI compliance scope.

“We’re talking about companies opting to store and manage more credit card and other confidential data than necessary, and we suspect protecting jobs in technology, compliance and finance is the main reason for this,” Taylor writes. “But is this necessarily bad?”

As merchants work to reduce the scope of PCI compliance and the risk due to having credit card data in their environment, some companies are actually taking access to this data away from people who need it to do their job, including the managers who are charged with investigating fraudulent credit card transactions. Instead of PCI controls helping reduce fraud, for some companies, they are making fraud detection more difficult.

“We all know that PCI compliance creates dividing lines,” said GuestView PCI Columnist David Taylor. “Flat networks must be segmented. The number of databases that store—and applications that use—cardholder data needs to be reduced and the number of persons with full card number access needs to be reduced as well. The whole process of separating the “haves” from the “have nots” often leads to arguments and requires extensive justification on the part of those who maintain they must have the ability to see unencrypted card data in order to do their job.”

Retailers need to carefully examine any new “beyond PCI” technical approaches being offered by their processors, as well as other service providers. They need to think about what will be required of them to take advantage of such “end-to-end” security and whether the investment in technology and labor will be transferrable, should they decide to switch to a competitor.

Beyond focusing on avoiding “Beyond PCI Lock-in,” pens GuestView PCI Columnist David Taylor, retailers also need to focus on ensuring that these new security efforts don’t break their existing applications. Some of the tokenization and end-to-end encryption approaches currently (or soon to be) on the market don’t always play nice with existing ERP, CRM and other enterprise applications.

The back-and-forth compliance dance that is being forced upon Heartland Payment Systems took its latest journey through the PCI Looking Glass Friday (May 1), with Heartland declaring that it has now returned to Visa’s list of PCI DSS validated service providers (aka the list of providers that Visa heartily recommends today but will deny ever having heard if they’re breached tomorrow).

The journey began when Heartland was certified PCI compliant April 2008. A few months later, Heartland was severely breached and Visa began its revisionist history dance. Given a public stance that no PCI-compliant merchant or processor had ever been breached, Visa determined that Heartland therefore could not have been truly compliant in April 2008. On March 12, 2009, Visa removed Heartland from the compliant list. But just in case someone might mistake this move as Visa actually caring about security, Visa stressed to retailers that everything was OK and that they were completely safe using Heartland anyway.

For months, retailers and Congress have been attacking retail security standards, but few realize that the problem is not in the standard itself. The problem is a grading system that causes most retailers to be out of compliance most of the time because the rules require 100 percent compliance. How often in school did you score 100 percent?

The system is oriented to forcing retailers to fail, argues GuestView PCI Columnist David Taylor, and it does this by being utterly insensitive to risk, which is surprising because the financial services industry runs on risk management. So if big finance runs on risk management, why are retail payment security rules running away from it?

The reason that so many PCI self-assessments are wrong is that they focus on the mainstream business processes of the company. They often ignore a lot of “back-channel” or “just-in-case” practices that result in card data coming into the company not protected by the various PCI and other data security measures to protect more mainstream applications, data repositories and processes.

GuestView PCI Columnist David Taylor said the problems crop up in easy-to-miss ways and he rattles off three of his favorites.

In its annual report of retail data breach statistics, the forensic analysis group at Verizon Business detail a series of stats that essentially verify what most retail IT execs already knew. This year is no exception, with evidence of breaches that are discovered by accident when they’re discovered at all, successful attacks that used remarkably little sophistication and PCI holes galore.

But there’s something about seeing these conventional wisdoms substantiated with statistics that is comforting, along the lines of “Hey! We were right. But we’re also royally screwed.” With that in mind, some of the more delicious details from this new report, which was published Wednesday (April 15).

In a land “Beyond PCI,” there’s trouble brewing. Issues involving everything from tokenization to end-to-end encryption are being debated and the PCI SSC is hiring a consulting firm to look into the implications of these (and other) technologies and processes.

This all raises the issue of “should retailers wait for the PCI SSC to ‘bless’ or integrate so called ‘beyond PCI’ technologies into the standards?” GuestView PCI Columnist David Taylor’s answer is a profound “no.”