Why Merchants Struggle with PCI

PCI Council: 'It's a Matter of Resources'
Not so, says Bob Russo, general manager of the PCI Security Standards Council, responding to a critical new study from Verizon, which this week released an update to its Payment Card Industry Compliance Report.
"I don't think they are ignoring them," Russo says. "It is a matter of resources. What we do know is that PCI-DSS is the foundation, the floor, not the ceiling, for security efforts. If you build layered security on top of that, you are in a better position to protect your data."
According to Verizon's new report, a majority of businesses have made little progress toward improving their payment security practices over the last 12 months. For the second consecutive year, small businesses in the U.S., Europe and Asia continued to fall short when it came to ongoing compliance.
"Are more breaches possible? Honestly, I think it's a real possibility, unless these organizations get serious," says Jen Mack, director of PCI Consulting Services for Verizon.
But Russo says it's not just the merchants and businesses that accept payment cards that need to be held accountable. Every player along the payments chain, from the card issuer to the processor, has a role. "Everyone plays a role in protecting card data," he says. "I think we see a growing effort by all these groups to develop awareness programs to help merchants adopt the PCI Standards."
PCI Progress

Russo also is quick to point out that PCI-DSS compliance has come a long way over the last five to six years, especially among high-volume merchants, those that fall in levels 1 and 2, a ranking based on the number of card transactions they conduct.
"The next logical area is the levels 3 and 4 merchants," he says. "Our ultimate goal is to try to investigate and educate on ways to reduce the scope of the card-data environment these guys have to protect, making their PCI compliance efforts easier to deploy and more effective. And SMB [small business] security is a topic our stakeholders have told us is important to them - one of the key focus areas proposed by them to be explored as a special interest group in the coming year."
Mack says partnership among merchants and vendors, core processors and sponsoring banks is a crucial piece of the PCI puzzle. It's one reason the PCI Council's push to regularly issue supplemental guidance about emerging technologies will play a key role in getting smaller merchants and businesses compliant.
"Small merchants don't really need to understand PCI," she says. "What they need are solutions and technologies that remove the cardholder data from the environment." But they need assistance from vendors in order for that to happen.
"All of these emerging technologies coming on the market are good," Mack says. "But not all of these solutions have been proven or tested. That's where the guidance from the PCI Council helps offer some baselines for compliance."
Education is Key

Through special interest groups, which Russo calls SIGs, the council is striving to demystify some security concerns surrounding emerging technologies. "Technology and security are complementary, and must go hand-in-hand. Our most recent guidance on P2PE [point-to-point encryption] that defines the necessary criteria for using this type of solution to protect payment card data is a great example of how merchants can make use of these technologies to simplify their PCI-DSS compliance efforts. ... We are trying to make security simpler and more effective."
Layered security is a necessity, but so is strategy. "One of the most significant moves we've made in the last year has been to introduce the Internal Security Assessor program," Russo says. "These folks work in-house in an organization and receive the same training as a QSA. Our hope is that by having these internal PCI experts, we are better positioning organizations to not only get secure, but stay secure on an ongoing basis."
But Mack says banks need to do more to partner and educate the merchants they work with, as well. Merchants cannot be expected to do it all on their own, and Russo agrees.
"Education is one of our primary focus areas, and we'll continue to expand our outreach globally," he says. "We are seeing awareness and adoption increasing globally."
The Risk of Breach

The PCI Prioritized Approach to PCI-DSS, a document the council has put together to help organizations address security gaps and breach risk, can help out-of-compliance companies improve their security.
But Russo has his own concerns: improvements are still needed, and the threat of breaches that expose cardholder data is real. Non-compliance with PCI-DSS has proven time and again to be the No. 1 reason card data is exposed during a breach. "Small merchants, particularly franchised hotels and restaurants, continue to be the most vulnerable and targeted by hackers," Russo says. "As such, we must remain vigilant as a community in helping small merchants address common and often relatively simple security gaps."
That truth played out over the summer, when a database breach linked to Margarita's, a Mexican restaurant in Texas, led to the exposure of at least 200 cards. In Margarita's case, the compromise resulted from a network hack at a third-party vendor that handled credit and debit transactions for the restaurant. Gaps in PCI compliance were blamed for the breach.
"PCI-compliant organizations are less likely to suffer data breaches, and this study bears that out," Russo says. "While the council doesn't have anything to do with compliance, we have made a strong effort to build relationships with associations within those industries most affected by breaches to help them understand how to better protect their data. We are definitely working with more verticals to spread the PCI gospel."
And some of the efforts are working. Despite continued struggles among smaller merchants, card-data breaches are declining. "Breaches happen. Advanced attacks are increasing. But, overall, we are seeing fewer large-scale card data breaches in the marketplace," Russo says. "I think we are actually making headway, especially when we look at this in the context of where we were five years ago."