Most merchants prefer the idea of the credit card industry policing itself, versus lawmakers getting involved. PCI Security Standards Council is the industry’s attempt to do just that. But how ecommerce merchants become compliant and meet PCI standards is confusing to many, and the penalty for not being compliant is hard to understand, too. We spoke with Bob Russo, general manager of the PCI Security Standards Council, to help sort out these and other questions.
Practical eCommerce: What does the PCI Security Standards Council do?
Bob Russo: “The PCI Security Standards Council is a body that creates the standards for protecting credit cards globally. This is done through a number of different ways, not the least of which is through constituents that we call ‘participating organizations’ that give us their feedback.
“Since these are global standards, the participating organizations are located throughout the world. And there are things that are specific only in different verticals, but also in different locations globally. All that is taken into consideration as these standards are updated. We go through a life cycle process on each one of these standards and our sole goal is to protect credit card data however and wherever it is accepted. The mantra is, if you store, process or transmit credit card data, you must be compliant with these standards to protect that data.”
PEC: Where does the Council get its funding?
Russo: “The Council is self-funded at this point. There are fees associated with becoming a member of the Council listed on our website. So, if any of your listeners is interested in becoming participants within the Council in helping us evolve these standards and moving forward, I would encourage them to go to the website and have a look at that.
“There are fees for becoming an assessor. We not only vet all of the assessor companies, we train them on a yearly basis. We also do training for anyone who wants to learn about PCI, anything from high level overview training of what the standards are and how they affect you and why you should be complying with them, all the way down to the technical aspects of becoming an assessor and staying up to date with your credentials.”
PEC: Is it fair to say that the major credit card companies — Visa, American Express, MasterCard, and Discover — created this organization to self-police the integrity of credit card data?
Russo: “That is a pretty good description. The PCI Security Standards Council is a perfect example of industry doing a very, very good job of policing itself.”
PEC: Can you explain what it means for an ecommerce merchant to be PCI compliant?
Russo: “Well, first of all, compliance is something that is dictated by each of the credit card brands. They all have separate compliance programs, and they all use these standards as the foundation for each one of those compliance programs. The [credit card companies] require compliance. [The Council] doesn’t require compliance and you don’t report your compliance to us. You report it either to your acquiring bank or to the brands directly.
“We are just responsible for putting together the standards. And, basically, these standards are a series of best practices in the industry. The standards are more related to security than compliance.
“A good way to think of compliance is that we are the people who say you should put deadbolt locks on all of your doors. Once you’ve done that, yes, you are compliant; however, it then becomes your responsibility to lock those deadbolt locks everyday. And that’s really what this is about, security, as opposed to compliance.
“So, if you think of it in the security vein, and you do things that are basically best practices and commonsense, compliance comes along as a byproduct.”
PEC: Do all ecommerce merchants that accept credit cards need to be PCI compliant?
Russo: “The rules that the credit card brands put out in terms of compliance are, if you store, process or transmit credit card data, you must be compliant. Regardless of whether that’s one credit card or one million credit cards, you must be compliant with the standards.”
PEC: By a recent Practical eCommerce estimate, there are more than 600 online shopping carts, but only about ten percent are officially listed as PCI approved. What do you make of that?
Russo: “I think that should put a caution flag up for ecommerce merchants. One of the first things that they should do is ask their service provider or shopping cart developer if they are compliant with PCI. If they say no, as an ecommerce merchant, I would want to know why not. And I would seriously consider not using something that is in fact not compliant with the standard.
“I mean you’re really taking a big chance with your business at that point. There is the specter of remediation that has to take place. There is the specter of a fine. The biggest issue is your reputation. If you suffer a breach, you may have a lot of customers who will tend not to come back and shop with you. That’s absolutely the worst thing that could happen to any merchant.”
PEC: Even some cart providers seem to be confused about PCI compliance. Is there a way for merchants find out whether their cart providers are approved, besides asking their cart providers?
Russo: “A good rule of thumb is if you don’t see it on our list, chances are they haven’t started anything. I would liken it to buying a car and saying, ‘Okay, where are the airbags in this car?’ and your salesman says, ‘We are putting airbags in this car and when we deliver the car to you. It should be there anytime, but right now I can’t show you a model with airbags in it.’ I would run for the hills. I would want to see proof that these people are PCI compliant.
“We’re talking about my [the merchant’s] business now. The application vendor is not the one that’s going to get a fine or lose the customer, it’s going to be me [the merchant]. So, ultimately, I have to take the responsibility for my own business.”
PEC: There is a list on a separate website for approved hosted carts or service providers, and then approved licensed carts — “payment applications,” to use PCI’s term — are found on your site. Where should a merchant go first?
Russo: “Probably the easiest is to go to the PCI Security Standards Council website. These listings are all there. Our website has just recently been redesigned so it’s easily navigable, especially for smaller merchants.
“If they don’t find what they’re looking for, they can send an email to anyone at the Council, including just inquiries at the Council. There is an FAQ available on the website. If you begin to type a question and it has an answer, it will bring it to you. If it doesn’t have an answer, it will throw you into a question queue and allow you to ask that question.
“But if you don’t want to go through that, send me an email at: firstname.lastname@example.org. I can let you know if something is in the queue, or going through the process of being assessed and information has been submitted to the Council, or if you are on a particular application. I can give you information on where to find what you’re looking for, to cut through all of the sales pitches and get down to the real brass tacks of protecting your credit card data.”
PEC: Although there is a lot of talk about having to comply with PCI standards, there don’t seem to have been any real ramifications for non-compliant merchants to date.
Russo: “I totally disagree. You’re playing Russian roulette here with your business. While there might not be a validation requirement (which is to say that you may not have to prove to anyone that you are PCI compliant), if in fact you suffer a breach and you are found not to be compliant at the time of this breach, then there are tremendous ramifications.
“There are fines, and for a small business, a fine could literally put them out of business. There is the specter of customers walking away because they’ve either figured out, or — with our breach notification laws — someone has told them that the breach occurred at the merchant’s site. There’s the specter that they will not shop with the merchant anymore because they feel like you [the merchant] are not keeping their information safe, whether it be credit card information or personal information. It’s a really big issue. Are your readers willing to play Russian roulette? They’re the only ones who can answer that question.”
PEC: Have there been breaches where a merchant is not compliant with the PCI standards and that noncompliance has caused a merchant to incur additional penalties?
Russo: “Absolutely. Hundreds and hundreds of merchants have had breaches and been found to have not been compliant at the breach and have suffered losses. And not just the big ones, but also the small mom-and-pop shops that are doing business online.
“There is the specter of going out of business. I mean it is that serious. Last year I think there were 600 or so reported breaches. There are breach surveys that are done, that are put out by [forensic companies]. Verizon, as an example, puts out a breach survey based on all of the breaches that they have investigated in the past year. There are a number of forensic companies out there that are investigating these breaches; and not just the big ones, the small ones as well.
“You’re talking literally hundreds, if not thousands, of breaches that occur because people are not doing the very simple, basic things that they need to do in order to protect this data. You should really think about these standards as a baseline and not the ceiling. I mean this is the bare minimum that you should be doing, just as good business practice is to protect this data.
“There are breach statistics that are put out by a number of forensics companies. [I mentioned] Verizon. Another is Trustwave, one of our QSAs that put these out.
“[You can have] some kind of a bot on your system that’s looking for breaches, or go to Google and key in ‘credit card breaches for 2010’. It will bring up a huge list of what’s there.
“YouTube has got videos put out by a number of different organizations talking about smaller merchants. One video put out by an organization called RSPA (Retail Solutions Providers Association) is about a poor provider who owns a restaurant. He got breached and suffered fines and costs in the six-figure range. For a small restaurant, it almost literally put them out of business. So, this is serious stuff.”
PEC: That video you mentioned is a industry-produced, correct?
Russo: “Yes, it is produced by resellers.”
PEC: We understand there are some open seats on the governing board of the PCI Security Standards Council. Please tell us about that.
Russo: “We are about to open a culmination period for our board of advisors. Our board consists of 21 advisors globally, because it’s a global standard that represents all different vertical industries as well as all global sectors, so we cover the entire world.
“You can nominate yourself if you are one of those participating organizations within the Council. We currently number over 600 of these participations in the Council. Any one of your readers can join. It’s not expensive at all. There are a myriad of benefits that you will reap by being a member of the PCI Security Standards Council. There is more information on our website.
“Once we have gone through this nomination process for about a month, those 600 or more participating organizations begin voting online, and the advisors are elected for a two-year term.
“To give you an example of some of the people that currently sit on our board right now, we’ve got Bank of America, Barclaycard, Chase Paymentech, Citrix, Exxon Mobil, First Data, JPMorgan Chase, Lufthansa, McDonald’s, MICROS, PayPal, TSYS Acquiring Solutions, VeriFone, Walmart, Bank of Scotland. It is a very diverse group of people and we rely on them heavily to give us information on how to update these standards throughout the years.”