Editor’s note: Payment Card Industry compliance is a requirement for virtually all ecommerce merchants. But it’s also a complicated and confusing topic. With that in mind, Practical eCommerce is publishing a series of articles aimed at answering merchants’ questions on the issue.
In today’s article, we get answers from the chief technology officer of the PCI Security Standards Council, Troy Leach. In his role with the Council, Leach has developed and implemented a comprehensive quality assurance program. Prior to joining the Council, he led the incident response program at American Express. In that position, he reviewed more than 300 cases in which account data had been compromised. Over the past 15 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.
If you have a PCI compliance question, email Kevin Patrick Allen, contributing editor, at firstname.lastname@example.org and we’ll attempt to address it.
Practical eCommerce: There seems to be some confusion among merchants we talk with about who’s really at the head of the whole PCI compliance issue. So, why don’t we begin by talking about the council? How did it come about, who created it, and what is its role?
Troy Leach: “PCI Council was formed back in 2006 by the five major payment brands, that being American Express, Discover Financial, JCB, MasterCard International, and Visa
Inc. The Council’s objective is to create a standard body and security framework for how cardholder data needs to be protected, whether it’s being processed, whether it’s being stored, or whether it’s just being transmitted over a network. Over the last 10 to 15 years, we’ve had more and more sophistication with attacks against cardholder data. And the card brands independently developed their own security programs to protect that cardholder data.
“In 2006, they decided to come together to ease that effort of compliance on the part of the merchant by having an industry-accepted best practices and requirements for how that data should be protected.
“So, while each of the individual payment brands still maintains a compliance program, now the merchant has an opportunity to have a clear voice as to what those requirements should be and how they can demonstrate that compliance to its merchant bank or the payment banks directly.”
PeC: Merchants we’ve spoken to and received comments from are confused about what they need to do. Is there a general list of compliance standards that merchants can just kind of check off? Is there a relatively simple checklist they could go through?
Leach: “It depends on their business model. For some merchants, that process is very simple and for others that have a more complex network or complex business structure, then the requirements may become a little more difficult to at least validate. So, I’ll walk through a couple of examples if I could.
“First, if I were a merchant that outsourced all of my processing to a third party and that third party could demonstrate to me that they had some form of PCI compliance validation already, my effort to demonstrate PCI compliance to my merchant banks would be very simple. I would have a limited subset of activities that I would have to do.
“On the other hand, if I were developing my own applications to process credit card information, if I was managing my own network that transferred the sensitive information, my obligations would be higher and I would be obligated to what we call the PCI Data Security Standard and that is a standard that is intended for merchants and service providers. Anyone that processes cardholder information has to adhere to the Data Security Standard. There are a few other standards that the Council also manages that may help a merchant in that process. The Payment Application Data Security Standard is intended for payment vendors that develop these commercial products. So, if I’m a merchant purchasing a commercial product [to process or store credit card information] and I’m looking to reduce my PCI compliance efforts in data security standard, I could go to the Council’s website, for example, and look at those applications that have gone through that process, have been validated against the Payment Application Data Security Standard, and that will reduce my overall effort to become PCI compliant [if I use one of these approved vendors].”
PeC: One thing that we hear from merchants is anger and frustration that they have to jump through hoops for an issuer, such as Visa, or a merchant account provider, such as Bank of America. And they resent the looming threat of fines. The other side of it is that we hear people say, “Well, something had to change. There needed to be some kind of regulation in the industry. Otherwise, the customer is at risk of a data breach.” You’ve dealt with all the parties here. How do you try to find some middle ground?
Leach: “That’s a great question because merchants–especially when they first hear about some form of requirement that they have to demonstrate–have frustration. We call it ‘the five stages of grief’ within the Council because there’s probably a lack of understanding why this is so critical for the industry. What we hope to accomplish over the next few years is more understanding and education with merchants that this doesn’t necessarily have to be a large consumption of time on their part if they take the appropriate steps to secure cardholder data.
“I’m seeing a trend, especially among the smaller merchants. They’re recognizing they don’t have a dedicated IT shop in house. They don’t have dedicated security staff that can support ongoing security. What they need to do is to outsource to a service provider that has that security skill set that has that fundamental understanding of just how a payment process works.
“Most merchants are apathetic to how the process works, right? They want to receive the customer’s card information, they want to process it, and they want that money to show up in their bank. The details of how that process works and the security for that process, they hope are in place, but really it’s not their core business. And so, what I’m starting to see is the smaller merchants’ interest in finding ways to reduce their footprint and cardholder data. We see smaller merchants just asking a very good basic question, ‘Do I need this cardholder information?’ And very often the answer is ‘no.’ And so there are opportunities to restructure their processing model so that even the effort to become PCI compliant is very easy.
“I see a movement in the industry that smaller merchants are going to depend on those in the industry that have the security know-how, have that payment processing knowledge, and can leverage that for a larger group of smaller merchants.”