According to a survey by Visa, some 38 per cent of medium-sized retailers and 23 per cent of large retailers are falling short. All of them have to comply with the standard as it has the backing of the credit card companies’ standard-setting body, the Payment Card Industry (PCI). But retailers can find it difficult to comply with PCI DSS because the credit card companies keep changing the standard, according to Matthew Tyler, PCI practice manager at Evolution Security Systems.
The standards-setting body changed the self-assessment questionnaire (SAQ) that medium-sized retailers use to discover whether they are compliant on 6 February this year. The new questionnaire has a different process for each retail channel. Since the new SAQ was published, retailers have had to follow up to five different processes before they can prove that they are DSS compliant across every channel.

“PCI standards are developing and changing all the time. However, most retailers are not aware of the changes to the SAQ. If they don’t get up to speed, they run the risk of wasted effort, extra compliance costs and, potentially, not meeting PCI standards,” says Tyler.

Retailers have been working towards compliance with the standard since September 2006, when PCI DSS was first published by the standards-setting body, notes Jeremy Pizzala, director at Verizon Business. “Speculating as to whether merchants are more or less compliant is somewhat of a redundant exercise. When it comes down to it, PCI compliance is more like an exam in which a pass is required, rather than one where A-F grades count. Many credit card providers are taking a carrot and stick approach to motivating retailers to comply with the requirements of the PCI DSS, in the form of programmes and incentives to have their systems assessed and the threat of heavy fines and the potential imposition of deadlines.”
To comply with the standard, retailers are tasked with meeting 12 requirements, all of which involve extensive work on their computer systems. They must make their networks secure, set their own security parameters, such as system passwords, protect cardholder data, and encrypt the transmission of cardholder data as it travels across networks. They also have to use anti-virus software, develop secure systems, and maintain an information security policy.

The credit card companies have been criticised for making it harder for medium-sized retailers to comply with the standard. The PCI Security Council should start publishing compliance status reports and frequently asked questions every quarter, according to Avivah Litan, an analyst at Gartner. “The PCI Security Council’s communications processes remain poor, and retailers still have far too many unanswered questions about PCI DSS requirements. For example, there is considerable confusion about the implications of outsourcing arrangements on the scope of PCI compliance efforts and how to adequately segment networks to reduce the scope of compliance activities,” says Litan.
Retailers that outsource the storage of cardholder data do not need to encrypt data or monitor access to data because all the information covered by the standard is stored outside the retailer’s computer systems. “The PCI DSS remains unworkable for smaller merchants with limited payment card-related infrastructure. There is a concern that many merchants have had to deal with compliance processes and questionnaires that do not apply to their environments.” The standard could, meanwhile, help some retailers to rationalise their systems by forcing them to separate applications containing cardholder data from applications used for different business purposes, says Gareth Leggett, a programme manager at Verizon Business.
“The intent of PCI DSS is not only to protect the data that is being stored, but to reduce the amount of data that is being stored. By removing cardholder data from a system, you remove it from the scope of PCI DSS,” he observes.