PCI Compliance: An Updated Version Of The Newlywed Game

Written by Todd L. Michaud
July 21st, 2010
Franchisee Columnist Todd Michaud has a little game he likes to play when meeting QSAs. It's called "Is It Compliant?" In this game he provides the QSAs with a fairly common situation in his restaurants and asks them to tell him if they think it is compliant or not. It doesn't matter if these QSAs are under contract (paid) or if he just bumped into them at an industry event. They could be doing a full audit or an assessment, providing paid-for advice or shooting the bull over a beer.

To date, Michaud has not received three answers in a row that match. He encourages StorefrontBacktalk readers to play his game at home: find a few different QSAs and ask them some tough questions. Here are some fun ones to get you started.


4 Comments

  1. Walt Conway Says:

    As StorefrontBacktalk’s resident QSA, I thought I’d be the first to take Todd’s bait.

    Let’s remember that PCI or any standard cannot and should not explicitly address every possible configuration or situation explicitly. And by the way, you should not want it to.

    QSAs are taught during our training that there is room for interpretation. We need to use our best judgment. There are business requirements to consider. There is new technology or changed configurations that may make yesterday’s “yes” be a “no” today, or vice versa.

    I don’t think you or any merchant would be happy with a DSS that spelled out every single situation, stipulated every technology, or was similarly cast in stone. We would not have compensating controls, for example, and almost all large retailers and processors have at least one of these. And how many standards admit that the world changes, so they actually publish a lifecycle and give advance notice before merchants have to implement changes?

    Lawyers can interpret laws differently; highly trained and educated doctors can disagree with the diagnosis of other equally trained and educated doctors. Is it surprising that every QSA might not have the same conclusion when faced with a complicated situation? I know my colleagues and I have regular assessor meetings where we ask each other for opinions or interpretation of particular situations. Does this make us incompetent? I don’t think so. I think this reflects the complexity of the payment environment and the weird brew of new, old, and downright obsolete technology we encounter daily.

    If you are frustrated by the room for interpretation in PCI today, you would be even more frustrated if it were a straightjacket. Heaven knows – and every QSA does, too – PCI is not perfect, but it is pretty good and it’s the best we’ve got.

  2. Todd Michaud Says:

    Hey Walt!

    I want to clarify a few points that I was trying to make.

    First, with your analogy about laws and lawyers, you have to understand that most laws are negative enforcement. Meaning, they tell you what you “can’t” do. That is not true of the PCI-DSS. In many cases, this policy states the things you “must” do. While subtle, this changes the impact of a judgment call quite a bit. Being specific about what is bad, and having everything else as good, is much easier to enforce. Sure, there are different people who interpret laws differently, but they are all working to see if someone was “too bad,” and not whether they were “good enough.”

    And I think that you would be surprised by the fact that I would want a much higher level of specificity in the standards. Unlike many of my retail brethren who are faced with this issue, I am not a large retailer, I am a loosely tied-together band of small retailers. Each one of these retailers has their own systems and their own processes.

    Most of these merchants do not have their own IT staff. Without specificity and without local IT resources, the result is likely to be poor, and you force a restaurateur to interpret policy they do not understand and implement technology/policy without a lot of understanding of how it works or why it works.

    And since many of my franchise agreements were written before the time of electronic payments, I do not have any contractual relationship with them in the area of PCI compliance. I can educate, suggest and recommend, but that is about it. I rely heavily on the rest of the payment ecosystem (largely the Acquirer) to lay down the law.

    I would benefit greatly, not from specific technologies called out, but from things like: “Do not use your POS for non-POS and payment activities.” That isn’t saying you have to use a certain technology stack, it’s a deeper level standard without going overboard.

    Also, please don’t take my column as a rant about the QSA industry; it was not intended to be so. I think that QSAs do the best job that they can, working within a flawed system. We would all benefit if the system were more clearly defined.

    Thanks for jumping in!

  3. PCIJeff Says:

    I think your legal analogy is a good way to look at this situation and ask yourself this question – would you go into court represented by a lawyer with only a few days of training? Of course the answer is no, but when you hire a QSA you are getting a security consultant that has only 3 to maybe 6 to 8 days of training from the PCI Council (initial training is now 3 days and recertification is 1 day). Yes, the PCI Council says that a person must have a minimum number of years’ experience, but I know of many QSAs that are actually sales people and have never implemented any security products and never performed a security assessment.

    Now don’t get me wrong, I know of many very good information security consultants that are QSAs, but even these people do not get any support from the PCI Council when they have questions. I would suggest you send the question you ask QSAs to the PCI Council and see what answer you get back. I would also like to suggest Walt send the same question and then compare answers.

    Based on my past experience your answers should read something like “because of your complex environment we suggest you contact a QSA for assistance”. Walt’s answer should look something like “we empower you as a QSA to review your client’s environment and make the determination yourself”. Also understand that these responses from the PCI Council usually take 6 to 8 weeks to come back to you.

    The problem clearly is with the PCI Council and their ineffective standard, lack of training for the QSAs and lack of support to people that have questions on how to interpret the standard. The QSAs are merely trying to do the best they can for their clients with the limited amount of support they receive and an ineffective standard. My suggestion is that you find a good QSA and partner with them to address the inconsistencies in the PCI standard and reach an agreement on the best interpretation for your environment.

  4. Chris J Says:

    Part of the issue here seems to revolve around the mentality of “compliance as a requirement” rather than “security as an initiative.”

    While I am new to the world of compliance, it is clear to me that compliance is the minimum of what a company should do to protect their business and customers. So just because you ‘can’ do something and be compliant, does not mean that you ‘should’ do that. To go back to Todd’s first question – Is a retailer allowed to run other applications on the POS server if that server processes integrated credit card transactions with PA-DSS certified software? The answer might be ‘Yes, they are allowed.’ However, the more important question that I feel merchants should be asking QSAs is “Am I more secure running other applications on the POS server, or restricting usage to POS/payment applications?”

    The PCI DSS needs to be flexible to account for the vast number and variety of businesses that fall under its umbrella. It is up to the merchants themselves to take responsibility and enact some common sense to decide just how secure they want their business to be.

    Analogy Corner:
    The law says you cannot drive drunk -
    If you go to a bar and you’re worried about compliance you say, “Tell me how many drinks I am allowed to have before driving.”
    If you go to a bar and you’re worried about security you don’t drink.

    PCI DSS gives businesses guidance and a baseline for security but allows a merchant the freedom to choose just how secure they want to be.
