Retail group takes a swipe at PCI, puts card companies 'on
notice'
Jaikrishna Vijayan
October 04, 2007 (Computerworld) Simmering discontent within
the retail
industry over the payment card industry (PCI) data security
standards
erupted into the open this week with the National Retail
Federation
(NRF) asking credit card companies to stop forcing retailers
to store
payment card data.
In a tersely worded letter to the PCI Security Standards
Council, which
oversees implementation of the standard, NRF CIO David Hogan
asked
credit card companies to stop making retailers "jump
through hoops to
create an impenetrable fortress" to protect card data.
Instead,
"retailers want to eliminate the incentive for hackers
to break into
their systems in the first place."
"With this letter, we are officially putting the credit
card industry on
notice," Hogan said in a statement. The NRF, a trade
association whose
membership includes most of the major retailers in the U.S.,
is the
national voice for about 1.4 million U.S retail
establishments.
In an interview with Computerworld this morning, Hogan said
the letter
was provoked by a "lot of frustration" in the
industry about PCI
guidelines and the deadlines associated with implementing
them. If the
goal of PCI is to protect credit card data, the easiest and
most common
sense approach is to stop requiring merchants to store the
data in the
first place, he said.
PCI is a data security standard mandated by Visa
International Inc.,
MasterCard International Inc., American Express Co.,
Discover and the
Japan Credit Bureau. It requires companies to implement a
set of
prescribed security controls for protecting cardholder data.
Though the
requirements went into affect more than two years ago, a
large number of
big retailers are still noncompliant because of a variety of
issues that
include legacy system challenges, rules interpretation
issues and
continuously evolving guidelines.
According to Hogan, credit card companies require retailers
and others
accepting payment card transactions to store certain card
data sometimes
for up to 18 months so that it can be retrieved in the event
of
chargebacks and other disputes.
But rather than have thousands of retailers store the data,
credit card
companies and their banks should do so, Hogan said.
Retailers only need
an authorization code provided at the time of a sale to
validate a
charge, and a receipt with truncated credit card information
to handle
returns and refunds. If that were done, he said, most
retailers probably
wouldn't store any cardholder data.
According to Hogan, under the current process, credit card
companies and
their banks already have the information needed for
retrieval purposes
and it should be their responsibility to store and protect
the data. "It
is a very fundamental shift. But if you think about it, it
is a very
common-sense approach."
PCI mandates are challenging retailers to build fortresses
around credit
card data, he said. "We build these higher walls and
the hackers bring
in taller ladders and this kind of keeps scaling up all the
time."
Gartner Inc. analyst Avivah Litan said that the NRF letter
makes a
"sound argument.
"It's totally reasonable to tell the banking system and
payment system
that 'we don't want to store this data anymore,'" she
said. "If they
aren't storing this data, many of these [PCI] requirements
go away and
the scope of the compliance effort is much more restricted.
In an e-mailed comment, Bob Russo, general manager of the
PCI security
standards council, said the body received the NRF letter
yesterday and
will respond after reviewing it further. "However, it
must be recognized
that the payment brands -- and not the Council -- operate
the systems
underlying the payments process, as well as the compliance
programs. Because of this, Mr. Hogan should be directing his
concerns to
those individual brands."
Jon Hurst, president of the Retailers Association of
Massachusetts,
backed the NRF's position. With all of the attention paid to
PCI, what's
gone unnoticed is the fact that card companies themselves
require
certain amounts of data to be stored because of disputed
transactions,
he said. If not for that requirement, many retailers --
especially the
large ones -- would probably not keep data and therefore
wouldn't be
pressed to secure it, he said.
Prat Moghe, founder and CTO of Tizor Systems Inc., a
Maynard,
Mass.-based security firm, called the NRF's demand political
posturing
and said it would do little to improve retail security
anytime soon.
"I think a lot of this is about moving culpability back
to the credit
card companies and saying don't make this my problem
alone," Moghe
said. "They seem to have realized that going on the
defense as an
industry doesn't help. There is just more and more they have
to do." By
speaking out aggressively at a time when retail industry
information
security practices are under scrutiny by consumers and
lawmakers, the
NRF is hoping to spread the liability for card data
protection, he said.
Even if the NRF's demands were immediately met, it would
take several
years before retailers could purge their systems and
applications of
credit card data, he said. Over the years, retailers have
collected and
stored credit card data in myriad systems and places --
including
relatively old legacy environments -- and they are just now
realizing
the data can be a challenge, he said. Purging it can be a
bigger
headache because the data is often inextricably linked to
and used by a
variety of customer and marketing applications; simply
removing it could
cause huge disruptions.
"We are not talking about one isolated system that
stores all this
data," he said.
Until retailers can get rid of the data, they will need to
continue to
implement PCI controls, whether they like it or not, Moghe
said.
Under PCI, credit card companies have also already been
pushing
retailers to purge their systems of some customer data,
including the
card verification codes and PIN block data that is stored on
magnetic
stripes on the back of payment cards.
According to Gartner Inc., Visa last year levied more than
$4.5 million
in PCI noncompliance-related fines. At least some of that
was aimed at
companies that were storing prohibited card data on their
systems.
The NRF letter comes just days after the passage of a major
Sept. 30 PCI
deadline after which merchants face fines ranging from
$5,000 to $25,000
for noncompliance. Up to now, most of the fines levied have
been on
breached entities or on companies that kept prohibited card
data.
------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomo metzdowd.com
|
On Thu, Oct 04, 2007 at 06:48:49PM -0400, Leichter, Jerry
wrote:
> Prat Moghe, founder and CTO of Tizor Systems Inc., a
Maynard,
> Mass.-based security firm, called the NRF's demand
political posturing
> and said it would do little to improve retail security
anytime soon.
>
> "I think a lot of this is about moving culpability
back to the credit
> card companies and saying don't make this my problem
alone," Moghe
> said. "They seem to have realized that going on
the defense as an
> industry doesn't help. There is just more and more they
have to do."
Amazingly, Tizor Systems does PCI reviews (actually they
entirely seem
to do C&A work), and I'm sure Prat would prefer to see
the PCI gravy
train stay around. (I don't know the current state of the
industry,
but when I was working in a consulting group 2004-2005, PCI
reviews
were our most profitable engagement type by a large margin -
and
non-technical enough that you can put a person with a few
months of
security training on them and they'll do fine).
-Jack
------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com
|
