August 01, 2007

Standards - Retailers Not Exactly Where Visa Wants Them?

Nice article on status of PCI compliance and how retailers and Visa stand in relation. This situation is beginning to be compounded in complexity by the issuing of stored value cards (Subway noted in sub-article). Storing full data from the magnetic stripe card is still considered the most dangerous offense.

Retailers Not Exactly Where Visa Wants Them to Be
By Evan Schuman, Ziff Davis Internet
July 31, 2007

When Visa on July 30 released its latest PCI compliance statistics, it showed small but steady progress, with slight increases in most areas. But it also showed that there is still a small handful of major retailers who are still retaining prohibited credit card information.

Visa stressed in its statement that the vast majority (96 percent) of Level 1 and Level 2 merchants—a category including virtually all of the nation's largest retailers—have written to Visa that "they are not storing sensitive account data" including credit card security codes and PINs.

But given that Visa has said that there are 1,057 retailers in that group (327 Level 1 U.S. retailers and 730 Level 2 retailers), that four percent suggests that about 42 major retail chains aren't even claiming that they've stopped retaining that data. Visa estimates that the 96 percent relates roughly equally to both groups, suggesting about 13 retailers in the Level 1 group (with the very largest retailers) and about 29 in the Level 2 group.

Click here to read more about PCI confusion aggravating retailers.

Gartner security analyst Avivah Litan expressed particular concern about the Level 1 retailers who are still retaining the prohibited data. "Even if it's just 13, that's way too many," Litan said, adding that if 13 are saying that they still retain the prohibited data, the actual number of retailers who are doing so is likely much higher.

Of all of the PCI security areas (including encryption, wireless detection methods, not retaining old transaction data, etc.), Litan argues that Visa considers retention of prohibited data to be the most serious. "That’s the data the banks really care about," Litan said. "If the crook steals the data from the [magnetic] stripe, they can make a perfect card."

Litan said that when she met with Visa officials in October 2006, they reported that only three retailers were then saying they were still storing the data, which is less than one third the number apparently reporting that today.

“We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially,” said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA, in the Visa statement. “By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure.”

Why are some major retailers still holding onto this information, which likely is of little to no marketing or analytical value to them? "In the merchants' defense, it's very costly to change their systems," Litan said. "For a Level 1 retailer with 500—and sometimes 10,000—store locations, it's not that simple to change POS systems."

Eduardo Perez, vice president, payment systems risk, Visa USA, agreed that cost can be a key factor. "It can require notable resources to change or upgrade payment applications," Perez said. "It can pose some notable challenges."

But he saw the usage of some non-compliant payment applications as a much bigger culprit, which is why Visa has distributed names of those ISVs to key retailers. Visa has refused to identify those ISVs because they fear that doing so might help cyber thieves zero in on those customers.

"It's the payment application that is causing the merchant to store track data," Perez said.

There's also the distinct possibility the numbers might be far worse. The Visa statement suggested that the percents referenced came from retailer declarations to Visa, as opposed to audit results. If that's the case, the question isn't actually getting at whether the retailer stores the prohibited as much as whether the person filling out the form believes the data is being retained.

The complicated enterprise networks today allows many copies of these numbers to be scattered in various departments: store operations, marketing, IT, accounting, etc. This raises the question of whether copies of the prohibited data aren't floating around somewhere, well beyond the knowledge of the IT manager filling out the form.

"How do they know they’re not? If you were to ask me, 'Are your doors locked?', I'd say 'Of course they are.' That is, until I find one that isn't," said Mark Rasch, a legal security consultant with FTI Consulting and the former head of the U.S. Justice Department's high-tech crimes unit. "This is the equivalent of going out to the top 100 companies and asking, 'Are you violating any securities laws?'" Special Report: Protecting Data

Visa also released on Monday the latest compliance numbers for its Payment Card Industry Data Security Standard (PCI DSS), which showed slow but steady improvements in all areas. These results are based on audited results.

Level 1 includes any merchant processing more than 6 million Visa transactions per year, regardless of volume or acceptance channel. Level 2 includes any merchant that processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel. Level 3 are retailers that process 20,000 to 1 million Visa e-commerce transactions per year and Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year as well as all other merchants processing as many as 1 million Visa transactions per year.

The figures for July showed that 40 percent of Level 1 retailers were compliant, that's up from the 35 percent compliance rate for that group that Visa reported in May 2007. In May 2006, the compliance rate for that group was 18 percent.

The new July 2007 figures for Level 1 retailers showed that an additional 50 percent have pledged to repair security holes, a process known as filing a ROC (Report On Compliance).

Back in May, Visa reported that 51 percent had been involved in the ROC stage, a slight one percent increase that is more than made up for by the increase in actually compliant Level 1 retailers. That July figure leaves 10 percent that are neither compliant nor pledging to be compliant, a sharp drop from the 14 percent Visa reported in May.

With the somewhat smaller Level 2 retailers, the July figures showed a 33 percent compliance rate—up from 26 percent in May—and the smaller Level 3 retailers showed 52 percent compliance, just slightly up from the 51 percent that Visa reported for that group in May.

Visa didn't release any figures for its Level 4 retailers, but Visa's Perez said, "We know that compliance is low." Visa is expecting to have more specific numbers for that group soon.

Rest of article

Posted by staff at August 1, 2007 07:18 AM