PCI DSS: An Acquirer's Guide to PCI Compliance Best Practices
As deadline dates for PCI compliance loom for Level 1 and 2 merchants, the number of questions about guidelines and methods for achieving that compliance keeps growing. Though the broad outline of compliance areas is clearly defined, not only by the card associations but by acquirers as well, the intricate steps within steps of those areas are proving bothersome for some.
Most acquirer and Independent Sales Organization (ISO) Web sites dedicate a whole page to the PCI compliance steps, but from the standpoint of merchants working with a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), once the drill-down into the 12 steps begins, the security issues become painstakingly specific. For many, that is what makes PCI DSS a more thorough standard for protection, like its cousins HIPAA and FISMA, but for others it proves to be a no-win situation for gaining compliance.
Recently, in a PCI compliance seminar hosted by Visa, the most common security holes leading merchants to flunk their audits were listed as follows:
- Unpatched systems
- Poor password policies and enforcement
- Insecure services on servers
- Insecure default settings, such as unencrypted wireless connections
- Poorly coded, web-facing applications that allow SQL injection
- Storage and location of prohibited data such as account numbers, CVV2 and PINs
Adding to this, in a recent blog article entitled "PCI Compliance: The Dog Chasing the Tail," its author, software security consultant Robert Rachwald, discussed the challenges for merchants trying to avoid a non-compliant status with their auditor and ultimately with their acquirer.
"First, 'Poorly coded web-facing applications resulting in SQL injections and other vulnerabilities.' PCI mandates pen testing--yet try to find any pen tester who can confidently say, 'Yep, my test or pen testing tool was 100% thorough.' Pen testing will always fail to miss issues. So when a PCI auditor comes around and finds a flaw then--poof--you're on the PCI black list," he wrote.
He continued, "Second: 'finding and the storage of prohibited data (such as account numbers, CVV2, PINs)'… Sniffing out all of the potential places, such as log files, is not easy in complex environments. Yet PCI only requires manual code audits to sift through the code… I don't mean to knock PCI. On the contrary, it's a good idea and I'm always in favor of industry self-regulation. PCI has several components that help stop cyber fraud. But PCI technology prescriptions should be designed to help merchants pass their audits."
Which side of the PCI fence you sit on (acquirer, auditor, card association or merchant) will determine how the following statistics are interpreted.
According to Visa, as of July 2007:
- 40 percent of Level 1 merchants were PCI compliant.
- 33 percent of Level 2 merchants were PCI compliant.
- 52 percent of Level 3 merchants were PCI compliant.
40 percent is modest but not stellar for Level 1 merchant compliance, and as the original deadline of September 30 gets closer and closer, it's evident, at least to Visa, that there are going to be more merchants that are not compliant than those who are compliant by the date.
Even with Visa's Compliance Acceleration Program (CAP), introduced in December 2006, with its discounted credit card transaction fees designed to reward merchants who jump the hurdles to PCI compliance by the original date of September 30, the numbers as of August 2007 are obviously not what was hoped for.
This may be good news for merchants and acquirers alike, as Visa is toning down some of the talk of high fines and total non-compliance status for merchants who have not met the standard by September 30.
Instead of non-compliant merchants not being eligible for reduced Visa transaction fee programs, now Visa says the following concerning interchange rates for non-compliant merchants:
"Effective October 1, 2007, acquirers whose Level 1 or 2 merchants are not PCI Data Security Standard ("DSS") compliant will no longer receive the best available interchange rate, being downgraded one tier. Additionally, acquirers of non-compliant Level 1 merchants will be fined monthly starting in October, and Level 2 merchants in January 2008. Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data," said Rosetta Jones, vice president, Visa USA.
Since the PCI DSS policies and procedures were introduced, an early and obvious compliance emphasis was placed on documentation for merchants and ISOs.
Implicitly, Level 1 and 2 merchants have had the spotlight shining brightly on them, because of the mammoth breaches occurring that garner the media's attention, but they don't represent the majority of merchants and ISOs, both in the US and globally.
Based on transaction volume alone, Level 4 merchants far outweigh Level 1 and 2 merchants, but the rules for attaining compliance for Level 1 and Level 2 merchants are clearly defined, though the number of merchants actually complying varies, depending on who is providing the research.
For Level 4 merchants (brick-and-mortar or e-commerce sites with fewer than 20,000 Visa/MasterCard e-commerce transactions annually, and all merchants across channels with up to 1,000,000 Visa transactions annually), understanding and following the rules of PCI compliance has been a murky journey at best.
Despite the copious documentation available at the PCI Security Standards Web site, for many merchants, especially Level 4 merchants, knowing how to introduce and maintain a PCI compliance program is proving to be a puzzling endeavor.
It's critical that acquirers maintain active and open communication of all policies and procedures with merchants, member banks and the card associations.
Acquirers are the new gatekeepers for PCI compliance information for merchants, but they also serve as information convergence points for card issuers and for third party vendors like ASVs.
It's up to the acquirers, according to PCI Standards and Security Council, Visa and MasterCard, to ensure that their merchants follow the procedures for compliance.
For acquirers who are not vigilant about merchant compliance, the fines for non-compliance will be steep. Acquirers, whose Level 1 and 2 merchants are not compliant, will be fined between $5,000 and $25,000 a month.
Whether they wish to take on the gatekeeper role or not, acquirers must step up to the plate and answer and clarify the questions merchants have concerning the PCI process, or face the consequences.
According to some merchants, and those working for merchants, how much involvement an acquirer has with the merchant, or the information that is given to the merchant by that acquirer, depends on the acquirer.
The acquirer's information is directly linked to the particular credit card brand's rules, as well as PCI DSS guidelines. If there is little or no communication between the merchant, acquirer and the card brand, problems begin to accrue.
"The fact that the five major brands have agreed on a single standard is good. Unfortunately, due to federal laws, they do not have full freedom to agree on implementation standards," said Ron Greenberg, COO of merchant acquirer, PowerPay, LLC.
Based in Portland, ME, PowerPay works with merchants across the US, from retailers and restaurants to convenience stores, all through its member bank HSBC, and its business partners include companies like Time Warner Cable and The California ISP Association.
According to Greenberg, the different credit card brands introduce a whole new level of confusion for merchants and acquirers alike, when it comes to PCI compliance.
"For instance, Visa has defined four levels of compliance for merchants along with a set of fines and penalties," he explained.
"MasterCard has a different set of rules as well as reporting requirements. Multiply this by five and it creates a mess of rules and compliance issues we need to track."
When asked, bluntly, whether he felt PCI DSS was going to help or hinder acquirers, his answer was just as blunt.
"They [PCI guidelines] are a necessary evil. Any time you add more procedures it is a headache. Will it help? In the long run it should. But everyone must realize it will not solve the problem."
Some merchants and employees of merchants, who are charged with facilitating the merchant acquirer relationship, seem to add credence to Greenberg's assertions.
"I have the feeling, although I cannot substantiate it to any degree, that the requirements a merchant is under (particularly absolute compliance dates) vary depending on which Acquirer you are going through," Information Security Manager Andrew Mason posted recently on a PCI compliance Web forum.
Mason, who works for a merchant company in Spain, is paired with an acquirer based in the United Kingdom, one that isn't offering the kind of support he thinks is needed. As well, the answers he has received from the card brands themselves have been nebulous at best.
"Visa seems happy as long as you can prove 'progress' in your PCI Compliance project," commented Mason. "MasterCard appears to be less clear on the various aspects of compliance, particularly the dates."
He continued, "I asked a question in a webinar recently which was jointly hosted by MasterCard. The question was directed to the MasterCard rep, who was VP of something or other to do with PCI / Compliance. The question was, 'When is the absolute deadline date for compliance?'"
"The answer? Any guesses? 'Speak to your Acquirer.'"
Who is the acquirer?
Step 1: Engage all internal resources
Step 2: Acquirers and ISOs: identify and partner with a qualified ASV and/or QSA
Step 3: Engage all external resources to make your merchants aware of PCI Compliance
Step 4: Supply the tools that the merchant needs for PCI compliance
Step 5: Implement and maintain a proper tracking and reporting system
Other considerations for acquirer and third-party provider back-end best practices