Retailers handling credit card data are contractually obliged to comply with a security standard. Among smaller businesses, this is not happening. As David Reed finds out, knowing what the standard is may be the problem, rather than any challenge of actually meeting it.
“It is not often we think of ourselves being seen as the big bad wolf. We are the good guys trying to protect credit card data.” So says Jeremy King, European director of the Payment Card Industry Security Standards Council.
This perception of the PCI as the bad guys emerged in a survey recently carried out among 125 small and medium-sized retailers into their awareness of and compliance with the PCI Data Security Standard and debriefed in London in mid-October. It uncovered not just gaps in knowledge about the standard, but also a lot of pushback against the time and cost of becoming compliant. PCI DSS was perceived as placing yet another burden on struggling small businesses and the council itself as generating revenues from fines.
“We are not responsible for compliance and issuing fines, we don’t receive any money from fines. We set the standards of what retailers need to do,” stressed King. It is a key point when legal actions are being launched against the card issuers, which do levy fines for non-compliance, arguing that financial penalties are not part of the contract which merchants have with acquirers.
What worries the industry is the migration of criminal interest towards smaller retailers, which have much lower levels of data security. In the survey, 80 per cent admitted carrying out no training of their staff on the issue, and the same number do not have a diagram of their IT network and therefore have no idea of where data may be travelling to and from.
As King points out, the entry points for criminals can often be fairly simple ones, even in the largest businesses. “When TK Maxx was breached in 2007, it was done from a car park opposite using a laptop via weak Wi-Fi security,” he says. Among small retailers, it is not uncommon for credit card data to be transmitted via home Internet hubs. “A lot are using their BT or Sky box and relying on its anti-virus as their security, without using any special measures. That creates a way in via any connected devices.”
A levelling of the playing field by the Internet has also increased the dangers. “We are seeing problems because of the success of eBay. SMEs are realising they can sell more via that e-commerce site, but it creates challenges and risks. Who has set up their security system? It is a minefield and potentially easy for a criminal to break,” says King.
Small businesses often rely on friends of the family or local service providers who may not be aware of PCI DSS or qualified to ensure systems are compliant. They could even be suborned by criminal elements into providing password details, assuming these have even been put in place.
That is one reason behind the introduction of the Qualified Reseller and Integrator programme. It is aiming to teach suppliers how to work securely, about removing default passwords, backdoors and trapdoors, and even remembering to switch security features back on once an integration is finished.
Some third parties already help to reduce risk. King emphasises the value of working with a third-party payment services provider. “It is a cost, but that is offset by lower fraud risk and not having credit card data in your system,” he says. A key point here is that card acquirers ultimately levy the cost of fraud on the retailer responsible for losing card data, even though the card holder does not have to pay up.
That is not what card issuers want to be doing. Instead, they are looking for ways to help merchants improve their security through education and awareness in order to prevent breaches in the first place. “There is a common perception among smaller merchants that PCI DSS is crushing, but that is often just based on anecdote,” notes Matt Martin, senior payment security risk manager at Barclaycard. “SMEs don’t like doing it and they tend to be one-man bands, so it is just another thing for them to worry about.”
Barclaycard has developed a suite of more accessible literature and even animations to try to make the subject more accessible and understandable. That is vital given the widespread view that the standard is written in language that is too technical and IT-oriented, a point recently made strongly to the PCI by the US Small Business Administration.
“Small retailers know of it, rather than having know-how about it. Half have been aware of the standard for two years,” points out Martin. This is important, as a tipping point tends to be reached after two to three years of awareness. At that point, 5 per cent more retailers have a written security policy, password policy and third party security policy.
For SMEs, this process can be done through self-assessment questionnaires (SAQs), of which there are four levels - A being the simplest and D being the most difficult. The level should reflect the scale of card data being handled and the complexity of the IT environment, yet 25 per cent of smaller merchants have been attempting the hardest, SAQ D.
Martin believes that compliance could be a lot simpler than many of these businesses realise. “Why are they storing card data at all? Is there a need for this or could simple changes reduce their compliance effort? Among Barclaycard merchants enrolled on our Security Metrics compliance portal, 78 per cent have passed SAQ B. The help and advice we give makes life easier for them,” he says. With 100,000 merchants, of which 97 per cent are SMEs, improving compliance has significant benefits for the acquirer.
“Cost of compliance is a factor and is likely to be several thousand pounds,” he admits. “That is not huge, but it still matters. The consequences of not being compliant and getting breached is where SMEs could suffer. It could be curtains for many of them.”
When small retailers do suffer a breach, they are likely to go out of business in the wake of the penalties and direct costs of remediation, combined with the loss of customers which usually results. Few SMEs are sole providers of any product or service, meaning affected cardholders can simply go elsewhere.
Mathieu Gorge, CEO of security awareness and assessment specialists VigiTrust, says: “The technology is there which allows you to do what you need to. It is more an issue of policy and awareness among people. Education is at the heart of any good GRC programme.”
His company has spelled out a five-step process towards compliance: it starts with education and awareness, leading to a pre-assessment of compliance, followed by remediation of any problems and the creation of policies and procedures, combined with the transfer of skills and the introduction of IT and applications, with auditing and accreditation as the end point. Gorge stresses, though, that “it needs to be a continuous process that you loop.”
While PCI DSS compliance may have stalled among smaller retailers, it could get a kick start when new data protection laws are passed. “That will harmonise and impose new controls, like data breach notification - although doing it within 24 hours is not realistic and doesn’t add value because in the middle of a crisis, you don’t want to waste your time ringing the ICO, you want to contain the problem.”
According to the survey, 51 per cent rely on anti-virus and anti-spam applications, many of them provided by ISPs, to protect their data from breaches. As a result, 53 per cent have not managed to reduce the scope of their PCI DSS exposure, which can be achieved through the use of tokenisation or end-to-end encryption. If retailers do not store card data but simply transmit it via secure methods, it lowers the risks they face and therefore makes it more likely they will be able to comply with the standard. “But you still need policies, procedures and validation,” stresses Gorge.
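One practical way to check the scope-reduction point above, whether card data is being stored at all, is a discovery scan over a retailer's stored records, as in this added example (it is not code from the article, Barclaycard or VigiTrust). The records scanned are constructed, and Luhn validation is used to separate real card numbers from other long digit strings such as order references.

```python
import re
from typing import Dict, List

# Constructed sample: lines a small retailer might keep in an orders export.
# Two lines hold Luhn-valid test card numbers; one holds a 16-digit reference
# that is not a card number; one already uses a provider token instead.
SAMPLE_RECORDS = [
    "order=10231;customer=A. Smith;card=4111 1111 1111 1111;total=42.50",
    "order=10232;customer=B. Jones;ref=1234567890123456;total=17.99",
    "order=10233;customer=C. Brown;card=5500-0000-0000-0004;total=99.00",
    "order=10234;customer=D. White;token=tok_7f3a9c;total=12.00",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the usual truncated display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(record: str) -> List[str]:
    """Return the Luhn-valid card numbers found in one record, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: List[str]) -> Dict[str, List[str]]:
    """Map each record's leading field to the masked card numbers it stores."""
    report = {}
    for rec in records:
        pans = find_pans(rec)
        if pans:
            report[rec.split(";", 1)[0]] = [mask_pan(p) for p in pans]
    return report
```

A non-empty report means card data is still in scope; the masked values are safe to hand to whoever must decide whether that storage is needed at all.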
He also believes the survey has exposed a myth about PCI DSS: that the primary obstacle to compliance is resourcing. “I expected the main issue to be cost and a lack of understanding of the technical controls. In reality, there is a lack of understanding of the standard itself, then time and cost issues. The myth that companies are not complying because somebody at the top doesn’t want to is not true,” says Gorge.
So why is this sector under-performing compared to bigger retailers? A counter-intuitive reason is that other card data security measures have worked too well, forcing criminals to look elsewhere for easy targets. In Verizon’s annual report on data breaches, 96 per cent were among companies which were not PCI DSS compliant and 92 per cent of compromises were simple. Remedies for these flaws tend to be simple, such as changing default passwords or having a firewall.
PCI activity elsewhere has also helped to change the risk profile, for example through chip and PIN significantly driving down fraud levels. “PIN doesn’t remove all of the risk and retailers don’t get the benefit of PIN online. Verified and use of CVV numbers are helping, but card data is generally being transferred in the clear which is why we are seeing card not present fraud of £200 million-plus per year,” says King. “The object of desire is cardholder data and it is a global threat.”