Despite well-publicized security breaches at dozens of companies this year, John Shaughnessy, Visa USA senior vice-president of risk and operations, is confident a data security standard pushed by Visa and other credit card associations is paying off in better protection of consumer data.
"Is the environment totally secure now? No. Is it better than it was a year or six months ago? Absolutely. Will it get better? It absolutely will," he says. "This whole security issue and the resolution of it is a process. It's going to take time."
The Payment Card Industry (PCI) Data Security Standard, and the 12 requirements it sets out, are effective, provided they are followed, says Shaughnessy. Security needs to become second nature.
"It has to be dealt with at a board level and not just [as] an IT issue," he stresses. "Security really is a board-level issue, because it has so many implications to your brand and your stock."
Created late last year when Visa and MasterCard [which declined to be interviewed] aligned their separate security programs, PCI includes rules for data encryption, firewalls and access controls. Other card companies, including American Express, support the standard.
Requirements for validating PCI compliance differ, depending on the type and number of card transactions. For example, merchants which process more than six million Visa transactions a year, whether online or not, must have an annual onsite security audit by an independent assessor or an internal audit signed by a company officer plus quarterly network scans. Some merchants need to conduct quarterly network scans and complete an annual self-assessment questionnaire, while others are only encouraged to complete a questionnaire.
Stamps.com, an online postal services firm, falls into the category with the most rigorous validation requirements.
"The IT team pretty much dropped everything to get this done," says Richard Buckingham, the company's manager of IT infrastructure. "It was a very lengthy and fairly intense process."
For compliance, Stamps.com bought Tripwire's software to ensure file integrity and Symantec managed services to monitor its intrusion detection system.
Compared to the regulatory requirements of Sarbanes-Oxley, which is more about documentation, PCI is specific, says Buckingham. And because non-compliance can result in thousands of dollars in fines or even being cut off by Visa, the standard gave IT staff leverage with management to make security the priority.
"They allowed us to spend a bunch of money to get it done," he recalls.
An executive at a national retailer, who spoke on condition of anonymity, says PCI is having a huge impact on her company and that compliance will cost millions and take years to implement. PCI is complex and daunting, especially for retail, behind the curve in infosec compared to other sectors, she explains.
"There are still so many things on our security to-do list this year, and never enough resources to get them all checked off that list," she says.
Yet retailers have a wealth of data that online thieves want, particularly those that have loyalty or frequent buyers' programs, which store personal information beyond credit card data, says Chris Noell, Solutionary's vice president of marketing.
Overall, security experts report a mixed response to PCI. Michael Petitti, senior vice-president of marketing at AmbironTrustWave, says his firm, a certified PCI assessor, saw a "tremendous amount of activity" on the part of merchants to meet the June 30 deadline for compliance. However, others say many retailers failed to meet the deadline.
"A lot of retailers are more or less behind. They're still scratching their heads and saying, 'are [card associations] serious?" says Michael Rasmussen, an analyst at Forrester Research.
A survey of 65 IT professionals that was conducted by security supplier Protegrity before the deadline showed that the majority did not believe their companies were clear on the PCI requirements.
"Most merchants didn't really understand that PCI had teeth – that Visa would actually do something and cause them pain," says Protegrity President and CEO Gordon Rapkin. "A lot of companies were doing duck and cover... What you would consider household names hadn't acted."
For his part, Shaughnessy refuses to disclose compliance data, describing it as confidential. But, he adds, "we're really encouraged with the level of adoption... we've seen on a very broad scale with major merchants and others."
Visa launched its Cardholder Information Security Program (CISP) in 2000 after executives, concerned about criminals exploiting the internet, decided to put together technology guidelines for Visa members to follow. CISP still exists, alongside the PCI standard.
Shaughnessy acknowledges that there is expense associated with implementing security, but says it is an investment that companies wanting to be entrusted with sensitive consumer information must make. And while he stresses that Visa is very serious about enforcing its requirements, Shaughnessy says penalties are a confidential matter between the firm and member banks, which it holds responsible for merchant compliance.
The company did publicize one of its enforcement efforts, however, when it announced in July that it was terminating CardSystems as an approved Visa processor as of October 31 because the company violated the data security rules.
Visa staffers work hard to help retailers understand the PCI rules, including meeting with individual merchants, insists Shaughnessy.
Visa also recently held a series of joint seminars with the U.S. Chamber of Commerce to help businesses across the country understand data security requirements.
Many small and midsize retailers are overwhelmed by what they have to do to comply, yet the standard has helped push a lot of companies to implement security, says Jennifer Mack, product manager at Cybertrust.
"Merchants who never would have done this are taking more security measures," she says. "If anything, it's raised awareness, and they are doing things they hadn't thought of before."
But breaches at Polo Ralph Lauren, retailer DSW and scores of others have done at least as much to drive companies to add protective layers. California's personal data law, for example, has led to more news about breaches.
"Increased disclosure is a major driver," says Barak Engel, president of consulting firm Engel & Associates. "[Executives are] afraid their company will be in the newspaper."
PCI wins praise from many in the industry for its practicality, but some say that it needs to be even more rigorous.
"These 12 [PCI] requirements are good standards that everyone should be meeting," says Brian Grayek, CTO at Preventsys. "But it falls short on the audit, the validation."
Many merchants fall into PCI's level 4 – those processing fewer than 20,000 online credit card transactions – and are not required to demonstrate compliance. AmbironTrustWave's Petitti says anecdotal evidence suggests that up to seven million merchants fall into that category.
Some say the self-assessment required for some merchants is far from a good measure of compliance, since it relies on honesty. But Forrester's Rasmussen notes that a company lying on the self-assessment could land in hot water.
"They might be able to get by on smoke and mirrors, [but] if they have an incident, it will come back to haunt them," he says.
Not only do companies face the threat of fines for non-compliance with PCI, they could also face lawsuits after a breach, adds Rasmussen, citing the class action suit filed against CardSystems.
Indeed, companies who experience a breach could suffer brand damage and loss of custom in addition to liability.
"There are lots of reasons you should button up the information, more so than you ever did in the past," says Shaughnessy.
Fundamentally, validation of PCI compliance is just a snapshot – Visa can never know whether every merchant and third party is constantly compliant, he says. It is incumbent on companies to step up to the responsibility.
"Security isn't a once a year thing," he says. "It's an ongoing way of life in today's environment."