Next year’s updates to the Payment Card Industry data security standards will provide retailers with better protection, but hackers will target the weaknesses of companies that don’t put in extra effort.

Too many businesses make the mistake of equating PCI compliance to “being secure,” said Joe Sturonas, chief technology officer with data security provider PKWare. “That was never the intent of the PCI Security Standards Council,” the organization that maintains the standards, he said.

While PCI establishes a solid roadmap for merchants to follow, it provides that same map to criminals, Sturonas said.

“If you are going to attack a company known to be PCI compliant, there are a number of attack vectors you are going to avoid,” he said. “Then there are all of these other ‘fair game’ vectors that go beyond compliance that you can focus on.”

Milwaukee-based PKWare provides data encryption services, which are designed to render stolen data unreadable to anyone who does not hold the decryption key.

Security practitioners “clearly understand that PCI is just the minimum bar,” but they harbor a misconception about PCI data security, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

Merchants often complain that PCI doesn’t work, highlighting examples such as Target, the mega-retailer that passed its quarterly PCI assessment just a few months before its 2013 data breach, Conroy said.

“PCI has a PR problem,” she said. “Too few people understand that it’s a minimum standard and is no panacea.”

PCI compliance has essentially developed three “camps” of merchants, said Al Pascual, senior analyst for Javelin Strategy & Research.

Those who already go beyond the minimum effort needed to comply generally appreciate the extra guidance of the 3.0 upgrade, Pascual said.

The new guidance will help those who use PCI compliance as “what they shoot for and the standard they follow” but rarely go much beyond that, Pascual said. “For them, these are timely upgrades and extra steps.”

Smaller merchants who “skirt the issue” and don’t care about PCI as much because they don’t handle much data or experience any serious breach threats will likely view PCI 3.0 as too daunting and too expensive.

“No matter what you do with standards moving forward, it is not going to matter to that merchant segment,” Pascual said. “Unless you make it ultra simple and super cheap, these folks are not going to implement correctly.”

Stephen Orfei, the new general manager of the PCI Council, has said that the council will work with acquirers to provide “PCI in a box” to make compliance easier while stressing risk assessment at the same time.

PCI DSS 3.0 expands the definition of scope and calls for deeper penetration testing, based on a documented methodology, to validate firewalls, network segmentation and other controls that keep the cardholder data environment isolated from the rest of the network.

The new guidelines also put heavier emphasis on validating the compliance status and the work of third-party service providers. Starting in July, PCI will require merchants to inspect devices commonly targeted for tampering or substitution, such as gas station pumps, ATMs and PIN pads.

The 3.0 standard also requires merchants and service providers to document who is responsible for which PCI requirements and what those requirements entail. That requirement is meant to address companies trying to shift the blame after a data breach.

Companies should remain mindful of insider threats, PKWare’s Sturonas said. “The reality is at a large company you can do a good job of keeping the bad guys out, but you have 1,400 administrators that have access to all of the data,” he said. “It’s not necessarily that they would be malicious, but there are accidents, and you can’t trust everyone to do the right things all of the time.”

No matter how merchants approach PCI DSS 3.0 next year, the math behind data breaches won’t change. “Security has to be right 100% of the time. The bad guys just have to get it right once,” Sturonas said.
