This article appears in the May 7, 2009, edition of ISO&Agent Weekly.
Maintaining compliance with industry standards continues to be challenging for many companies, especially retailers, says Dave Hogan, senior vice president and chief information officer at the National Retail Federation, a Washington, D.C.-based retail trade association.
"It could be something as simple as you might have missed a patch on
something that is totally unrelated to where a breach occurred, and you're not PCI-compliant," he says, adding merchants already have spent billions on data security and compliance.
Smaller retailers, which typically work with ISOs, tend to have the most difficulty adhering to security standards, and they also are among the most compromised entities, according to industry insiders.
ISOs that partner with their merchant clients can help them prevent potential data-security breaches.
Hogan believes there is no safe harbor for compliance even if merchants monitor their security daily. "It doesn't matter if [a company is] PCI-compliant. If [the brands] want to find you noncompliant on something, they will. It could be insignificant and obscure, but in the strictest letter it is not" compliant, he says.
While merchants may find regularly keeping up with the standards challenging, it is important for them to do so, regardless of their size, observers say.
"Most entities we see compromised are small merchants," says Eduardo Perez, Visa global head of security.
The level of concern among merchants regarding data security runs the gamut, says Josh Scheiner, a partner with Wholesale Merchant Group, a Weston, Fla.-based ISO and merchant processor. He has had merchant clients call to inquire about what they can do to comply with the industry's data-security standard. He also has had merchants call to ask why they need to take measures to secure data.
Erik Verryden, president of National Processing Solutions Inc., a Phoenix-based ISO, agrees. A small portion, 5%, of the ISO's merchant clients call to inquire about security, he estimates. "The other 95%, we have to call them," Verryden says.
Larger merchants generally pay more attention to data security, says Verryden.
Smaller merchants "are saying, 'if it isn't broken, don't fix it,'" he says, noting many times merchants respond negatively after his team suggests they update their software or terminals to compliant versions.
Some Level 4 merchants, which process less than 1 million Visa transactions annually, have never heard of the Payment Card Industry data-security standards, says Verryden. "A lot of them feel if they are not a client of ours yet, they think [talking about security] is just a sales pitch," he says. "The majority feel like we're pulling something over their eyes."
It is the industry's role to educate such merchants that it is in their best interests to comply. "At the end of the day, the merchant ultimately is responsible for their place of business," says Mike Passilla, executive vice president of global business development at Atlanta-based Elavon Inc., tells ISO&Agent Weekly.
Security Requires Vigilance
In the aftermath of recent data-security breaches at Princeton, N.J.-based Heartland Payment Systems Inc. and Atlanta-based RBS WorldPay, more industry organizations are beginning to understand that companies should update their data security more frequently than once or twice a year.
"What we're learning is, it's not just a matter of being PCI-compliant today," says Scheiner. "You can be compliant today and [be] breached tomorrow because something changed."
Visa's Perez agrees. "All breached entities have been found to be not compliant with the standard at the time of the breach," he says. A large part of Visa's security-related messaging now "focuses on the need for ongoing compliance" with the industry standards, Perez says.
RBS WorldPay is working on revalidating its compliance with the data-security standard using a qualified security assessor, according to Visa. Heartland on Friday announced it once again is compliant with the standard.
The idea of constant compliance and security awareness for the payments industry is not unlike how the restaurant industry has to handle health and safety, according to industry insiders.
For example, a restaurant may pass a health inspection one day but become invested with vermin the next. To maintain its health standards, restaurant managers must check for safety violations continually.
Merchants, processors and others can stay compliant by installing software patches as needed and by scanning for open holes in their networks regularly, says Bob Russo, general manager of the Wakefield, Mass.-based Payment Card Industry Security Standards Council.
The council is responsible for the development, management, education and awareness of the Payment Card Industry Data Security Standard, the Payment Application Data Security Standard, and PIN-Entry Device requirements. Each is designed to enhance payment-data security.