There is a lot of information on PCI being published right now with the September 30 deadline for Level 1 merchant compliance looming. Yesterday, DarkReading posted a report with some information that definitely warrants attention. According to the article, many companies falling into the Level 1 merchant category (mostly large retailers) are not going to be compliant in time for the September 30 deadline. I can't say this was unexpected though. Granted, PCI DSS is more straightforward than other regulations. But by no means are the requirements easy to comply with, especially if information security wasn't a high priority for you in the past. From the article:
Despite the threats of fines and penalties, however, it looks as though many retailers are about to miss yet another PCI compliance deadline. Experts estimate that more than a third of Level 1 merchants (the largest retailers) will fall short. Smaller retailers generally are even further away.
The article also reports some interesting information from the PCI DSS Council's first community meeting, which was held in Toronto last week:
Computer forensics experts at the Council meeting testified that as many as 60 percent of the breaches they have investigated in PCI environments can be traced to flaws in five or six retail applications, Lindstrom reported. "They didn't want to give out the names of those apps, but they are mostly payment processing applications that are specific to the retail environment."
With PCI making security a more "top of mind" issue for retailers, I wonder if we'll be seeing those applications become more secure. Will there be enough market pressure on the application vendors for them to make security a priority in their SDLC (Software Development Life Cycle)? How much pain does PCI have to inflict before a retailer says to their vendor, "Your application is great, but we're going with the other guy's because it has fewer security flaws"?
There is also some concern among credit card companies about smaller merchants who are far behind Level 1 merchants when it comes to security:
But while many large U.S. merchants and payment processors struggle with these technical issues, credit card companies are likely more worried about smaller retailers and non-U.S. regions that are not nearly as far along as their Level 1 counterparts. For many of these companies, the problem is not technology, but resources.
"The forensics people we heard from said that more than 80 percent of the [credit card] compromises they see are coming from merchants who are at Level 4 (the smallest retailers)," said Lindstrom. "This is where the least [PCI compliance] work has been done."
Will there be changes to the PCI validation requirements to prod Level 2-4 merchants into being more secure (and hopefully having fewer breaches)? It has always been assumed that one of the reasons for having multiple merchant levels is so that validation requirements can be increased gradually from the top down. Right now, the validation requirements for Levels 2-4 are almost identical (the only difference being that Level 4 merchants depend on their acquirers to determine whether they need to do a quarterly PCI scan, the annual self-assessment, or both). Don't be surprised if some of the changes to PCI in 2008 involve increasing validation requirements for merchants outside of Level 1.