22% of the major retailers (approximately 290 in the United States) are PCI DSS compliant, and 78% are on track to becoming compliant. This figure, as appropriately highlighted and restated several times on other news sites, ignores the mid-tier merchants and the service providers. These two groups alone represent a far larger, and far scarier, pool of potential attack sources. Unfortunately, there is still some hubbub from merchant CEOs, industry analysts, and certain VISA assessors who feel that the standard is not clear, or is not being applied prudently enough to encourage complete adoption.
The pitfalls of forming a standard are numerous, and one of them is inconsistent policing and monitoring. Anything that isn't measured doesn't get done, and the IT controls world is no different. At present, assessors are pitching their services to companies that are responsible for meeting the mandates set forth by PCI DSS, and far too often they do so by shouting FUD (fear, uncertainty and doubt) through marketing and sales tactics. This is a terrible way to communicate a standard that was designed to reduce the cost of fraud and injury to the payment card network (both consumers and providers). Unfortunately, due to a lack of communication throughout the network, many of those who should be PCI DSS compliant do not even know what it means. This was found to be true at this year's Payment Card Industry Conference in Las Vegas, where fewer than 40% of those surveyed knew what PCI DSS represented. The positive side of the survey showed that the majority, greater than 70%, considered IT controls and security to be of paramount importance.
So we know that merchants and providers have the desire and the will to put strong security in place and protect their clients, but they seem to be unaware of the relevant standard, PCI DSS. ("Relevant standard" is an important distinction from how the rest of the world manages IT controls: because PCI DSS was written by the payment card industry for the payment card industry, it speaks directly to the real risks and threats that exist. The same cannot be said of SOX/COSO, of HIPAA with its own arbitrary standard, or of ITIL for everything else in the world.) The break in communication is not with the card companies (VISA, MasterCard, AMEX, etc.), as they have dedicated portions of their websites, teams, training, roadshows, webcasts, blogs, analysts, and a number of media outlets that are being paid to publish articles on this standard.
The break in communication is simply an economic one once we consider how liability and fines flow. If a breach occurs at Merchant X, VISA and company will each issue fines. Those fines, however, are not levied on the merchant; they are (this is an example, not an absolute, and there will certainly be variations) placed upon the institution that handles (or issued) that merchant's cards. It is then up to the institution to pass the fine along to the merchant. Now the institution is in quite a position: pass the fine along and risk losing the merchant's business at renewal, or absorb the fine as a cost of doing business with the merchant. Which way it goes depends on the volume of business coming from Merchant X. So, big merchants don't pay fines? More importantly, if the institution feels there is greater value in absorbing the cost as part of doing business, was that same risk calculation done for mid-tier merchants, those that could not absorb such a fine without going out of business?
In reality, the institutions bear the responsibility and know which merchants and providers need to comply with PCI DSS. Unfortunately, it runs contrary to the institutions' business to fine or trouble their clients, so the fines are not always delivered. In an interview, a VISA spokesperson stated that they had not issued as many fines as they should have. This is clearly true: 78% have not been compliant, and should have been fined as long as a year and a half ago.
A bit of a rant, but looking into this confusion one can only imagine the state of those who are trying to drive change in their organizations to meet PCI DSS, and the amount of resistance they are running into.