By Brian Kilcourse, Managing Partner
November 10, 2009
At an event last week hosted by tekservePOS in Schaumburg, IL (near Chicago), Jeff Wakefield of VeriFone gave the assembled retail technologists an update on the state of PCI compliance. Wakefield is VP of Global Security Solutions at VeriFone, and he also represents his company on the PCI Security Standards Council Board of Advisors. As virtually every U.S. retailer that processes roughly $500,000 or more in payment card transactions a year knows, PCI is “the gift that keeps on giving,” as the standards continue to evolve. Next up is a looming deadline: retailers must comply with the PCI SSC PED Security Requirements by July 1, 2010. That standard relates to PIN entry devices, or in other words anything that can handle a debit card.
“What?” you ask, “How does ‘PCI SSC’ relate to what we’ve been trying to comply with since 2005?” Good question! According to the PCI Security Standards Council (SSC), “The PCI PED Security Requirements focus on protection of the cardholder’s PIN when used in connection with a financial transaction. PCI DSS focuses on the protection of other sensitive data elements such as the Primary Account Number (PAN), the cardholder’s name and the CVC2/CVV2/CID/CAV2, and addresses both the transmission and storage of that data.” Since a picture is worth a thousand words:

According to VeriFone, there are about half a million “pre-VISA” PED devices in service in the U.S. now. A “pre-VISA” device is one that predates the VISA PED Standard (which went into effect in 2004), which in turn has been superseded by the PCI SSC PED Security Requirements (which go into effect on July 1, 2010). The key component of this requirement is that PIN pads must be PCI certified for TDES (“triple DES”) encryption of the PIN for all debit transactions.
But if you’re wondering what that stuff in the middle of the picture is, “PCI PA-DSS,” you’re not alone. VISA has quietly mandated that all application components of the payment ecosystem must be certified as PA-DSS compliant, although according to Wakefield, no date has been firmly established for that. “Application certification” is a BIG deal, implying a level of bureaucracy that doesn’t even exist right now. It brings up all sorts of questions, such as “what about my proprietary home-grown app?” and “does this mean we have to upgrade all of our store-level hardware just to get onto a certified version of the POS?”
All of this follows a roadmap for the standards, to first eliminate risky duplication of sensitive data, then address breach prevention, then enable breach detection, and finally to implement end-to-end encryption of all sensitive data. But since the bad guys’ code is getting increasingly sophisticated and is extremely hard to detect, everyone should expect that the complexity of the deterrent will continue to grow, just as the complexity of the threat does.
All of which might cause one to muse, “if we could start all over again, what would it look like?” A study conducted by the U.S. Department of Defense in the early 1970s revealed that for every “bug” that was fixed in code, two more were introduced. That (as every IT’er knows) is why applications eventually “break” and have to be replaced. As RSR said in our recent report entitled “Closing the Sale with the Connected Consumer: The Future of Retail Payments”:
“Payment data security issues are both a symptom and a cause of payment technology challenges today. On the cause side, retailers are challenged to keep up with incremental changes to their payment infrastructure, responding to minor changes made over a long period of time. But those changes accumulate, pulling retailers away from the original, clean architecture of their payment systems. As one retail CIO noted, his payments infrastructure is 20 years old, but he theorized that very little of the original code is left, thanks to the incremental changes his company has made to keep up with VISA. This piecemeal approach results in a tangled web of supporting technology that requires a huge business case to unwind, one that could be difficult to find in the current climate. Additionally, the pace of new demands to meet ever-emerging security threats continues to increase with no end in sight, and retailers must devote resources to their payments infrastructure for maintenance, rather than looking into innovations.”
In the industry’s struggle to secure non-cash payment forms, every solution is relative to the last, greatest threat. Perhaps it’s time for the players in the payment ecosystem to pull out a blank piece of paper and brainstorm the question, “what’s the best way to ensure consumers’ security, no matter how they pay for goods and services?” But when having that conversation, all the participants should be represented (and given an equal voice), and that means the consumer too.