Carl Weinschenk spoke with Mandeep Khera, chief marketing officer, Cenzic.
Weinschenk: What is PCI?
Khera: PCI is the Payment Card Industry Data Security Standard. It was founded by five credit card companies: Visa, MasterCard, Discover, American Express and JCB. The whole process occurred a couple of years ago. They wanted to make sure merchants' cardholder information was protected from hackers. It has evolved over the last couple of years. At first, it was not as mature. Last year, Visa and MasterCard started to charge a penalty for not being compliant with PCI.
Weinschenk: The PCI Council just made a move. Please describe it.
Khera: On October 1, they released PCI version 1.2, which has no major changes in the requirements themselves. It is mainly clarifications on the 12 requirements in the standards. It offers additional details on what the standards mean. They added more information around wireless security and expanded information on Web application security that was not in 1.1. They also offered changes. For example, they created new templates to follow in terms of process, such as how to submit compliance reports. That was not clear before. That tells people how to know if they are compliant or not and how to submit reports.
Weinschenk: You suggest that 1.2 goes beyond simply offering help with the paperwork and introduces some substantive changes. Can you explain?
Khera: What was happening before was Web application-level breaches were occurring even when the company was PCI-compliant. So that made the PCI standard only partially useful. You could meet all requirements and get certified, but still be vulnerable and open to hackers. What was embarrassing was that people were having breaches but saying, "Oh, but we are PCI compliant." It's really a good positive step forward.
Weinschenk: It seems that two areas where there are real changes are wireless and application security. Is that so?
Khera: In 1.1, there was not a whole lot specifically on wireless security. There were a couple of breaches in wireless during the last few months, so they created stricter security policies and gave the need to protect card holder data on wireless more emphasis. For example, encryption must be implemented according to best practices, which is 802.11x. The rules say that people must discontinue use of WEP after June 30, 2010, and new implementation can't use WEP after March 31, 2009.
Weinschenk: And app security?
Khera: For application security, section 6.6 used to be a guideline. It basically said for a retailer or merchant, doing a vulnerability scan was a guideline. Now it is a requirement. It is mandatory and there is a penalty if you don't. If you are not compliant, it's a major hassle. That's a major change from that perspective. It won't cause any significant hassles in cost or maintenance. It will lead to tighter enforcement. For example, some companies were not doing Web app security before. Now they have to do something. They have to do a manual or automatic scan.
Weinschenk: Has PCI been successful?
Khera: I would say it is partially successful. It is the first standard that addresses security in a very specific way. It calls out wireless, Web applications and network security on a case-by-case basis and separately and details what you need to do. If you look at other compliance standards, such as California 1950, Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley, the execution needs more work. A lot of retailers still haven't done anything. There is so much confusion. They don't know if they will fine anyone, so they are just waiting. Enforcement and execution is what we need.
Weinschenk: What should retailers do in order to comply?
Khera: Go through each requirement and create a list of what is in place, what needs to be in place, and start planning. My suspicion is reasonably sized networks have stuff in place. Everyone has firewalls, routers. I think they'll lack implementation expertise. Right now, the focus is on Web application security and wireless security. They must sit down and say how they move forward. They need to make a plan. We are also a PCI-approved scanning vendor, approved by the PCI Council. We can also do it as a service.
Weinschenk: It sounds like it will cost money, which isn't a good thing in this environment. Is that so?
Khera: There are additional burdens on the retailers, especially the small ones. There are additional costs that were not planned for. Visa, MasterCard and others must figure out how to help them, perhaps by creating a financing plan for retailers who can't afford it. If the poorer retailers are not making money [it is tough for them to comply]. I haven't heard anything on that, but it may be an interesting approach.