PCI Gets Proactive About Data Security

by Lora Bentley, IT Business Edge
Aug 25, 2006 12:00:00 AM

Lora Bentley spoke with Mitchell Ashley, StillSecure CTO, and Rick Dakin, president of Coalfire Systems.
Bentley: Do you mind briefly outlining Payment Card Industry compliance best practices for a level-one merchant?
Ashley: What I like about the PCI requirements is they're a great definition of what best practices are. Any organization, whether it's being audited for PCI or not, can leverage the requirements. That said, you must have good security practices for standard technologies like firewalls and anti-virus already in place. PCI helps promote the use of things like network access control, vulnerability management and intrusion prevention, so for organizations mature in their security abilities, those are typically the areas that they take on next ... that way, they're more proactive about security.


Firewalls, anti-virus, encrypting data — those are all measures put in place that affect things in real time. The moment data is sent over the network, it's encrypted. If someone sends a virus, we're going to block the virus or prevent it from spreading. Things like network access control and vulnerability management add to that the ability to know where there are security issues in the network, which we can then proactively resolve before someone tries to attack the network and gain access to sensitive data.
Bentley: Why is it that only 25 percent of level-one merchants are PCI-compliant given that the standard specifically sets out what is required to achieve compliance, and especially in light of the fact that enforcement has been stepped up?
Dakin: The simple answer is because PCI compliance is new and difficult. As an industry requirement, rather than federal, the control environment for PCI is extremely meticulous. The PCI controls are more rigorous than any other requirement that Coalfire audits to, even more so than government audits to classified facilities. There is a false perception in the marketplace that these level-one merchants don’t care. All Coalfire level-one audit clients have PCI compliance as a very high priority and are making significant investments to deploy new or enhanced controls. For many enterprise programs, this process requires extensive support from a special breed of solution provider, like StillSecure, who can introduce and deploy the new control.
Bentley: We've read that Visa recently upped the compliance requirements for lower-level merchants. Can you speculate as to why the industry would do so and how those new requirements will be enforced?
Ashley: This is a recognition that attackers who want to gain access to customer card data will go to the point of least resistance. In anticipation of that, the PCI standard is now being applied to level-four merchants. While the greater volume of processing happens at the level-one merchants and processors, we also need to be proactive and make sure that someone can't gain access to that card information [via a merchant] that handles a lower volume of transactions. [The industry has] created this process where there's a self-assessment that a level-four merchant can do. Based on that, they can also move into having external scans performed. They can do that for themselves or they can use a service offering to do that. That will inform them where they have potential security issues. I think it's a very smart move on Visa's part to be proactive about this.
