CNP Expo: Scope of the Problem

May 22, 2014

The PCI compliance panel began with an update on the current state of PCI standards from Bob Russo, general manager of the PCI Security Standards Council . Russo spent the first part of this year in Washington, DC, testifying in Congressional hearings about the recent data breaches at Target, Neiman-Marcus, and Michael’s. The question he got most often was, if these standards are so good, why are there still breaches? His response: “The standards tell you to lock the door every day, but they don’t lock the door for you.” He believes that while increased legislation enforcing compliance may not be a bad thing, no one in Washington will create better standards than the ones that already exist in the industry.

Ruston Miles, chief of product innovation for Bluefin Payment Systems broke it down for merchants: “What is in scope? Whatever stores, transmits, processes card data.” A complete PCI compliance strategy needs to address all three of these points. His advice to merchants is to take advantage of the coming terminal updates resulting from EMV compliance to get terminals that support EMV, tokenization and point-to-point encryption.

The larger the organization, of course, the more difficult it can be to gauge the PCI scope. Mark Johnston, product adoption manager for Infogix, said his company has been focused on “making sure merchants have an end-to-end view of what’s happening with customer data, especially in large organizations with lots of employees and vendors.” John Adams of the food and beverage service company HMS Host said he realized that “only 25-30 people out of 300 at the company actually need access to credit-card data.” They then found ways to isolate that data so that they come into contact with card data as little as possible. He mentioned that in addition to the firewalls they currently use, their organization is also looking into P2PE to further minimize their contact with customer card data.

Small organizations also face challenges with PCI compliance, one of which may be their own indifference. Small merchants shouldn’t think that because they are small, hackers won’t bother with them. Russo reminded the audience that “this ultimately isn’t about compliance, it’s about security.”

Moderator Giles Witherspoon-Boyd of SecurityMetrics summarized the keys to reducing scope for any business: “Make sure you have a partner, have a plan, and know your network. PCI compliance is not a ‘study-for-the-test-the-day-of’ kind of thing—it requires long term preparation. You need to read the standards and be aware of updates. Regardless of the size of your company, you can’t outsource responsibility.”