• As many as 65% of merchants are still not PCI compliant
• Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions·
• Many retailers still don’t have a clear view of compliance, and cannot effectively identify gaps
• The first steps to PCI compliance are a thorough internal assessment and gap analysis – many merchants skip these steps and launch multiple costly projects
• PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments
• The framework is comprehensive and effective but adherence to the specific standards is often challenging – primarily due to the complexities involved in both program design and implementation
• Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS.  Specific obligations vary based on transaction volumes.
• Focus right now is on the Level 4’s.
• TJX subject to 20 years of mandatory computer systems audits after massive breach

Challenges

• Providing adequate and clear program management for all of the entire spectrum of PCI remediation activities (60-70% give to “Compliance guy” and typically fail.  Should go to senior security guy)
• Accurately scoping requirements throughout the organization, including remote sites and international operations
• Evaluating and then implementing a wide variety of complex technologies – including encryption
• Redesigning or replacing internal applications and payment systems to adequately protect cardholder data
• Developing, implementing and enforcing new or revised policies and procedures across the entire organization
• Differing opinions with auditors regarding PCI compliance requirements, especially related to the concept of “Compensating Controls”
• Verifying PCI compliance for 3rd party partners that process data on behalf of the merchant

Differences from PCI DSS 1.1 to 1.2

• Active monitoring plans for all 3rd party PCI Service Providers (Requirement 12.8)
• Visits to offsite data storage locations at least annually
• Mandatory phase out of weak encryption for wireless networks
• Additional requirements for the use of “Compensating Controls” for specific PCI security requirements
• Assessor testing procedures changed from “Observe the use of…” to “Verify the use of”
• Quality assurance program for PCI assessors
• Process restricts or eliminates assessors from performing PCI work due to poor quality assessments
• Assessors must now go beyond cursory observation of security controls and provide statistical samples
• Assessors now going much deeper to include verifying individual system settings, requesting and analyzing configuration files, studying data flows, …

The Cost of Compliance and Non-Compliance

• According to a comprehensive Forrester Research report on PCI compliance, companies spend between 2%-10% of their IT budget on PCI compliance
• Credit card companies are levying fines on non-compliant merchants
  • Up to $25,000 per month for each month of non-compliance for L1’s ($5,000 for L4’s)
  • $10,000-$100,000 per month for prohibited storage of magnetic stripe data
  • Up to $500,000 per incident if a confirmed compromise occurs
  • Continued non-compliance may result in revocation of CC processing privileges
• Banks and acquirers may increase processing fees for non-complinat merchants.  In 2008, one retailer estimated an annual increase in operational costs of $18 million due to this increase in processing fees on VISA card transactions alone.
• Banks and acquirers can often pass on damages they incur to merchants
• Repeat or additional PCI assessments & internal audits

Corporate Compliance Framework

• Although PCI provides compliance requirements in most areas, it’s only a subset
• ISO 27002:2005 is what they used for PCI
• Good general requirements, but no explanation on how to do it
• PCI sets best practices
• For example, ISO 5.1.1 maps to PCI 12.1, 12.4, and 12.6.2

How to “Sell” PCI Compliance to Senior Management

• Gloom and Doom
  • Fines and sanctions will sink us
  • Probability of success 40-50%
• The PCI Umbrella
  • We need these 15 projects and ten new security products to be PCI compliant
  • Probability of success 40-50%
  • Who has done the gap assessment
• The Long Term Approach
  • If we achieve PCI compliance we will also be well on our way to other requirements
• PCI compliance is not a project or technology based solution – it is being able to demonstrate that an organization has the means in place to protect sensitive information
• Use as a building block to sell to senior management