Network Computing is part of the Informa Tech Division of Informa PLC


PCI And The Circle Of Blame: Page 2 of 11

This isn't to say that card brands and many merchants aren't serious about security. They are. There's broad consensus that the requirements outlined in PCI represent a sound--some would even say remedial--security architecture. But security is expensive and complex, and merchants operate on razor-thin profit margins. PCI creates a financial incentive to seek the least expensive path to compliance.

At the same time, Visa and other card brands have a vested interest in demonstrating the success of the initiative by touting a broad adoption of the standard, which means they may not look too hard at whether PCI is actually making credit card data more secure.

If a compliant merchant is subsequently breached--and more successful attacks are inevitable--the card brands have created enough ambiguity in the system that they can shuffle blame by saying the merchant failed to properly interpret PCI standards ... even if the merchant passed its audits.

RUN THE NUMBERS

PCI divides merchants into four levels based on their annual credit card transactions (see table, p. 32). A merchant's level determines the steps it must take to comply with PCI regulations. Level 1 merchants, the largest U.S. retailers, make at least 6 million transactions annually. Those on Level 1 undergo annual audits by Qualified Security Assessors trained by the PCI Security Standards Council, an entity created by the card brands to write the PCI standard. The assessor, or QSA, works with merchants to ensure that they meet all the requirements laid out in the PCI standard. QSAs report on merchant compliance to the institutions that process credit card transactions, called acquiring banks; banks then report on merchant compliance to the card brands (see diagram, p. 36).

Level 2, 3, and 4 merchants aren't subject to QSA audits. Instead, they fill out self-assessment questionnaires to measure their compliance with PCI and undergo quarterly vulnerability assessment scans by qualified scanning vendors.