Tuesday, October 7, 2008

Regulate for Profit – Part 2

Here are a few more random thoughts I would like to add to my previous posting “PCI SSC Show Their True Colors – Regulate for Profit!

PCI SSC’s Justification

Although not posted here, I had some feedback on a couple forums and second hand information from someone that attended the latest PCI Community Meeting in Orlando, Florida. PCI’s justification for the fee is that they want to be self sufficient and independent from the card brands. This is good in theory if you ignore two glaring obstacles:

  1. The card brands make up the entire executive committee

  2. A majority of the General Managers and Working Group Chairpersons (possibly all, some titles are missing) are people that represent the card brands

Independence cannot be achieved until these two obstacles are addressed.

Why List?

Reading some of the latest notifications from Visa, Visa is not requiring applications to be “listed.” Visa’s wording on their mandate notifications is “PA-DSS compliant applications,” with no mention of a listing requirement. I’ve also heard that QSA’s are being taught that they cannot rely on any PABP or PA-DSS list and instead should do their own assessment of applications used by merchants. This means that PCI SSC does not have any faith in the PA-DSS assessments or the list they are maintaining (for $1250 a pop!).

So if the card brands are not requiring any list and PA-DSS has no faith in the assessments on file or their list, what’s the point of the list? Oh yeah, I forgot – PCI SSC’s independence.

Make It Useful

Ok, I’ll pause from my slamming and throw out some ideas to make this list useful.

  1. PCI SSC should have faith in their own program. If there are areas of concern like assessments of varying degrees of quality, then fix the program to have more quality assurance – with all the SDLC requirements in PA-DSS for application vendors to promote some level of QA, why shouldn’t the QSA’s have some of the same checks?

  2. PCI SSC should allow and encourage QSA’s to refer to “the list” to streamline merchant assessments. QSA’s should give all applications a quick peek to make sure the applications are properly configured but they should not have to do a complete assessment of every application from scratch.

  3. The card brands should allow “safe-harbor” for fines in the event of a breach if a listed application was breached and was properly configured.

Parting Shot

PA-DSS list should provide benefit to merchants and various other parties involved. As it stands right now, the PA-DSS listing fee is nothing more than a revenue stream for PCI SSC with no benefit. I think if my “make it useful” suggestions were implimented, then the list becomes useful and the $1250 would not be considered simply a tax or tribute.

Friday, September 5, 2008

PCI SSC Show Their True Colors -- Regulate for Profit!

PCI compliance for merchants has always been costly. PABP compliance and certification for POS vendors has always been costly as well. Earlier this year, PCI DSS announced a deal with Visa to bring under PCI DSS's wing the Payment Applications Best Practices or PABP program. Now with PCI DSS taking over the PABP program, it is morphing into PA-DSS. So far, so good, no issues – same program, a different acronym – or so we thought.

In concert with this program transfer, Visa recently published a timetable forcing merchants to only use PA-DSS approved applications. This mandate included various deadlines based on different factors and 100% compliance by July 1, 2010. This means that by July 2010, every point-of-sale (POS) application that touches credit card data must be on the PA-DSS approved list. Well, now a little nervousness sets in but for the most part, no big deal – or so we thought (unless of course, you're a merchant using legacy POS applications).

Well, the other shoe dropped today when the PCI Security Standards Council notified payment application vendors that there will be an annual listing fee attached to being on the PA-DSS approved list. My company received the following notification today from PCI-DSS:

Dear Steve,

On April 15, 2008, the Payment Card Industry Security Standards Council (PCI SSC) launched the PA-DSS program (Payment Application Data Security Standard). This program was formerly under the supervision of Visa Inc. and known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties.

Your application is currently listed on the Visa website as PABP approved. On October 1st, 2008, Visa's list will be transitioning over to the Council. Each individual application grandfathered over to the Council's list will be given an expiration date based on the version of PABP it was validated against. There will be an annual listing fee will be $1,250.00 for each application. Please see the attached chart for more information about this date. We have attached an invoice with all of your PABP applications. Please send the PA-DSS Program Manager, Nina Beardsley, an email at pa-dss@pcisecuritystandards.org if you do not want all or some of your applications on the new list or if you have any further questions about this transition.


Nina Beardsley
Nina Beardsley
PA-DSS Program Manager
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Attached to this notification was an invoice demanding payment by 10/1/2008 or be removed from the list. The problem here is that Visa and MasterCard have mandated that merchants only use payment applications on the approved list so paying this fee is mandatory. My feeling is that this is nothing more than an extortion letter.

Upon reading this notification, I immediately responded to PCI DSS asking for a justification of the fee. So far, no response and I really don't expect one. I also called PCI SSC directly to verify the notification because it had such a scam smell. Much to my surprise and dismay, they confirmed it was legit. Now the program I have been promoting as “good for the industry” reeks of a scam. Let's do the math:

While Visa's current PABP list may only have a few hundred approved applications (under 1000), once the various deadlines approach, the PA-DSS approved list could easily exceed ten's of thousands of applications. If you conservatively estimate 5000 applications to be on the list by 2010, that's 5000 x $1250 = $6,250,000 in annual recurring fees! For what?
  • Maintaining a list of approved applications on a spreadsheet
  • Maintaining a security document that paying members debate about what gets added and changed in the requirements
  • Moderating these member forums
  • Setting up various “for fee” events to discuss changes among the paying members
  • Publishing this PA-DSS approved list and security document on a website
This revenue does not account for the fees PCI DSS receives from training and annual certification of the QSA's and ASV's – the people required to do the security assessments and security scans. This also ignores the revenue for the PCI-PED side of the PCI DSS house where all payment terminals are certified. Hmm, if it walks like a duck, swims like a duck and quacks like a duck, it must be a cash cow!

I would not be surprised if Bob Russo and several behind-the-scenes puppet masters will be getting a significant pay hike and bonuses over the next few years. I think the card brands need to scrutinize this entire relationship and program. At best, they have created a monopoly situation. At worst, they have enabled a scam.

As you can tell from my tone, I’m ticked. I now feel I have been promoting a scam. A program I thought was good for the industry now has to be scrutinized to determine the true intentions. This is going to stifle innovation. How many small and start-up software development companies are going to be able to afford the $5-50K for a PA-DSS audit of their application? Once approved, how many will be able to afford the $1250 annual listing fee? What is going to happen with many of the open source POS projects that are starting to gain traction in the industry? Who is going to pay these fees?

I welcome your thoughts especially if you are a POS vendor.

Since the original posting, this related story was published on StoreFrontBackTalk:

Saturday, May 3, 2008

PCI, the New Kid in the Block (not the only kid)

I just finished two days at a PCI conference in Delaware and I’m writing this as I fly back to Vegas – technology is great now-a-days. The Payment Card Industry Compliance in Hospitality Conference held at the University of Delaware Courtyard by Marriott Hotel – it’s a training hotel for students looking for careers in hospitality management. The University of Delaware were great hosts.

The conference was targeted toward hotel and restaurant merchants. I’ll be honest; I thought the conference was going to be just another “PCI is great, you must comply” event where speakers ramble off a bunch of FUD. I was pleasantly surprised to find my preconceptions were wrong – so much so that I’m suggesting to my company that we become a sponsor for a future conference.

I think what surprised me the most was the format. The format was closer to a round table discussion than a lecture like I’m used to seeing. Audience questions were encouraged, not just at the end of each session, but throughout each session. One interesting session was a real life experience from the eyes of a Director of a hotel merchant chain. He detailed the five stages of grief his organization went through when PCI compliance, actually DSOP (AMEX’s version of PCI) was brought to their attention and how they became compliant.

Another nice change was that there was a lot of focus on multiple security and privacy laws and programs, not just PCI. The theme was to create one set of goals to comply with all the laws and programs that might apply to a particular merchant: HIPAA, FACTA, SOX, GLBA, PCI, etc., etc., etc. The only real FUD was the fact that while parts of PCI overlap one or more of these laws, if you’re breached, the fines and consequences associated with PCI may be the least of your worries.

There was a couple product/service demos to round things out. I was impressed that tokenization was actually mentioned by a few of the speakers (including Bob Russo, General Manager of PCI SSC). I guess the word is getting out.

The one big thing I’ve come to realize is that many level 4 merchants are going to have a difficult, if not impossible time fully complying with PCI. Not directly because of a security weaknesses, but indirectly because of process management in the payment application environment. One big problem I noted was that PCI requires that all patches be tested prior to implementation. The literal interpretation of this, which forensic analysts are taking in the event of a breach, is that every O/S and third-party vendor application patch must be tested by the merchant in a testing environment prior to roll-out. Most level 4 merchants I know don’t have the money, time, or resources to fulfill this requirement. This requirement will be difficult for all merchants to comply with, but level 4’s just because of their smaller sizes, are going to feel the pain the most. I think something will need to be adjusted here because if a significant percentage of these merchants can’t or won’t comply, then what the point?

I always say focus on security and compliance will follow. I still firmly believe this but for level 4 merchants, my recommendation would be to be as secure as possible to prevent the breach. If you can accomplish this, then you won’t have to cross your fingers for the forensic interpretation of your processes.

I recommend this conference if and when it is held again. For information on the conference, try here: http://www.hospitalityitcompliance.org

Friday, April 18, 2008

2008 Annual ETA Meeting & Expo -- Been There, Done That, Got the T-Shirt

Another ETA annual meeting has come and gone. For at least the third year in a row, PCI is the buzzword – not “a” buzzword, “THE” buzzword. I find it strange that while the various payment security programs like CISP, PCI, PCI-DSS, PABP, PA-PED and now PA-DSS have been evolving for years, the confusion level among the attendees stays consistent. I’m not sure the reason. Some of my thoughts on possible reasons are (in no particular order):

  • Maybe new people are entering the industry faster than the industry can educate?
  • Possibly the initial confusion level was higher than it appeared and this confusion is being rationed over time?
  • Maybe this is normal when attempting to apply security terms and techniques to a mostly non-technical community?
  • Maybe the evolution process of these programs is happening at a faster pace than the education of the industry that must abide by the programs?
  • Maybe I’m just totally misreading the confusion level of the attendees and it’s the exhibitors that are confused?

Whether or not any of these are true or multiple factors are involved, a focus of the entire meeting was on education and in this regard the ETA hit a home run. Keep up the good work.

Exhibitor wise, this show goes in cycles – probably not unlike most industries. What is in today will be old tomorrow and what was old will be new again. Ignoring PCI (because that’s been a consistent vendor buzzword for years now), from what I remember, three years ago the buzz was Dynamic Currency Conversion or DCC. Two years ago terminals seemed like the hot item – terminal hardware manufacturers, terminal software developers, and terminal deployment & support vendors. Last year virtual gateways seemed to be in vogue – everyone and their brother had some form of a virtual terminal implementation and a few offered POS integration. This year terminals seemed to make a come back although due to industry “consolidation”, less terminal manufacturers but the terminal software developers picked up the slack. Will DCC be next year’s new thing? (GOD I hope not) I guess we’ll have to wait and see…

Friday, April 11, 2008

Ooo, look at my muscles – I’m So PCI Compliant

Big muscles

The big myth right now that many merchants face is that PCI compliance means security. Unfortunately for merchants that are spending thousands, and hundreds of thousands and sometimes millions of dollars upgrading their systems for compliance, this is not the case. Compliance does not equal security. In fact, even a successful PCI audit only reflects a point in time so technically a merchant is only “certified compliant” at that specific point in time.

Hannaford did everything they could to be PCI compliant. From what I have read, they did not cut corners or go the cheap route with compliance. IMHO the problem was too much, maybe exclusive, emphasis on compliance and possibly not enough emphasis on security. I’ve said it before and I’ll say it again, focus on security and compliance will be a byproduct.

One last point I would like to drive home about why security is so important. Over the years I have had the opportunity to speak with various people in the industry. One ex-MasterCard mucky-muck told me that the card associations view EVERY breach as a compliance failure by the merchant. In other words, if you are breached you will be found out-of-compliance and fined – period. If you are focusing on compliance to reduce your risk of a fine, give it up; focus on security instead.