Security Alert - PCI DSS Compliance

Grocery Headquarters, Vol 73, #5 - 05/2007

Recently, while attending a national meeting, I overheard a rather heated argument about why the Payment Card Industry Data Security Standard (PCI DSS) is a bunch of ___. Well, you fill in the blank. I only wish it were true. The grocery industry has been the victim of many security compromises, most of which have been kept very quiet. It is public knowledge that Stop & Shop suffered breaches several months ago at a number of stores. What is not known is how many other grocery stores have experienced security breaches.
 
In our work we have become aware of numerous compromises in the industry, and a number of common threads have emerged that are instructive. The following are examples of actual occurrences. The names, locations and other identifying characteristics have been masked.
 
Case No. 1: A grocer had very poor password protection in place. A significant number of employees knew other employees’ passwords and regularly used other employees’ computers.
 
One or more passwords were compromised and malicious code was inserted into the computer system, which allowed access to the system and caused the loss, disruption and corruption of vital data, including credit card numbers.
 
The grocer thought that it was compliant with PCI DSS because a penetration or vulnerability scan had been done.
 
Result: The cost to the grocer exceeded $30,000.
 
Case No. 2: A grocer failed to keep its virus protection up to date. An attack from the outside was done through an open port. The virus protection had not been updated in more than three years. Malicious code was introduced into the system, which caused the loss, disruption and corruption of vital data, including credit card numbers.
 
The grocer had thought it was not required to comply with PCI DSS because it did not do any Internet transactions. In fact, prior to the breach, the grocer was unaware of the existence of the standard or its requirements.
 
Result: The cost to the grocer exceeded $35,000.
 
Case No. 3: A supermarket operator had no physical security surrounding the servers at either its store locations or its corporate headquarters. A disgruntled employee removed a hard drive from one of the servers that contained a significant amount of data, including credit card numbers. The grocer had contemplated PCI compliance but decided that the cost outweighed the benefits.
 
Result: The cost to the company exceeded $25,000.
 
In each of these examples, compliance with the data security standard would have prevented the loss. So why don’t grocers comply?
 
Here are five commonly held myths about PCI DSS:

  1. I don’t need to comply. False: All merchants that accept, store or transmit credit card data must comply. It does not matter if all the transactions are face-to-face (card present) or non-face-to-face (card not present).
  2. I had a penetration scan; therefore, I am in compliance. False: Penetration scans or vulnerability scans are required of all merchants. However, this is only one component and does not cover the majority of what must be done.
  3. It can't happen here. False: Security breaches happen anywhere and everywhere. No area is immune. The majority of breaches occur because of employees.
  4. I will never get caught if I don't comply. False: Significant and increasing effort is being placed on identifying merchants that have not complied.
  5. It does not matter what I put on the required self-assessment questionnaire (SAQ). False: What you answer on the SAQ matters. There are 75 questions, all of which must be answered "yes", with the exception of several that are not applicable if no wireless system is involved. The SAQ is like a tax return: once it is submitted to your acquirer (processor) it will haunt you forever. Fabrication on the SAQ will cause termination of card-accepting privileges.

The future is now, and it is only getting more complex. After five years, there is simply no more tolerance for non-compliance. In 2006 direct fines to merchants from Visa exceeded $5 million. This does not include the penalties imposed by individual processors, the actual cost to remediate and repair breaches or the damage to a store's reputation when it is made public that a breach has occurred.

The requirements and penalties continue to increase. Merchants are subject to both civil fines and criminal (yes, criminal) penalties. An additional layer of requirements is scheduled to become effective in June 2008, and updates to the requirements are being issued almost monthly.

There is a light at the end of the tunnel for those that comply correctly and completely. As a part of the Leahy-Specter bill currently in Congress, known as the Personal Data Privacy and Security Act of 2007 (S-475), there will be safe harbors.

PCI DSS works. But it only works if it is applied correctly, completely and with the assistance of experienced hands.