WAKEFIELD, Mass. — Addressing a key retailer concern, a payment card industry group has launched a program designed to bring greater consistency to the auditing process retailers must undergo to prove that they are adhering to a credit and debit card data security standard.
Based on feedback from retailers and others, the PCI Security Standards Council here developed a quality assurance program for the various companies — known as qualified security assessors (QSAs) and approved scanning vendors (ASVs) — that inspect retailers' store systems and networks for compliance with the Payment Card Industry Data Security Standard.
“We need to ensure that all QSAs and ASVs are doing things with the same amount of rigor, at the same level, making it a level playing field for everyone,” said Bob Russo, general manager, PCI Security Standards Council. “Merchants can then be assured they're getting the same amount of rigor regardless of which they choose [to check PCI compliance].”
Created jointly by the major credit card associations, the PCI standard contains a list of 12 requirements encompassing security management, network architecture, software design and other measures designed to protect cardholder data. The associations established the council in 2006 to oversee the PCI standard.
Retailers that fail to adhere to the PCI standard are subject to higher processing fees, fines and a suspension of card processing. But even compliance with PCI standards is no guarantee of data security; earlier this year, Hannaford Bros., Scarborough, Maine, suffered a major security breach despite its claim that it was PCI-certified.
Still, the quality assurance program could at least bring predictability to the PCI auditing process, which observers say is missing. “Retailers' No. 1 complaint about PCI is inconsistency,” said Tony van Seventer, vice president of marketing and products at Store Next Retail Technologies, Plano, Texas, a provider of retail technology. “If the QSA wakes up on the wrong side of the bed and says, ‘No, you can't do it that way,' there's nothing the retailer can do about it.”
In addition to providing inconsistent interpretations of what constitutes compliance with the PCI rules as written, QSAs also vary in their assessment of “compensating controls,” said van Seventer. These represent alternative security measures that are “as good or better” than what the PCI standard prescribes, and they can be accepted by assessors in place of the prescribed control, he noted.
Moreover, some QSAs use their position as an auditor to promote their own technology as the answer to retailers' security needs, van Seventer said. “I've heard a retailer complain that a QSA told him if he buys [the QSA firm's] firewall, he'll pass the inspection.”
The quality assurance program could address these issues, said van Seventer. “If they do what they say, it will significantly reduce the uncertainty grocers have in spending money to meet the PCI standard.” It will also prevent food retailers from giving up entirely on PCI compliance, he added.
A Hannaford spokesman, Michael Norton, declined to comment on the quality assurance program.
Since its inception, the PCI Security Standards Council has vetted PCI assessors and listed approved companies on its website, www.pcisecuritystandards.org. Assessors need to undergo annual training and recertification to stay on the list, which currently includes 165 QSAs and 145 ASVs.
The quality assurance program takes that oversight further by requiring assessors to provide the council with their own internal quality assurance policies, as well as detailed reports on their compliance audits (without the names of retailers).
“We want to see that they are doing it correctly, and not simply asking questions and checking a box,” said Russo. In addition, the council will verify that assessors have stored information on each audit.
The dozen or so companies that handle 80% of PCI assessments will undergo an annual review under the quality assurance program, while other companies will be reviewed every three years, said Russo. Companies involved in a data breach or subject to merchant complaints would get faster attention, he added.
Assessors that don't pass muster under the program will “go into remediation” and be marked as such on the council's online list. They would have 30 to 90 days to correct their issues or be dropped from the list.