It's more than just PCI for Retail
In an article on infosecurity.com this week, there’s news that as of Oct 1, 2012 Visa is waiving the requirement for US merchants to annually validate their compliance with the PCI Data Security Standard (PCI DSS) – *if* 75% of the merchant’s Visa transactions come from chip-enabled terminals that support both contact and contactless chips.
Part of Visa’s plan to accelerate migration to the new chip technology is to eliminate the need to annually validate PCI compliance, which I think is a bit short-sighted. Here’s some of the “small print” from Visa:
Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.
OK, that’s great, but who is enforcing this? In most cases, validation drives compliance, which drives security (or at least budgets). So what will happen when validation goes out the window? While achieving PCI compliance isn’t necessarily the “end-all” solution to security problems, it certainly pushes merchants in the right direction and adds structure to an already hectic environment (considering the frequency of card breaches popping up in the news). According to the 2011 Verizon Breach Report, 89% of organizations that suffered breaches were not validated PCI compliant.
With PCI compliance validation all but off the table, we have to trust that other security measures won’t fall short. How do merchants “ensure” (as Visa states) that they are not storing track data, security codes, PINs and so on? As Gartner’s John Pescatore recently pointed out, “There is a big difference between compliance and security.”
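One concrete way a merchant can check the “do not store track data” condition itself, added here as an example and not code from the original post or from Visa: a scanner that flags log lines containing magnetic-stripe track data in the ISO 7813 Track 1 / Track 2 layout, Luhn-checks the PAN to cut false positives, and reports only a masked PAN so the report itself does not become another store of card data. The log lines are constructed for the example.

```python
import re

# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 format B: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits (the usual PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (kind, masked_pan) for each Luhn-valid track record in a line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    return findings


def scan_lines(lines):
    """Return (line_number, kind, masked_pan) for every hit in the input."""
    return [(n, kind, masked)
            for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]


# Constructed sample log: a clean line, a Track 2 leak, a Track 1 leak,
# and a decoy that looks like Track 2 but whose PAN fails Luhn.
SAMPLE_LOG = [
    "2012-10-01 12:00:01 POS01 sale approved auth=123456 amount=42.10",
    "2012-10-01 12:00:02 POS01 DEBUG swipe=;4111111111111111=15121011234567890?",
    "2012-10-01 12:00:03 POS02 DEBUG swipe=%B5500000000000004^DOE/JANE^1512101?",
    "2012-10-01 12:00:04 POS02 order ref ;1234567890123456=1512101?",
]

if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} data found, PAN {masked}")
```

Point it at POS application logs, debug dumps and database exports; any hit is stored track data that PCI DSS forbids, regardless of whether anyone is validating compliance.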
Even though Visa may not be requiring audits for qualifying merchants, it is important to consider the larger security picture beyond just collecting logs. Retailers and other third-party vendors have a responsibility to keep consumer data secure, and to do so, they need a fully featured security intelligence solution to correlate log data, network flows, asset configurations, device & network vulnerabilities, and (internal / external) threat data into one consolidated view, with a goal of exceeding PCI control objectives. Not just to meet Visa’s requirements, but to uphold their duty to protect consumer information. After all, it’s good for business.