When the FTC on Monday announced a probe into how PCI operates, it threatened to shine a light into how merchants deal with payments security. Even for merchants — who typically express bitter resentment about the paperwork-intensive and labor-expensive PCI process — it's an uncomfortable area to probe. And that is because, despite retail's long-term resistance to PCI, retailers know that it has sharply improved security.
In other words, retailers understand that PCI is far from perfect, but it's probably a lot better than the same process tweaked by FTC rules. The devil you know. The FTC probe will be examining, among other things, potentially excessive charges, inconsistency in enforcement, card brand influence and rampant conflicts of interest.
But as bad as those things sound, the complicated business realities of PCI make some of them more understandable. Let's start with conflicts of interest.
That conflict-of-interest issue is all about the ability of qualified security assessors (QSA) to also sell to clients the software/hardware/services that they recommend as PCI-compliant. That is a very real and very unmistakable conflict of interest. When I've talked with QSAs about this point, however, they candidly said that they couldn't afford to do those assessments if they didn't have the chance to make those sales.
The PCI Council doesn't pay for those QSAs. Indeed, the QSAs pay them, in that they pay a fee for the training courses and materials they need to be accredited. If QSAs couldn't make those sales, most, if not all, of those firms wouldn't financially be able to justify performing those assessments. And the council isn't in a position to pay for QSAs, so the whole system would collapse.
Now we go back to the FTC. Is there a true conflict of interest that might be hurting companies? Yes. But is trying to stop that conflict going to do more harm than good? Quite possibly. One way around that would be a huge change in the system. If Congress wanted to use federal dollars to pay for QSAs and to have them act as any other federal employee, that could get around the conflict.
It would, however, also likely lower the quality of the people willing to be QSAs. QSAs are technical roles, and the more experienced QSAs can make a lot more money in the private sector than as government employees.
Now let's look at enforcement inconsistencies. This comes from the fact that different QSAs — even ones working for the same company — can interpret the PCI rules differently. Secondly, there are some QSA firms that have the reputation of being more lenient than others. Given that companies choose which firm to hire to do their PCI compliance assessment, this is a bit of what is known in legal circles as judge-shopping.
I will defend most of those QSAs, in that they have honest differences about how the guidelines apply to different company situations. The guidelines are deliberately written vaguely, to give those QSAs — the people out in the field — flexibility in applying the rules to very different scenarios.
There is something that is behind the different interpretations, and this is a core reality of PCI. The PCI guidelines impact every business that accepts payment cards. That means that ExxonMobil, Hilton Hotels and Walmart have to adhere to the identical security rules that impact the one-store Phil's House of Bait, a folding-card-table merchant at a flea market and a single-location dry cleaner.
Don't you think that's a tad bit unrealistic? By forcing PCI to create one set of rules that apply to such a ludicrously diverse group of merchants, the council has little choice but to write those rules vaguely. In short, the nature of PCI from the very beginning created the situation that has produced these inconsistencies. (PCI does have different levels, and smaller merchants have different options — such as self-reporting — but the core security rules are the same.)
As for card brand influence, that's easy. Yes, there is intense influence by the likes of Visa and MasterCard. But is that necessarily bad for the industry, for merchants, for consumers or for anyone? Influence on its own is not necessarily bad. It's how that influence is used that matters.
Excessive charges? There again, the PCI Council offers a lot of services. What might seem excessive may be barely break-even to a QSA.
None of this is news to the FTC, and it's part of the reason for the investigation, which the FTC is officially calling a study. "We have heard these issues," said David Lincicum, an FTC attorney in the division of privacy and identity protection, who is the lead attorney on the study and is also managing it. "We go into this looking to get information, to get some details about what the interactions look like."
Lincicum said that there wasn't any specific incident that prompted the probe. "It's become clearer and clearer that PCI is playing a major role" in payments today, he said. "We want to look at all of the ecosystems of the assessment, who has a role in it. The general effectiveness of the assessments. We will see what we will see."
The FTC statement listed nine companies that are the initial direct targets of the probe: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).
There was an interesting bit of government trivia in how the FTC decided to initially look at nine companies. Attorneys concluded that the Paperwork Reduction Act of 1995 would force the initial study to look at only nine companies so that the amount of paperwork generated didn't hit the act's limit, Lincicum said. Beyond that limit, agencies need to get approval from the U.S. Office of Management and Budget.
As for how the FTC selected those companies, Lincicum said, "We tried to look at a variety of size and location" as well as the size of the merchants that different companies were assessing.
But of much greater interest are the specifics of the initial probe, as spelled out in the federal orders sent to those companies. Among the specific demands being sent were:
- "State whether the Company has any policies or procedures relating to potential conflicts of interest, including, but not limited to, any policies that prevent the Company from providing Compliance Assessments to clients to which it has also provided another type of service, or that concern the marketing or provision of other services to clients for which You have provided a Compliance Assessment. State whether the Company has any policies or procedures relating to potential conflicts of interest, including, but not limited to, any policies that prevent the Company from providing Data Security Forensic Audit Services to clients to which it has also provided another type of service or that concern the marketing or provision of other services to clients for which You have provided Data Security Forensic Audit Services."
This directly gets into the conflict issue and will explore how much revenue QSA companies are getting from sales of the services/products they determine are needed.
- "State whether the Company performs PCI DSS Compliance Assessments and, if so, describe the nature of the service, the length of time that the Company has been certified to perform PCI DSS Compliance Assessments, the process by which the Company became certified to perform these Assessments, and the number of Compliance Assessments that the company has performed annually for each year of the Applicable Time Period. For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You declined to provide: 1. a “Compliant” designation on the Attestation of Compliance (“AOC”); or 2. an “In place” designation on the final Report on Compliance (“ROC”). For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You provided: 1. a “Non-compliant” designation on the AOC; or 2. a “Not in place” designation on the ROC. vi. If there is any difference, explain the reason for the difference."
This gets into the "easy grading" issue.
- "The Company’s pricing structure for Compliance Assessments and typical cost to clients of Compliance Assessments."
Just what every QSA wants: a government investigator shining light on its pricing policies. Pricing "is clearly a sensitive issue," FTC's Lincicum said.
- "The method by which the scope of Compliance Assessments is determined, including but not limited to, the extent to which a client or any third party, such as the PCI Security Standards Council (“PCI SSC”), a Payment Card Network, Acquiring Bank, or Issuing Bank, is permitted to provide input into the scoping of Compliance Assessments; the policies and procedures for completing a Report on Compliance (“ROC”), including, but not limited to a discussion of whether a draft report is created, whether that draft is shared with the client or any third party such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank, whether the Company accepts input on the draft from the client or any third party, and whether the Company ever makes changes to the draft report based upon the client or other third parties’ input."
Ahhh, yes. This gets into the question of the degree to which PCI is a puppet of the card brands.
- "State the annual number of the Company’s Compliance Assessment clients that have suffered a Breach in the year following the Company’s completion of the Assessment for each year of the Applicable Time Period. For each such client, state whether it was subsequently determined not to be PCI compliant and provide the date of the initial Compliance Assessment and any communications between the Company and client or any third parties such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank related to the Breach."
Here's another popular request. The FTC plans on exploring the relationship between being declared PCI-compliant and the number of subsequent data breaches. A very old problem with PCI has been the card brand tendency to apply revisionist history to data breaches. No compliant merchant has ever been breached, they say, because when a compliant merchant has been breached, the assessment is re-evaluated and the compliant status is invariably removed. It's classic 1984-think: PCI works, so if any PCI-compliant merchant is breached, they couldn't really have been compliant.
The problem there goes beyond it being a self-fulfilling prophecy. It stems from the flawed assumption that PCI compliance somehow equals that mythical perfect security — one that can't ever be defeated by a bad guy.
"Just because there was a breach doesn't mean that there was unreasonable security or a PCI violation," Lincicum said.
This article is published as part of the IDG Contributor Network.