PCI Compliance: Does it Help or Hinder the Fight Against Fraud?Interview with David Taylor, Founder of PCI Knowledge Base
David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses:
Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.
TOM FIELD: Hi this is Tom Field, Editorial Director with Information Security Media Group. The topic today is PCI Compliance, does it help or hurt the fight against fraud? And we are talking with a definite expert in the field, David Taylor, Founder of the PCI Knowledge Base. Dave thanks so much for joining me.
DAVID TAYLOR: Happy to be here.
FIELD: Now, Dave, I know you have just done some research on PCI compliance; could you tell us a little bit about the goals of the research and what the major findings are?
TAYLOR: Sure. The organization has been doing a lot of interviews. In fact, since our founding 18 months ago we have done over 450 hours of interviews, all anonymous, and honestly, that is the only way to get people to talk openly about PCI, to grant them anonymity. It is such a sensitive subject, and when it comes to PCI and the implications for fraud and fraud management, we have been working with a group called the Merchant Risk Council to identify among fraud managers what kinds of helps and hindrances PCI compliance affords those managers.
I will tell you I think the biggest finding is, well, it is not always good. Honestly, when it comes to being complaint with a very rigorous data security standard, sometimes fraud managers who need to have confidential information, including things like credit card numbers to do their jobs, find it difficult to get access to that information. Sometimes they can't at all, and sometimes the rules of the organization have been changed and they find it really difficult to do some aspects of their job. Some of the people that we have talked to have worked around this, but others are frustrated I would have to say.
FIELD: So Dave, given what you have learned from people, what would you say is the good news about PCI compliance and the fight against fraud?
TAYLOR: I think one of the biggest pieces of good news is PCI and the data security standards are very effective at combating internal fraud. So when it comes to individuals who might, let's say, exceed their authority or have access to data that they shouldn't have access to, the PCI data security standards have helped organizations segment their environments, separating the cardholder data environment from the rest of the organizations, and that is true whether we are talking about financial institutions or merchants. But the whole notion of being able to keep people from having access to data that they don't really need, that has been one of the biggest accomplishments I would have to say of the PCI security standards.
The other thing is PCI mandates a variety of different kinds of logging and tracking of access to that information. So if a person, even an authorized person, gets access to a particular system where cardholder data is present, PCI mandates that that be logged. It is one of the things that companies maybe could do a better job at. I have to say that even though companies have been working with the PCI data security standards for a while, some of them do a very good job and others not so much, particularly when it comes to things like tracking the access to that information.
So that is the good news, but it also the not so good news. I mean you know, honestly, here is what we are finding is that when it comes to fraud management, PCI is really good at the internal stuff. But when it comes to external fraud, things that merchants have to deal with like chargebacks to credit cards, PCI compliance doesn't really help all that much with that at all in the sense that the fraud managers that we have interviewed -- they already have a whole set of tools that they use. PCI requirements require a bunch of different reports, a bunch of different data be collected, but unfortunately that data is not all of that much use to fraud managers. They are looking for a specific type of tool, a specific type of information and whether it is firewalls or intrusion detection systems, antivirus and the other controls that are mandated by PCI, fraud managers in general don't see the benefits from have those controls in place. So again, it is a good news bad news situation, I have to say.
FIELD: Well you anticipated my follow-up question, with the not so good news. Dave, what would you say are the major PCI challenges for the merchants in particular?
TAYLOR: Honestly, when it comes to most of the merchants that we talked to, because we have been working with the National Retail Federation and other groups to understand best practices ... We are finding the best practices among the larger merchants, the ones that felt the heat of the PCI fines and the mandates and the nasty grams, the letters saying you have to do this first, they are furthest along, so the major challenges for merchants are how do you, as a mid-size merchant or how do you as a small merchant implement the kinds of controls that PCI requires? Because we are talking now not just thousands of dollars, but somewhere between tens of thousands, hundreds of thousands and even millions of dollars. And so a challenge for a merchant is to kind of come up with money that is necessary to implement these controls, and beyond just paying for them it turns out that you can't just buy a technology and install it and be compliant. You have to change the way you do business, and a lot of retailers and a lot of ecommerce companies and restaurants, etc. they have been doing business the same way when it comes to data security for quite a while. The applications they use, the procedures they use, the way employees are trained has been ingrained for a while, so changing more than just the technology, changing the process and changing the employees and creating, if you will, a culture of security -- oh my God, that is a huge challenge.
FIELD: Now how about for banking institutions; what do you find to be their unique challenges?
TAYLOR: Well, you know the funny thing about the financial institutions that we have talked to is I think there is this assumption -- and it is not just within the banks. I think we tend to assume just looking at different industries from the outside as a researcher, an industry analyst if you will, the assumption has always been that financial institutions are in general much more secure than somebody like a lowly retailer.
But, when it comes to PCI compliance, one of the things that we have seen when talking with--and perhaps this is not true of the largest financial institutions because they do have a lot of money that they invest in information technology -- but mid-size regional banks and that sort of thing, they still have networks in some cases they haven't done this segmentation of the card holder environment in the same way and to the same effectiveness that some of the leading merchants have. So one of the things that I think is permeating the industry at this point, the financial industry, is that oh yeah, we have got a new PCI too; we have to do every bit of the security, every bit of the segmentation of the networks, every bit of the access controls that PCI mandates because honestly, from a procedural standpoint, guess what? Banks are no different from other types of businesses. The procedures that we use as financial institutions are no different than the ones that retailers use.
The assumption of trust is perhaps not quite as strong in the financial services industry, but still there are a lot of people with access to things like credit card data who don't need it. There is a lot of informal use of technology; emailing credit card numbers and other sensitive information like account data and debit card numbers, etcetera, emailing those things around and the rigidity that PCI and the data security standards mandate hasn't really been enforced in some of the mid-size and smaller financial institutions, even to the extent that it has in the largest of the retailers that we talk to. So I am not saying that retail is now more secure than the financial services industry, but I am saying that some of the leading retailers are more secure than some of the mid-size and even the upper mid-sized of the financial institutions, specifically relevant to PCI compliance. It is just that they have been working at it longer quite frankly, and that is one of the reasons.
FIELD: Dave let's talk about awareness. What needs to be done to raise the awareness level of PCI compliance with all the constituencies?
TAYLOR: Well, I know that one of the things. I was recently talking with Visa about this, because they are really one of the major instigators. All of the card brands are, but certainly Visa is one of the prime drivers of this, and they were telling me that they working with the Better Business Bureau. It didn't actually occur to me that that was a nice vehicle to do that, but what they are saying and what I completely agree with is if you are going to raise awareness of something like PCI compliance, and you are talking about let's say a mid-sized organization, you can't say 'Well, you should have somebody be a PCI manager.' That is not going to happen.
A lot of these people don't even have data security managers or security managers, security officers, so who do you appoint to own the task? Essentially you have got to -- if there is a head of technology, great, but if not then you are going to have to go to somebody who is an operations person for the business or maybe even the CEO. Some don't even have CEO's, so the President, owner, whatever. The point is to turn this into a business issue and make people understand that it is not a data security problem or even a security problem; it is a protect customers and their information and ensure that when a company does business with your company, and when an individual comes to do business with your company, whether it is a dry cleaning shop or a small regional chain of restaurants, or whatever, the point is to give people an awareness that this is customer satisfaction, this is customer confidence and make people understand that there is business value to be had in spending the money. And it is a money issue fundamentally. The money that it takes to achieve PCI compliance and to do the other things as well.
It is a change, and people don'' understand that there is some business value to doing it, and so they will just ignore it because they don't have a PCI person or a security person. So that is an awareness issue, I think.
FIELD: Dave a final question for you. The topic we are discussing here is PCI compliance, and we asked the question up front, does it help or hurt the fight against fraud. Now we know what we want the answer to be -- we want it to be to help the fight against fraud. So, toward that end, what advice would you offer to merchants and banking institutions to ensure that their PCI compliance is helping in the fight against fraud?
TAYLOR: I think one of the best things that has come out of our research is whether it is a web application. You know, ecommerce is a big deal these days. In the recession, ecommerce has weathered it better than your typical brick and mortar organizations, be they financial institutions or be they retailers or other types of organizations. If you can do business electronically, you have more flexibility to survive an economic downturn.
So advice certainly for merchants is if you are going to do business online, and most people are, you need to secure the applications that you use to do that business. If you are going to outsource that, if you are going to have somebody else take your orders and take your payments, process your orders, etcetera, you have got to make sure that they are secure as well. Asking if they are PCI compliant is nice, but it is also important to understand, maybe on a quarterly basis get reports, share information, give advice about what the organizations that you entrust with your payment processing, with the financial management of your company, make sure that you are aware and the companies that you do business with are aware of the importance of securing this information. And again, it is not just about technology. If you are going to prevent fraud, if you are going to reduce fraud, you need to understand that it starts at the business and the management of that business and making sure that reduction of fraud is important and that you have the tools in place to do it. PCI is one of an arsenal of tools that you can use to help you reduce fraud.
FIELD: Dave, that is well said. I appreciate your time and your insight today.
TAYLOR: Well, thank you, it's a pleasure to be talking with you ,and I hope folks find this of value and certainly check out the PCI Knowledgebase -- that's our organization.
FIELD: Very good. We have been talking with David Taylor with the PCI Knowledgebase, and the topic has been PCI compliance. For Information Security Media Group, I'm Tom Field. Thank you very much.