« November 2009 | Main | January 2010 »

December 2009

12/22/2009

Credit Card Interchange Fees

In recent years, merchants have become displeased with what they see as rising credit card processing fees (commonly referred to as credit card interchange fees).  In turn, merchants have leaned on industry lobbyists, acquirers, and credit card companies in an effort to find relief.   The result of this pressure is three separate proposed Congressional bills, most notable among them the Credit Card Interchange Fees Act of 2009. 

Though there is still no word on whether these proposed bills will proceed through Congress, that hasn’t kept merchants, processors, credit card issuers, and even some consumers from debating their merit. 

The release last month of a report on credit card interchange fees from the General Accountability Office has only added to the confusion, essentially reporting that regulating and/or limiting interchange fees would result in a sequence of nearly indeterminable feedbacks, with no clear definition of who might be the beneficiary. 

While the complaints of merchants over credit card interchange fees have been the primary driver of action on this matter, an important secondary consideration is at play as well.  Consumers, for whom the recent C.A.R.D. act was passed in Congress, are assumed to be paying higher prices for goods and services as a result of merchants raising prices to absorb what they view to be increasing interchange fees.

Essentially, then, the three proposed bills are aimed at protecting merchants and consumers, with the assumption being that merchants would lower prices for goods and services if interchange fees were lowered or eliminated.

At the heart of this growing debate, for some, is whether a lowering of interchange fees would actually result in lower prices.  Would merchants lower prices or simply grow margins?

What do you think will happen? Let us know in the comments below.  

Posted at 08:00 AM in Payment Processing | | Comments (1) | TrackBack (0)

12/21/2009

MasterCard PCI Compliance

We’ve blogged recently about the evolutionary component of PCI compliance, of how PCI compliance is an ongoing, adaptive, process rather than a simple checklist.

For more proof of this, we present MasterCard’s most recent changes to its PCI DSS requirements.  As changes are made by credit card companies, we are reminded that adaptations by card issuers, processors, and merchants are necessary. 

The first change MasterCard announced was a change to the December 31, 2010 deadline for Level 2 merchants to have an onsite QSA assessment to six months later, June 30, 2011.

Effective June 30, 2011 MasterCard PCI compliance will also subject merchants to new PCI DSS requirements.  Those changes break down, depending on merchant level, as follows:

Level 1 merchants will no longer be required to contract a Qualified Security Assessor (QSA) to submit their Reports on Compliance (ROC).  Instead, level 1 merchants, provided that their internal auditor is certified effective June 30, 2011, will be permitted to submit their own ROC.  Certification for internal auditors will be overseen by the PCI Security Standards Council (PCI SSC), with PCI SSC training for certification beginning sometime after January 15, 2010.

Similarly, level 2 merchants will no longer be required to complete an annual onsite assessment.  Instead, level 2 merchants may rely on internal resources to submit a Self Assessment Questionaire (SAQ), provided that their internal auditor is certified as of June 30, 2011.  As an alternative to submitting the SAQ, level 2 merchants may also opt to utilize a QSA for assessment purposes.  As with level 1 merchants, certification training dates will begin sometime after January 15, 2010.

In addition to the above MasterCard PCI DSS requirements changes, MasterCard PCI compliance will require that third-party payment applications be validated, by July 12, 2012, as fully compliant with the Payment Application Data Security Standards.  PA-DSS compliant payment applications will be comprehensively listed on the PCI SSC website. Visa’s PA-DSS deadline, however, is July 1, 2010 so software providers still need to be cognizant of this looming compliance deadline. 

We have integrated the above changes into our past post regarding PCI Compliance Deadlines.

Related Blog Posts:

MasterCard Toughens Stance on PCI Compliance

Posted at 09:45 AM in MasterCard, Merchant PCI Compliance, PCI Compliance, PCI DSS | | Comments (0) | TrackBack (0)

12/08/2009

PCI Compliance Interview

PCI Compliance Thought Leader Q&A
Interview with Rick Dakin, President of Coalfire

PCI DSS Compliance Blog: Tell us about Coalfire.
Rick Dakin: Coalfire is an IT audit and compliance firm.  We spun out of an application hosting company in 2001 and have remained focused on a single mission since that time - to provide cost-effective IT audits and compliance advisory services.  This focus allows us to provide an independent view of compliance to stakeholders subject to Payment Card Industry (PCI), banking, healthcare and privacy regulations and laws.

The company provides a wide range of security and IT audit and advisory services through a team of 50 professionals from offices in Colorado, Washington and New York.

What work does Coalfire do in the area of PCI compliance? Cc1small
Coalfire provides a full range of PCI assessment and compliance advisory services that includes certification to perform the following activities:
•    Qualified Security Assessor (QSA) – provide level 1 Report on Compliance (ROC) reports after on-site testing, and facilitation for completion of a Self Assessment Questionnaire (SAQ).
•    Payment Application – Qualified Security Assessor (PA-QSA) – Perform application testing and validation to the Payment Application-Data Security Standard (PA-DSS).
•    Approved Scan Vendor (ASV) –perform internal and external network vulnerability scans.
•    Penetration testing services are provided to all PCI clients.

What does it take to become a certified QSA? 
A QSA must work for a QSA company.  The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC).  All QSA companies are subject to review by the council.

Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA.  All QSA participants must then pass a background check and complete formal PCI training and certification testing. 

At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing.  In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry. 

Merchants and software developers are often confused by the various levels of advice available to them.  Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards.  Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.

How many assessments are you doing per year?
Coalfire will perform over 1,000 assessments this year for more than 600 clients.  Over 60% of those assessments will be performed for clients with PCI DSS or  PA-DSS requirements.  Our processes and methods to determine compliance have been developed and vetted through thousands of tests, council peer review and success in preventing compliance failure for any of our validated clients.

Are more of your customers concerned with PA-DSS (ISVs) or PCI DSS (merchants)?
Since merchants outnumber the payment application vendors in the market, we conduct more merchant and service provider level 1 and 2 ROC and SAQ testing.  However, we are seeing a dramatic increase in the amount of PA-DSS compliance validation work from payment application developers.  This trend clearly verifies that merchants are improving security infrastructure more quickly than payment applications are being updated to comply with the Payment Application Data Security Standard (PA-DSS).

As a result, processors and merchants are facing critical deadlines to verify that payment application vendors comply with PA-DSS or force merchants to switch applications to a version that is already compliant.  This change is disruptive to many merchants since the updated applications typically require changes to platforms or infrastructure.

The problem cascades through the payment ecosystem because payment application vendors are having trouble finding a PA-QSA with resource availability to complete pre-audit testing or final validation testing on a timetable that will enable merchants to fully deploy PA-DSS compliant applications prior to the July 2010 deadline.

Can you walk us through a brief step-by-step process that you go through with your clients in the area of PCI compliance?Cc2small
Our process is consistent across all product areas to include ROC, SAQ and PA-DSS test and reporting.  The following example is provided to outline the payment application validation process.

1.    Prospects enroll in an online audit preparation and self assessment tool called Navis.  The Navis platform has RapidPA-DSS, RapidSAQ and RapidROC modules.
2.    Prospects enter evidence that they meet specific controls in a “Turbo Tax” styled online questionnaire and data collection portal.
3.    Once the prospect data is entered and indicates that the payment application is ready to test, Coalfire’s staff reviews the data entered into the online platform and advises the prospect on the process to complete PA-DSS validation testing.
4.    After a contract is signed, Coalfire performs PA-DSS validation testing and provides a final gap analysis report to the developer to complete program modifications required to comply with PA-DSS standards.
5.    Final testing is completed and a PA-DSS reporting is submitted to the PCI Council.
6.    To become registered on the PCI Council PA-DSS list, each payment application vendor must sign a compliance agreement and pay a registration fee to the PCI Council.

What’s the area of greatest confusion for your customers? (ISVs or merchants)
The biggest area of confusion that we typically see is the separation of compliance responsibility between the ISV and their merchant clients.  Many clients think that the payment application vendor is solely responsible for PCI compliance.

Another common misconception among some merchants is that if they use PA-DSS-compliant payment applications, the merchant itself has met its obligations for PCI validation.  Coalfire works with payment application developers to help them guide their customers through a process to meet the full PCI standard and reduce the merchants’ risk of fines and penalties for non-compliance.  At the same time, this helps mitigate the payment application developer’s risk from civil claims from merchants using their technologies. 

There is perhaps no greater concern for merchants and software vendors than the cost of PCI DSS and PA-DSS compliance. How do you see the costs of PCI compliance weighing out against the cost of non-compliance?
How does the old Carpenters’ song go? … “We’ve only just begun.”

While the amount of investment in data security is growing at a breath taking rate, so is the investment being made in the personal injury litigation market.  We are seeing a dramatic increase in the amount of litigation being pursued to recover costs associated with identity theft and data breach, including credit card compromise.

In the last 3 years, over 40 states have passed aggressive new data breach legislation that will enable even more litigation.  Most breached merchants contact us with fears that they will be fined by VISA.  This is the least of their concerns.  I see most of the losses associated with litigation, fraud recovery costs, breach notice and post-breach system remediation.

Coalfire is not a law firm, but we see the damage caused by data breach up close.  This has taught us that the cost of compliance is really the investment to defend your organization from growing claims of negligence.  In the retail sector, the PCI Data Security Standard is the reasonable standard being used to determine negligence.

The trade off that we have experienced from our support of compromised merchants is that a dollar of compliance investment will save $10 of potential breach costs. Accordingly, we see the card brands like VISA moving into a secondary role.  We see state data privacy laws and the liability attorneys driving the need to validate compliance in the future.

How aggressive do you foresee credit card companies like MasterCard and Visa being with the new fines for non-compliance? What about specifically for smaller businesses?
For level 1 and 2 merchants, fines for non-compliance have become commonplace.  For level 3 and 4 merchants, enforcement has been “spotty” due to the various levels of tracking performed by the merchant processor.  We expect this random review of merchant compliance to change in 2010 since every processor must understand the status of merchants using only validated payment applications. 

Processors are making significant investments in their ability to track compliance of their level 3 and 4 merchants as a part of the process to inventory all payment applications to the PA-DSS requirement.  Accordingly, we expect fines for level 3 and 4 merchants to grow starting later in 2010.

Again, the fines are secondary.  We see the bigger risk that software vendors are offering non-compliant payment applications to customers who use them after July 2010 as a reason for the liability attorneys to pursue claims of negligence in the case of a data breach.  The PCI Council set the standard for reasonableness and now the attorneys have a clear path to collect huge sums for negligence on the part of merchants, processors and software developers who continue to use non-validated payment applications.

With PCI standards evolving, how do you stay at the forefront of the industry?
Unfortunately, the demands for more secure payments are driving investment in evolving PCI requirements at a time when merchants want their software developers to help them provide higher quality and more focused service to consumers. 

It is clear that the PCI standards that are being used today are not yet adequate to mitigate all risks to the payment processes.  The PCI Security Standards Council is providing leadership for a number of “next-generation” controls that will likely be included in future PCI Data Security Standards at both the application and infrastructure levels.

Many larger payment application vendors are removing payment modules from other merchant application services in order to contain the cost of data security.  By removing payment modules from commerce platforms and installing a shared payment service (managed by the application or by a third party), payment application developers can release updates to other non-payment modules without the expense associated with PA-DSS testing.  For the payment modules, application developers can focus more effort on enhancing controls when the platform is shared.  As a result, we see the trend for payment application developers continuing to move towards shrinking the payment environment and continuing to remove payment modules from other commerce functions.  Over the next few years, we would expect that the number of payment modules to shrink by a significant percentage.

Where do you see this industry in five years?
The payment industry is maturing.  Merchants and payment application vendors are faced with the market demand to simplify the PCI-compliance process and to reduce the cost of compliance.

Over the next 5 years, I expect that this overwhelming market demand will be met with solutions like centralized management of payment data to dramatically reduce the amount of data that is placed at risk in a distributed commerce environment.  The industry will have to keep innovating to allow consumers to get in and out of a retail environment more quickly while receiving higher quality and inherently more secure service.

The sophistication of payment processes will also have to continue developing at a rapid pace to keep up with online, mobile, in-store and unattended commerce opportunities.  Accordingly, only a few players will be able to make the investment in these dramatically shifting payment solutions to embed more encryption and continuous monitoring.

Posted at 11:59 AM in Credit Card Security, Data Security, ISVs, Merchant PCI Compliance, PA-DSS, PCI Compliance, PCI DSS, QSA | | Comments (0) | TrackBack (0)