PCI Compliance Interview
PCI Compliance Thought Leader Q&A
Interview with Rick Dakin, President of Coalfire
PCI DSS Compliance Blog: Tell us about Coalfire.
Rick Dakin: Coalfire is an IT audit and compliance firm. We spun out of an application hosting company in 2001 and have remained focused on a single mission since that time - to provide cost-effective IT audits and compliance advisory services. This focus allows us to provide an independent view of compliance to stakeholders subject to Payment Card Industry (PCI), banking, healthcare and privacy regulations and laws.
The company provides a wide range of security and IT audit and advisory services through a team of 50 professionals from offices in Colorado, Washington and New York.
What work does Coalfire do in the area of PCI compliance?
Coalfire provides a full range of PCI assessment and compliance advisory services that includes certification to perform the following activities:
• Qualified Security Assessor (QSA) – provide level 1 Report on Compliance (ROC) reports after on-site testing, and facilitation for completion of a Self Assessment Questionnaire (SAQ).
• Payment Application – Qualified Security Assessor (PA-QSA) – Perform application testing and validation to the Payment Application-Data Security Standard (PA-DSS).
• Approved Scan Vendor (ASV) –perform internal and external network vulnerability scans.
• Penetration testing services are provided to all PCI clients.
What does it take to become a certified QSA?
A QSA must work for a QSA company. The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC). All QSA companies are subject to review by the council.
Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA. All QSA participants must then pass a background check and complete formal PCI training and certification testing.
At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing. In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry.
Merchants and software developers are often confused by the various levels of advice available to them. Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards. Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.
How many assessments are you doing per year?
Coalfire will perform over 1,000 assessments this year for more than 600 clients. Over 60% of those assessments will be performed for clients with PCI DSS or PA-DSS requirements. Our processes and methods to determine compliance have been developed and vetted through thousands of tests, council peer review and success in preventing compliance failure for any of our validated clients.
Are more of your customers concerned with PA-DSS (ISVs) or PCI DSS (merchants)?
Since merchants outnumber the payment application vendors in the market, we conduct more merchant and service provider level 1 and 2 ROC and SAQ testing. However, we are seeing a dramatic increase in the amount of PA-DSS compliance validation work from payment application developers. This trend clearly verifies that merchants are improving security infrastructure more quickly than payment applications are being updated to comply with the Payment Application Data Security Standard (PA-DSS).
As a result, processors and merchants are facing critical deadlines to verify that payment application vendors comply with PA-DSS or force merchants to switch applications to a version that is already compliant. This change is disruptive to many merchants since the updated applications typically require changes to platforms or infrastructure.
The problem cascades through the payment ecosystem because payment application vendors are having trouble finding a PA-QSA with resource availability to complete pre-audit testing or final validation testing on a timetable that will enable merchants to fully deploy PA-DSS compliant applications prior to the July 2010 deadline.
Can you walk us through a brief step-by-step process that you go through with your clients in the area of PCI compliance?
Our process is consistent across all product areas to include ROC, SAQ and PA-DSS test and reporting. The following example is provided to outline the payment application validation process.
1. Prospects enroll in an online audit preparation and self assessment tool called Navis. The Navis platform has RapidPA-DSS, RapidSAQ and RapidROC modules.
2. Prospects enter evidence that they meet specific controls in a “Turbo Tax” styled online questionnaire and data collection portal.
3. Once the prospect data is entered and indicates that the payment application is ready to test, Coalfire’s staff reviews the data entered into the online platform and advises the prospect on the process to complete PA-DSS validation testing.
4. After a contract is signed, Coalfire performs PA-DSS validation testing and provides a final gap analysis report to the developer to complete program modifications required to comply with PA-DSS standards.
5. Final testing is completed and a PA-DSS reporting is submitted to the PCI Council.
6. To become registered on the PCI Council PA-DSS list, each payment application vendor must sign a compliance agreement and pay a registration fee to the PCI Council.
What’s the area of greatest confusion for your customers? (ISVs or merchants)
The biggest area of confusion that we typically see is the separation of compliance responsibility between the ISV and their merchant clients. Many clients think that the payment application vendor is solely responsible for PCI compliance.
Another common misconception among some merchants is that if they use PA-DSS-compliant payment applications, the merchant itself has met its obligations for PCI validation. Coalfire works with payment application developers to help them guide their customers through a process to meet the full PCI standard and reduce the merchants’ risk of fines and penalties for non-compliance. At the same time, this helps mitigate the payment application developer’s risk from civil claims from merchants using their technologies.
There is perhaps no greater concern for merchants and software vendors than the cost of PCI DSS and PA-DSS compliance. How do you see the costs of PCI compliance weighing out against the cost of non-compliance?
How does the old Carpenters’ song go? … “We’ve only just begun.”
While the amount of investment in data security is growing at a breath taking rate, so is the investment being made in the personal injury litigation market. We are seeing a dramatic increase in the amount of litigation being pursued to recover costs associated with identity theft and data breach, including credit card compromise.
In the last 3 years, over 40 states have passed aggressive new data breach legislation that will enable even more litigation. Most breached merchants contact us with fears that they will be fined by VISA. This is the least of their concerns. I see most of the losses associated with litigation, fraud recovery costs, breach notice and post-breach system remediation.
Coalfire is not a law firm, but we see the damage caused by data breach up close. This has taught us that the cost of compliance is really the investment to defend your organization from growing claims of negligence. In the retail sector, the PCI Data Security Standard is the reasonable standard being used to determine negligence.
The trade off that we have experienced from our support of compromised merchants is that a dollar of compliance investment will save $10 of potential breach costs. Accordingly, we see the card brands like VISA moving into a secondary role. We see state data privacy laws and the liability attorneys driving the need to validate compliance in the future.
How aggressive do you foresee credit card companies like MasterCard and Visa being with the new fines for non-compliance? What about specifically for smaller businesses?
For level 1 and 2 merchants, fines for non-compliance have become commonplace. For level 3 and 4 merchants, enforcement has been “spotty” due to the various levels of tracking performed by the merchant processor. We expect this random review of merchant compliance to change in 2010 since every processor must understand the status of merchants using only validated payment applications.
Processors are making significant investments in their ability to track compliance of their level 3 and 4 merchants as a part of the process to inventory all payment applications to the PA-DSS requirement. Accordingly, we expect fines for level 3 and 4 merchants to grow starting later in 2010.
Again, the fines are secondary. We see the bigger risk that software vendors are offering non-compliant payment applications to customers who use them after July 2010 as a reason for the liability attorneys to pursue claims of negligence in the case of a data breach. The PCI Council set the standard for reasonableness and now the attorneys have a clear path to collect huge sums for negligence on the part of merchants, processors and software developers who continue to use non-validated payment applications.
With PCI standards evolving, how do you stay at the forefront of the industry?
Unfortunately, the demands for more secure payments are driving investment in evolving PCI requirements at a time when merchants want their software developers to help them provide higher quality and more focused service to consumers.
It is clear that the PCI standards that are being used today are not yet adequate to mitigate all risks to the payment processes. The PCI Security Standards Council is providing leadership for a number of “next-generation” controls that will likely be included in future PCI Data Security Standards at both the application and infrastructure levels.
Many larger payment application vendors are removing payment modules from other merchant application services in order to contain the cost of data security. By removing payment modules from commerce platforms and installing a shared payment service (managed by the application or by a third party), payment application developers can release updates to other non-payment modules without the expense associated with PA-DSS testing. For the payment modules, application developers can focus more effort on enhancing controls when the platform is shared. As a result, we see the trend for payment application developers continuing to move towards shrinking the payment environment and continuing to remove payment modules from other commerce functions. Over the next few years, we would expect that the number of payment modules to shrink by a significant percentage.
Where do you see this industry in five years?
The payment industry is maturing. Merchants and payment application vendors are faced with the market demand to simplify the PCI-compliance process and to reduce the cost of compliance.
Over the next 5 years, I expect that this overwhelming market demand will be met with solutions like centralized management of payment data to dramatically reduce the amount of data that is placed at risk in a distributed commerce environment. The industry will have to keep innovating to allow consumers to get in and out of a retail environment more quickly while receiving higher quality and inherently more secure service.
The sophistication of payment processes will also have to continue developing at a rapid pace to keep up with online, mobile, in-store and unattended commerce opportunities. Accordingly, only a few players will be able to make the investment in these dramatically shifting payment solutions to embed more encryption and continuous monitoring.
Interview with Rick Dakin, President of Coalfire
PCI DSS Compliance Blog: Tell us about Coalfire.
Rick Dakin: Coalfire is an IT audit and compliance firm. We spun out of an application hosting company in 2001 and have remained focused on a single mission since that time - to provide cost-effective IT audits and compliance advisory services. This focus allows us to provide an independent view of compliance to stakeholders subject to Payment Card Industry (PCI), banking, healthcare and privacy regulations and laws.
The company provides a wide range of security and IT audit and advisory services through a team of 50 professionals from offices in Colorado, Washington and New York.
What work does Coalfire do in the area of PCI compliance?
Coalfire provides a full range of PCI assessment and compliance advisory services that includes certification to perform the following activities:
• Qualified Security Assessor (QSA) – provide level 1 Report on Compliance (ROC) reports after on-site testing, and facilitation for completion of a Self Assessment Questionnaire (SAQ).
• Payment Application – Qualified Security Assessor (PA-QSA) – Perform application testing and validation to the Payment Application-Data Security Standard (PA-DSS).
• Approved Scan Vendor (ASV) –perform internal and external network vulnerability scans.
• Penetration testing services are provided to all PCI clients.
What does it take to become a certified QSA?
A QSA must work for a QSA company. The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC). All QSA companies are subject to review by the council.
Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA. All QSA participants must then pass a background check and complete formal PCI training and certification testing.
At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing. In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry.
Merchants and software developers are often confused by the various levels of advice available to them. Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards. Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.
How many assessments are you doing per year?
Coalfire will perform over 1,000 assessments this year for more than 600 clients. Over 60% of those assessments will be performed for clients with PCI DSS or PA-DSS requirements. Our processes and methods to determine compliance have been developed and vetted through thousands of tests, council peer review and success in preventing compliance failure for any of our validated clients.
Are more of your customers concerned with PA-DSS (ISVs) or PCI DSS (merchants)?
Since merchants outnumber the payment application vendors in the market, we conduct more merchant and service provider level 1 and 2 ROC and SAQ testing. However, we are seeing a dramatic increase in the amount of PA-DSS compliance validation work from payment application developers. This trend clearly verifies that merchants are improving security infrastructure more quickly than payment applications are being updated to comply with the Payment Application Data Security Standard (PA-DSS).
As a result, processors and merchants are facing critical deadlines to verify that payment application vendors comply with PA-DSS or force merchants to switch applications to a version that is already compliant. This change is disruptive to many merchants since the updated applications typically require changes to platforms or infrastructure.
The problem cascades through the payment ecosystem because payment application vendors are having trouble finding a PA-QSA with resource availability to complete pre-audit testing or final validation testing on a timetable that will enable merchants to fully deploy PA-DSS compliant applications prior to the July 2010 deadline.
Can you walk us through a brief step-by-step process that you go through with your clients in the area of PCI compliance?
Our process is consistent across all product areas to include ROC, SAQ and PA-DSS test and reporting. The following example is provided to outline the payment application validation process.
1. Prospects enroll in an online audit preparation and self assessment tool called Navis. The Navis platform has RapidPA-DSS, RapidSAQ and RapidROC modules.
2. Prospects enter evidence that they meet specific controls in a “Turbo Tax” styled online questionnaire and data collection portal.
3. Once the prospect data is entered and indicates that the payment application is ready to test, Coalfire’s staff reviews the data entered into the online platform and advises the prospect on the process to complete PA-DSS validation testing.
4. After a contract is signed, Coalfire performs PA-DSS validation testing and provides a final gap analysis report to the developer to complete program modifications required to comply with PA-DSS standards.
5. Final testing is completed and a PA-DSS reporting is submitted to the PCI Council.
6. To become registered on the PCI Council PA-DSS list, each payment application vendor must sign a compliance agreement and pay a registration fee to the PCI Council.
What’s the area of greatest confusion for your customers? (ISVs or merchants)
The biggest area of confusion that we typically see is the separation of compliance responsibility between the ISV and their merchant clients. Many clients think that the payment application vendor is solely responsible for PCI compliance.
Another common misconception among some merchants is that if they use PA-DSS-compliant payment applications, the merchant itself has met its obligations for PCI validation. Coalfire works with payment application developers to help them guide their customers through a process to meet the full PCI standard and reduce the merchants’ risk of fines and penalties for non-compliance. At the same time, this helps mitigate the payment application developer’s risk from civil claims from merchants using their technologies.
There is perhaps no greater concern for merchants and software vendors than the cost of PCI DSS and PA-DSS compliance. How do you see the costs of PCI compliance weighing out against the cost of non-compliance?
How does the old Carpenters’ song go? … “We’ve only just begun.”
While the amount of investment in data security is growing at a breath taking rate, so is the investment being made in the personal injury litigation market. We are seeing a dramatic increase in the amount of litigation being pursued to recover costs associated with identity theft and data breach, including credit card compromise.
In the last 3 years, over 40 states have passed aggressive new data breach legislation that will enable even more litigation. Most breached merchants contact us with fears that they will be fined by VISA. This is the least of their concerns. I see most of the losses associated with litigation, fraud recovery costs, breach notice and post-breach system remediation.
Coalfire is not a law firm, but we see the damage caused by data breach up close. This has taught us that the cost of compliance is really the investment to defend your organization from growing claims of negligence. In the retail sector, the PCI Data Security Standard is the reasonable standard being used to determine negligence.
The trade off that we have experienced from our support of compromised merchants is that a dollar of compliance investment will save $10 of potential breach costs. Accordingly, we see the card brands like VISA moving into a secondary role. We see state data privacy laws and the liability attorneys driving the need to validate compliance in the future.
How aggressive do you foresee credit card companies like MasterCard and Visa being with the new fines for non-compliance? What about specifically for smaller businesses?
For level 1 and 2 merchants, fines for non-compliance have become commonplace. For level 3 and 4 merchants, enforcement has been “spotty” due to the various levels of tracking performed by the merchant processor. We expect this random review of merchant compliance to change in 2010 since every processor must understand the status of merchants using only validated payment applications.
Processors are making significant investments in their ability to track compliance of their level 3 and 4 merchants as a part of the process to inventory all payment applications to the PA-DSS requirement. Accordingly, we expect fines for level 3 and 4 merchants to grow starting later in 2010.
Again, the fines are secondary. We see the bigger risk that software vendors are offering non-compliant payment applications to customers who use them after July 2010 as a reason for the liability attorneys to pursue claims of negligence in the case of a data breach. The PCI Council set the standard for reasonableness and now the attorneys have a clear path to collect huge sums for negligence on the part of merchants, processors and software developers who continue to use non-validated payment applications.
With PCI standards evolving, how do you stay at the forefront of the industry?
Unfortunately, the demands for more secure payments are driving investment in evolving PCI requirements at a time when merchants want their software developers to help them provide higher quality and more focused service to consumers.
It is clear that the PCI standards that are being used today are not yet adequate to mitigate all risks to the payment processes. The PCI Security Standards Council is providing leadership for a number of “next-generation” controls that will likely be included in future PCI Data Security Standards at both the application and infrastructure levels.
Many larger payment application vendors are removing payment modules from other merchant application services in order to contain the cost of data security. By removing payment modules from commerce platforms and installing a shared payment service (managed by the application or by a third party), payment application developers can release updates to other non-payment modules without the expense associated with PA-DSS testing. For the payment modules, application developers can focus more effort on enhancing controls when the platform is shared. As a result, we see the trend for payment application developers continuing to move towards shrinking the payment environment and continuing to remove payment modules from other commerce functions. Over the next few years, we would expect that the number of payment modules to shrink by a significant percentage.
Where do you see this industry in five years?
The payment industry is maturing. Merchants and payment application vendors are faced with the market demand to simplify the PCI-compliance process and to reduce the cost of compliance.
Over the next 5 years, I expect that this overwhelming market demand will be met with solutions like centralized management of payment data to dramatically reduce the amount of data that is placed at risk in a distributed commerce environment. The industry will have to keep innovating to allow consumers to get in and out of a retail environment more quickly while receiving higher quality and inherently more secure service.
The sophistication of payment processes will also have to continue developing at a rapid pace to keep up with online, mobile, in-store and unattended commerce opportunities. Accordingly, only a few players will be able to make the investment in these dramatically shifting payment solutions to embed more encryption and continuous monitoring.
