PCI, Auditor and Client Goals Rarely Align
PCI reporting requirements change depending on the size of your business. Smaller companies self-report. Larger companies such as Home Depot must use a third-party entity called a qualified security assessor (QSA) to perform what's essentially a security audit to make sure they comply.
The goals of PCI, retailers and QSAs don't often align, Lloyd points out.
- PCI is meant to protect card issuers and make sure that consumers feel safe enough to keep using credit and debit cards, therefore ensuring card issuers make a profit. That's why they set these standards.
- Retailers want to make as much profit as possible by keeping costs as low as possible. Security is expensive, especially for big retail chains, and it's a tempting spot to start cutting corners.
- QSAs, a group that includes big names such as PricewaterhouseCoopers and AT&T Consulting Solutions, also look to make a profit. They do that by performing as many security audits as possible — and retailers pay for those audits.
Fixing PCI: Automation, Fewer Cozy Relationships, Penalties?
Lloyd points to the relationship between a retailer and QSA as one potential weak point in the system. "Not all QSAs are the same," he says. "They have to compete with each other, too."
It's not uncommon for retailers to shop around for QSAs, he adds. Requiring retailers to hire a different QSA at least once every other year would prevent the relationship from being too cozy.
Orfei says PCI doesn't control or enforce the merchant/QSA relationship, which it sees as similar to any other client/auditor relationship. "Just like other auditors, QSAs have a responsibility to provide an independent third party assessment," he says.
Lloyd also recommends automation. "We're all engaged within this industry and trying to figure out how much of this we can automate, because that's where the profit is," he says. "Take PCI standards and turn them into something a machine can do and try to grab as much automation as we can."
Automation would lower the cost of meeting PCI standards. That, in turn, would increase the odds that companies would follow those standards without cutting corners. Automating the work of the QSAs means that there's less room for human error, too.
Another tactic: Penalize companies that don't comply. "In the case of all these breaches, it hasn't been done once. Transactions are never suspended," Troia says. "My personal opinion is it's the only way someone is really going to get the message."
Orfei says PCI doesn't play a role in managing compliance with its own standards. "PCI SSC is focused on payment security thought leadership including developing technical standards. Incentives or enforcement to comply with PCI Standards is the function of card brands and bank partners."