Something many retailers find confusing is that the council is not responsible for compliance or decisions relating to compliance. The council has no control over fees or penalties issued to retailers or processors, nor does it have any involvement in the service-level agreements between the card brands, the banks and their members. That's why David Hogan, CIO of the National Retail Federation, was shooting at the wrong target when he asked the council last October for changes in primary account number (PAN) storage requirements. The PCI DSS is the standard on how to protect PANs if they're stored, but doesn't address whether they need to be stored in the first place. That's between the retailers/merchants, acquiring banks and card brands.
Organizations that need to validate PCI DSS compliance, such as Level 1 merchants with more than 6 million Visa or MasterCard transactions annually, work with QSAs for validation. Prescriptive though the PCI DSS is, there's still room for disagreement on specific controls and their implementation. For example, one end user reports that for requirement 3.4 (render the PAN unreadable), his QSA refused to validate solutions that were not FIPS 140-2 certified. Though this federal certification provides a much higher level of assurance from a data protection standpoint, it is not specifically required for compliance by the PCI DSS Security Audit Procedures.
In cases like this, it may seem that the council is a good place to turn for answers, but it's not. The council has QSA feedback forms that companies are encouraged to fill out after audits, but these are used to determine if the QSA is performing audits properly. Finding a company out of compliance for not using FIPS 140-2 certified products is an interpretation issue. And sometimes even QSAs feel a little lost when looking for guidance. William Lynch, a manager and QSA at IT consulting firm CTG, says he's tried to go to the card brands and the council for help with interpretation: "They're generally very reluctant to provide specifics, and their responses can be somewhat slow. If I have an interpretation question, I usually discuss it with other QSAs first and contact the council as a last resort" (see "Chain Reaction," below).
This was first published in July 2008