Payment card regulations get mixed reviews

Data security standard has pushed the industry to significantly improve defenses, but some users are crying foul

Isenberg said that specific issues arise around PCI 1.1's demand for separation between mobile device hard drive encryption tools and Microsoft's Active Directory user account management system. Maintaining such an array in today's IT environments creates major headaches, particularly around the management of end-user encryption key data, he said.

Another impracticality of PCI 1.1, said Isenberg, is the mandate's demand for Web applications firewalls for all of the online systems maintained by companies who fall under its statutes, even those applications that are in no way linked to credit card data.

Norcross, Ga.-based CheckFree -- which claims to process over one billion transactions per year on its networks -- is working with auditors to "find a happy medium" in addressing the troublesome requirement, Isenberg said. However, the executive indicated his belief that PCI-related headaches won't disappear soon for larger, more complex businesses.

Industry watchers agreed that there are serious questions regarding the practicality of adopting all of PCI 1.1's provisions, particularly among large organizations such as CheckFree that process huge volumes of data.

Both the technical parameters of the standard and the manner in which auditors are supplying customer assessments are issues that need to be addressed in future drafts of the rules said Avivah Litan, analyst with Stamford, Conn.-based researchers Gartner.

"PCI is really unique in terms of how specific it is with its requirements; you don't see this type of specificity in Sarbanes-Oxley or most of the other data protection rules we've seen emerge," Litan said. "That's not necessarily a bad thing, but retailers and other customers are getting frustrated with all the interpretation."

The analyst said that many enterprise firms affected by PCI have burned through multiple auditors, based on their concerns over the inconsistency of their assessments.

However, worried of becoming the next company embarrassed in news story headlines for having their customer credit card data exposed, firms continue to invest millions in additional technologies and services aimed at addressing the issue, she said.

The expert observed that one of the biggest problems that needs to be addressed by the PCI Security Standards Council -- which oversees all governance of the mandate -- is the perceived conflict of interest that exists with the current practice of having firms conducting PCI assessments that are also actively marketing services to the companies they audit.

"Many of the assessors are also selling PCI compliance and security services, so customers don't trust the fairness of the overall system," Litan said. "It's easy to become skeptical when you feel like you're being sold."

Despite its shortcomings, PCI DSS is having a widespread impact and vastly improving the overall security of electronic card processing systems, she said.

Bob Russo, general manager of the PCI Security Standards Council, said that the feedback the organization has received regarding the standard, including the newest additions, has been largely positive.

The same compensation controls that have caused concern among enterprise companies have been received as a significant improvement by smaller firms that had sought additional details of what was expected of them, he contends.