On Wednesday at the RSA Conference 2010, Larry Ponemon presented the results of his PCI DSS Trends 2010: QSA Insights report. Some of the world’s largest acceptors of card payments, payments processors and card brands attended to hear about the research conducted on the recommendations and guidance of the Qualified Security Assessors (QSAs), the auditors responsible for assessing PCI DSS compliance.
Commissioned by Thales, The Ponemon Institute developed the research, firstly, to enable merchants to benchmark their compliance efforts and, secondly, for payment processors to identify competitive opportunities. During the talk, Larry reinforced the overall take away from the QSAs recommendations, which was the focus on protecting cardholder data itself.
Key findings of the research include:
- 41 percent of merchants would fail compliance if compensating controls were not allowed
- Average cost for an annual Tier 1 merchant QSA assessment was $225,000
- PCI DSS Requirement #7 – Restricting access to cardholder by business need-to-know – is both the most important and most difficult part of the PCI DSS for QSAs
- 60 percent of QSAs prefer encryption for end-to-end protection
The reasons why merchants are still storing cardholder data, i.e. chargebacks and customer service, was of particular interest to the audience. The research also found that QSAs believe that merchant networks and databases continue to be the systems most at risk of a breach.
Larry explained that, out of the 18 technologies for achieving compliance, three of the top five were encryption. While encryption was also the preferred solution for end-to-end protection, the research found that QSAs think that both encryption and tokenization technologies will coexist in the future. Larry revealed that QSAs preferred encryption technology for protecting cardholder data stored in databases but opinions on the use of encryption and tokenization in enterprise applications was divided.
PCI DSS Requirement #3 includes a number of key management best practices, such as reducing the number of locations for storing keys and enforcing access controls. Controlling access was a theme throughout the QSA’s recommendations as a means of protecting and managing cardholder data. In regard to this requirement, Larry explained that 81 percent of QSAs recommended the use of hardware security modules (HSMs) and 63 percent found that this technology reduced the time merchants spend on demonstrating compliance.
As part of the session, the audience questioned Larry on a number of issues, including how the QSA practice and business model might change if employers were responsible for protecting cardholder data stored in the enterprise expense management systems. Furthermore, everyone agreed that PCI DSS was not the end goal for stopping cardholder data breaches, but baseline guidelines in merchant and service providers’ data protection strategies.
To finish up the session, Larry announced that a companion report will also be available in April entitled the PCI DSS Trends 2010: QSA Business Report. This will take a close look at the issues facing the QSA business model and what QSAs see coming in the next release of PCI DSS.