Last week, while watching Michael Phelps win his 20th Olympic medal, I was also reading a very interesting post on PCI Guru’s blog that discusses a topic covered in the latest Assessors newsletter. What do these two diverse topics have in common? Read on and see.
The blog post I mentioned refers to pre-authorization data and scope, a topic that has often been the subject of discussion. Is pre-authorization data in scope with regard to PCI or not? While my personal belief is that it should always be considered in scope, the source of this debate comes from the fact that the standard does not really call it out. Indeed, many of the requirements are specific to post-authorization (such as restrictions on any storage of sensitive authentication data). In the newsletter, the PCI Council definitively states: “PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization.”
OK, so card data is in scope regardless of its authorization state wherever it is stored, processed or transmitted. But what does that mean to the merchant, other than putting a final period on the debate? The Council’s statement here is really one of common sense. Card data is not any less valuable before authorization than after it.
Generally, the length of time that data remains pre-authorization is short. That can vary, however, especially when one considers new fees such as the Visa Zero Floor Limit Fee, which adds a fee to any transaction that is settled without authorization. Merchants are incentivized to store the data to ensure they can receive an authorization prior to submitting for settlement.
The PCI Council leaves the requirements regarding storage of pre-authorization sensitive authentication data (SAD) up to the individual payment brands. They did state, however, that any storage of SAD prior to authorization would be held to a higher standard of security and controls. Regardless of what PCI states, from a risk perspective it’s just good practice for merchants to secure all credit card data, and to remove as much of it from the merchant environment as possible. Point-to-point encryption and tokenization can play a role in effectively removing and securing card data.
For merchants, it’s tempting to let the realities of day-to-day operations take priority over complex topics like PCI, kicking the can down the road, so to speak. This brings us back to the Olympics. Michael Phelps mentioned in an interview all the various obstructions that his coach created during his training. One that stood out was his coach stepping on his goggles to crack them, so they would fill with water during Michael’s next swim. This was to prepare Phelps for any situation that could occur in competition. Sure enough, during one of his races, his goggles did fill with water and he had to rely on counting strokes to know where he was. Without that preparation, he might not have overcome that hurdle.
Similarly, merchants need to prepare themselves for the day when they may be the target of an attack. Whenever I hear the argument that pre-authorization data can be considered out of scope because the PCI DSS doesn’t specifically say so, I know I’m talking to someone who is not taking a long-term, ongoing approach to PCI. Just like Michael Phelps trains for all eventualities, merchants today must prepare to face the threats of tomorrow. Look closely at your environment. Have you effectively secured data pre-authorization? Do you know every place that card data exists within your environment? In a recent blog post, one of my colleagues wrote about the security training that every Merchant Link associate participates in. Security is more than a moment in time, or a specific job role. It’s something that everyone needs to be aware of.
Oh, and just to remind you, the Council has spoken. It IS in scope.