PrivacyAtlas.com is free. The website's parent company, Security Validation LLC, a data-security consulting firm, makes money by charging participating companies fees to validate their compliance and to help bring them into compliance if they're not. Noncompliant companies can hire any of hundreds of security consulting firms to get right with PCI DSS; they're under no obligation to use Durko's company.
When we searched more than 30 major hotel brands on launch day, we found scores of concerning red X's, but most locations turned up as "In process," suggesting that PrivacyAtlas investigators still have lots of work to do. Nevertheless, the search tool represents an important first step in consumer empowerment on this issue. Until now, data breaches might have seemed like random bad-luck events that are impossible for consumers to guard against. But PrivacyAtlas.com exposes the fact that there is searchable and readily available information about where breach lightning is reasonably more likely to strike—at companies that don't even meet the minimum requirements of PCI DSS. Armed with that information, you can take your business to responsible companies and avoid those who aren't or won't publicly disclose their status.
PrivacyAtlas’ primary data source is the record of compliance that businesses already maintain—or are supposed to maintain. Payment card processors, including Discover, MasterCard, and Visa, require businesses of any size to comply with PCI DSS as a condition of accepting payment cards and storing, processing, or transmitting cardholder data.
But Durko, former director of security-compliance management for the Wyndham Hotel Group with 15 years in the data-security industry, said “no one is policing compliance.”
“We don’t have anything to do with enforcement,” Bob Russo, general manager for the Payment Card Industry Security Standards Council, said. “We’re just the standards guys. The credit-card companies enforce it. If there’s a breach, there could be an enforcement issue that comes from the credit card brand to the acquiring bank, and the acquiring bank rolls it down to the merchant.” Discover, MasterCard, and Visa did not respond to our requests for an interview or comment.
Durko is thus something of a whistle-blower, who says PCI certification is also flawed because it's only a once-a-year test. Russo lends support to that view. “Compliance is a snapshot in time,” he said. “It’s that one day in time when you’ve got all your dead-bolt locks in place. Now it’s up to you, the merchant, to make sure you do it. If you don’t do it every day, you’re not PCI compliant. That’s what we’re finding.”
Also, while a company may be PCI compliant at the corporate level, each hotel property and store location must also assess and report its own compliance. PrivacyAtlas.com requests these individual reports, and its investigators send back a proprietary follow-up questionnaire that queries for known security and compliance issues.
For example, companies whose computer systems use Windows XP for payment processing just became PCI noncompliant today, April 8, when Microsoft ended extended support for that product. “Security updates and patches will no longer be available, and any payment systems and computers still running XP will be vulnerable to attacks,” leaving the door “wide open for hackers,” says the PCI Security Standards Council.
Durko’s consulting firm also conducts periodic follow-up compliance assessments of verified companies throughout the year.
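The two points above, that compliance is a "snapshot in time" and that an unsupported operating system in the payment environment makes a merchant noncompliant the day vendor support ends, can be shown concretely. The following is an added illustration, not code from PrivacyAtlas or Security Validation LLC: it reads a small, constructed host inventory, checks each in-scope host's operating system against vendor end-of-support dates, and reports on which day a once-compliant environment stops being compliant. The Windows XP date is the one the article refers to; the other end-of-support dates and the inventory format are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-extended-support dates (assumed reference table for this example).
# Windows XP: April 8, 2014, the date the article was written.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Constructed inventory: hostname, operating system, whether the host stores,
# processes or transmits cardholder data (i.e. is in PCI DSS scope).
SAMPLE_INVENTORY = """
# hostname, operating system, in cardholder-data environment
pos-lobby-01, Windows XP, yes
pos-lobby-02, Windows 7, yes
hr-desk-07, Windows XP, no
"""


@dataclass
class Host:
    name: str
    os_name: str
    in_scope: bool


def parse_inventory(text: str) -> list:
    """Parse the comma-separated inventory above into Host records."""
    hosts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, os_name, scope = [field.strip() for field in line.split(",")]
        hosts.append(Host(name, os_name, scope.lower() == "yes"))
    return hosts


def is_unsupported(os_name: str, as_of: date) -> bool:
    """True once the vendor's end-of-support date has been reached."""
    eol = END_OF_SUPPORT.get(os_name)
    return eol is not None and as_of >= eol


def assess(hosts: list, as_of: date) -> list:
    """Return one finding per in-scope host running an unsupported OS on the given day.
    Out-of-scope hosts are still a risk, but they do not affect the PCI DSS verdict here."""
    findings = []
    for host in hosts:
        if host.in_scope and is_unsupported(host.os_name, as_of):
            eol = END_OF_SUPPORT[host.os_name].isoformat()
            findings.append(f"{host.name}: {host.os_name} unsupported since {eol}")
    return findings


def is_compliant_on(hosts: list, as_of: date) -> bool:
    """The 'snapshot in time' view: a single day's verdict."""
    return not assess(hosts, as_of)


def first_noncompliant_day(hosts: list, start: date, end: date):
    """The 'every day' view: walk the calendar and report the first failing day, or None."""
    current = start
    while current <= end:
        if not is_compliant_on(hosts, current):
            return current
        current += timedelta(days=1)
    return None


if __name__ == "__main__":
    hosts = parse_inventory(SAMPLE_INVENTORY)
    # An annual assessment on April 7 passes; the same environment fails the next day.
    print("Compliant on 2014-04-07:", is_compliant_on(hosts, date(2014, 4, 7)))
    print("Compliant on 2014-04-08:", is_compliant_on(hosts, date(2014, 4, 8)))
    print("First failing day in April:", first_noncompliant_day(hosts, date(2014, 4, 1), date(2014, 4, 30)))
    for finding in assess(hosts, date(2014, 4, 8)):
        print("  -", finding)
```

Running the script shows the gap the article describes: an assessor visiting on April 7 would have certified the environment, and nothing in a once-a-year model revisits the verdict when the XP terminal becomes unpatchable the following morning. A daily or continuous check of the same inventory catches the change on the day it happens.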
Most important, Durko is bringing transparency to an industry that should make PCI compliance reports publicly available. “That is the crux of PrivacyAtlas,” Durko said. “We want to give consumers the ability to make an informed decision.”