Payment Card Industry Swallows Its Own Tail

April 1, 2009 by ADMIN

By Anthony M. Freed, Information-Security-Resources.com Managing Editor

PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.

Why the dire prognosis?

Anyone who has been following the cascade of security failures plaguing the payment card industry, as punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment Systems (HPY), must acknowledge that there are serious problems with PCI security that need to be addressed.

But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers, but instead may be the dysfunctional nature of the relationships between the very parties the standards are meant to serve.

The squabbling and finger pointing displayed during the first quarter of 2009 has resulted in nothing less than a public relations nightmare, as major card brands, payment processors and merchants each seek to deflect responsibility for security lapses.

RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability with the caveat that they are doing the best they can with what they have.

Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their good standing with the council at the time of the breach. From Securosis.com:

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.

Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:

“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming - or excluding — Heartland. “The breaches that we have seen have involved a key area of non-compliance.”

To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering for anticipated class action suits.

“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”

This was seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.

During Tuesday’s Congressional hearings, representatives of the merchants who are thought to bear the brunt of security protocol “cram-downs” from the card issuers threw their hats into the ring in what now amounts to an industry free-for-all. From Forbes.com:

Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”

Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.

Is it any wonder that the future of PCI DSS is in question?

What could possibly be worse than an entire industry at each other’s throats in the midst of congressional testimony?

They could make enough of a brouhaha that they attract the wrong kind of attention from lawmakers, who have regularly demonstrated their intent of late to force industries of all stripes to cede to their better judgment. Also from Forbes.com:

“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security.

Maybe they left these issues to simmer on the back burner for too long, and someone may be looking for a scapegoat.

It’s all uphill now.

During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.

I likened the public displays of policy incongruity and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus to that of the image of a snake swallowing its own tail.

PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.

* * *

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

10 Comments on Payment Card Industry Swallows Its Own Tail

Nick Waddell on Wed, 1st Apr 2009 8:37 pm

Your stuff is so well researched and documented, yet as a newbie to the space, I have no trouble reading through and understanding it first time. Great stuff, thanks for posting to Bizzlo, too.

Nick

James Anderson on Mon, 6th Apr 2009 7:49 am

Excellent article. One could draw the opposite conclusion, however. PCI-DSS is alive and well and producing the intended effect. The public statements you see on this — especially by processors who have had a breach — are nothing more than pre-litigation posturing. They have (belatedly) “lawyered up.” The comment that “We’ve never seen anyone who was breached that was PCI compliant” is probably true and illustrates the essential nature of PCI-DSS: security requires effective controls, constant vigilance, and is difficult and expensive to achieve and maintain. Good luck with trying to claim that a PCI-DSS certification is some kind of warranty that dealings with the subject processor will be secure. My bet is that substantial violations of PCI-DSS will be found to have existed in any processor or merchant that had a breach. Furthermore, if you could know the truth, you would *probably* find that the breached processor substantially overstated the effectiveness and/or maturity of controls they operate during the PCI-DSS review — sort of like cleaning up the powder room just before the in-laws arrive for dinner. It’s not representative of or a guarantee of ongoing hygiene… Simply stated, PCI-DSS works and represents the best approach to the problem of PCI security. If you want to ratchet things up (and this is easily done — with additional cost and effort of course) do two things: (1) make the certificate assessment process more procedurally comprehensive adding controls maturity to the mix, (2) publicly identify software makers whose products do not comply (you know who you are now, but the public does not yet). This will generate its own round of litigation, but that might be a good thing. The notion that you can solve the problem with more government regulation — brought to you by the people who brought you the mortgage and credit crisis — is laughable.

Commerce on the Internet is nothing less than the front line in the battle for information security today — and attacks are (probably ;-) ) more intense and threatening than those faced by military targets. Those of us who have been around in INFOSEC for a while remember “C2 by ’92” as an early poster child for a failed security initiative. Like democracy as a form of government, PCI-DSS may be awful, but it’s the best we have.

Iain McRobie on Wed, 8th Apr 2009 3:08 pm

A very interesting and well researched article by Anthony and a great response by James.

I suspect that elements of both are the true state of affairs and am aware of times in the past where organisations that I am very familiar with have been audited by the Card Schemes and have told them pretty much what they wanted to hear in order to get a clean bill of health. I can’t imagine that things have changed completely, so to extrapolate from this, there will be organisations that have a PCI-DSS clean bill of health that are not really compliant.

pdebski on Fri, 10th Apr 2009 7:08 am

Well, in my opinion the only secure payment protocol is SET (Secure Electronic Transaction) that is well researched, based on strong cryptography and a sensible business model, and indeed secure but neglected due to the lazy “not my problem” industry approach.

As long as companies implement some solutions because it is cheap and easy instead of putting in solid work to make things right we will see numerous disasters like the ones cited above.

Best regards
Pawel Debski
pdebski ! econsulting @ pl
+48-504-766-316

pligg.com on Sat, 11th Apr 2009 8:21 am

Payment Card Industry Swallows Its Own Tail : Information Security Resources…

Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, as punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment systems (HPY), has to acknowledge that there ar…

Rocco Castoro on Thu, 23rd Apr 2009 3:23 pm

As long as companies implement some solutions because it is cheap and easy instead of putting in solid work to make things right we will see numerous disasters like the ones cited above.

I agree.

[...] future of PCI DSS is at stake, yet the leadership to required to secure its future and the much needed cooperation of all [...]

The Merchant Maven on Wed, 6th May 2009 11:23 am

Anthony:

I agree with the comment that says you provide very well researched articles.

I established the Merchant Maven to help merchants make wise decisions on various aspects of credit card processing. Among them, of course, is PCI compliance. I look forward to your next article on this. Good stuff.

The Merchant Maven

Raphaella Alcasas on Mon, 11th May 2009 4:17 am

Interesting viewpoint Anthony, but I would still argue that while far from perfect, the PCI Standard provides guidelines that are prescriptive and clear and more or less teaches companies, big and small, how to implement best practice in regard to their IT security structures. Couple that with the fact that they are (trying) to implement it globally, and I would say that though it has a lot of evolving to do, they are on the right track. It does take a bit of stepping back and looking at the overall picture to see it, but in essence there is no downside to complying. The squabbling between the parties which results from breaches is still not a damper on the fact that the industry needed regulation as regards security, and PCI has provided that blueprint. Whatever we end up calling it in the future, the goal to tighten security and maintain best practice amongst those making money off the average consumer’s transactions and their trust is being achieved. Awareness is growing. There is always going to be room for improvement. Regulation in the financial arenas does not necessarily stop a recession, as we can all attest. But without it, who knows, we could be in the wild west; it could always be worse. I challenge those who feel they could do better to actually go and do it. God knows there are plenty of companies and institutions and governments willing to listen to it, and possibly collaborate or invest in that. Certainly there is some evolving to be done, but overall, let me say, we are better with the slightly flawed system we have than without any at all.

Wynand Vermeulen on Mon, 14th Dec 2009 1:38 am

Great article!

I personally believe PCI is a band-aid to try and prevent breaching of credit card data. The need for PCI is only justified by the continued reliance on outdated magnetic stripe technology, and the ability to perform transactions with only some data that is printed on a card.

While magstripe is used, I agree that something needs to be done to try and make it more secure, but this is like trying to fit air bags to a 1908 Model T Ford. I believe the focus should rather be aimed at migrating to secure technologies such as chip and PIN (EMV), and 2FA (two-factor authentication) for CNP (card not present) transactions.

The use of EMV and 2FA makes the card data itself useless, as authentication is performed using the secret keys inside the chip. If the data is useless, then why protect it (privacy excluded from this argument)? If your country is planning to migrate to EMV, or is busy migrating, or has migrated, PCI compliance means that you are paying the bill to secure the data of parties that are not migrating to EMV, and in the light of the EMV liability shift, non-EMV compliant parties are liable for fraud.

EMV has been around for nearly 15 years now, and every year more and more countries are migrating, with just about every country in the world either being fully migrated, in the process of migrating, or planning to migrate. The only exception to the rule seems to be the US, which will find itself at the receiving end of exponentially growing fraud due to the fraud migration effect caused by EMV.

In some countries magnetic stripes are already banned (Malaysia), and in others you may find it exceedingly difficult to use a magnetic stripe card (United Kingdom).

The Magstripe is Dead, Long Live the Chip (and PIN).
