
The Green Sheet Online Edition

June 27, 2011 • Issue 11:06:02

PCI DSS effectiveness questioned

In a May 31, 2011, blog post, Federal Reserve Bank of Atlanta official Cindy Merritt questioned the long-term effectiveness of the Payment Card Industry (PCI) Data Security Standard (DSS).

The requirements wouldn't be necessary if the United States would do what Europe and most of the world have already done: switch from mag stripe to chip and PIN technology, according to Merritt.

Merritt, Assistant Director of the bank's Retail Payments Risk Forum, wrote in her blog, "PCI guidelines are necessary, unfortunately, because of cards that use mag stripe technology instead of the more secure chip and PIN technology.

"As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective - a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip and PIN card technology."

Merritt believes the situation can only get worse in the United States as long as its payment system continues to use mag stripe technology. "The vulnerabilities inherent in mag stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses," she wrote.

In Canada and Europe, the move to the Europay/MasterCard/Visa (EMV) security standard for chip and PIN technology has resulted in reduced fraud, according to Merritt. "As more countries employ EMV, skimming in the United States is expected to rise," she added.

The Michaels difference

The vulnerability of retailers to card skimming was demonstrated in the Michaels Stores Inc. data theft. The theft was discovered in early May 2011 after thieves had been quietly downloading credit card information for months on 90 fake terminals they swapped for 90 PIN pads in Michaels' stores.

The terminal swaps were spread out in Michaels' locations in 20 states. The fake terminals relayed customer information directly to the fraudsters, presumably without interrupting transactions. The data theft forced Michaels to replace approximately 7,200 PIN pads.

The culprits managed to sort stolen cards by BIN (bank identification number), which allowed the thieves to target a single bank with multiple fraud charges before moving on to another bank for more charges. This technique may be why hackers were able to hide their theft from Feb. 8 to May 6, 2011, when the breach was finally uncovered. Michaels did not reply to a request for comment. But Avivah Litan, a Security Analyst for the technology research firm Gartner Inc., confirmed the Michaels thieves used new tactics. By taking advantage of BINs, fraudsters bypassed normal, network-level fraud monitoring, Litan said.

"Also the fraudsters avoided the heat and microscopic attention generated via communications among banks and the card networks that takes place when a breach affects a larger group of card issuers at once," she added.
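The BIN-targeting tactic Litan describes, concentrating fraud on one issuer at a time so that network-wide totals look normal, is a blind spot of aggregate monitoring that can be checked for from the defender's side by computing dispute rates per issuer per day rather than only in aggregate. The following Python is an added illustration for this article, not code from The Green Sheet, Gartner or any card network; the record fields, the ten issuers, the transaction volumes and the 2% alert threshold are constructed assumptions.

```python
# Added example (not from The Green Sheet, Gartner, or any card network):
# a defender-side check that compares an aggregate dispute rate with
# per-BIN (issuer-level) dispute rates, per day. All field names, volumes
# and the threshold below are constructed assumptions for illustration.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class TxSummary(NamedTuple):
    """Daily per-BIN roll-up as an acquirer or processor might produce it."""
    day: int       # day index within the observation window (constructed)
    bin: str       # first six PAN digits, identifies the issuing bank
    total: int     # transactions settled for that BIN on that day
    disputed: int  # of those, how many were later reported as fraud


def build_sample() -> List[TxSummary]:
    """Constructed window: 10 issuers, 5 days, 1000 tx per issuer per day,
    background fraud of 5 per cell. Each day the fraudsters add 60 fraudulent
    charges against ONE issuer, rotating to a different issuer the next day."""
    issuers = [f"4{str(i).zfill(5)}" for i in range(10)]  # 400000 .. 400009
    rows: List[TxSummary] = []
    for day in range(5):
        targeted = issuers[day]  # a different issuer is hit each day
        for b in issuers:
            extra = 60 if b == targeted else 0
            rows.append(TxSummary(day, b, 1000, 5 + extra))
    return rows


def aggregate_rate(rows: Iterable[TxSummary]) -> float:
    """Network-level view: one dispute ratio across every issuer."""
    rows = list(rows)
    total = sum(r.total for r in rows)
    return sum(r.disputed for r in rows) / total if total else 0.0


def per_bin_rates(rows: Iterable[TxSummary]) -> Dict[str, float]:
    """Issuer-level view: dispute ratio for each BIN over the rows given."""
    tot: Dict[str, int] = defaultdict(int)
    bad: Dict[str, int] = defaultdict(int)
    for r in rows:
        tot[r.bin] += r.total
        bad[r.bin] += r.disputed
    return {b: bad[b] / tot[b] for b in tot}


def daily_hot_bins(rows: Iterable[TxSummary],
                   threshold: float) -> List[Tuple[int, str, float]]:
    """For each day, report BINs whose dispute ratio crosses `threshold`
    while that day's aggregate ratio stays below it, i.e. exactly the cases
    an aggregate-only monitor would miss. Returns (day, bin, rate) triples."""
    by_day: Dict[int, List[TxSummary]] = defaultdict(list)
    for r in rows:
        by_day[r.day].append(r)
    hits: List[Tuple[int, str, float]] = []
    for day in sorted(by_day):
        day_rows = by_day[day]
        if aggregate_rate(day_rows) >= threshold:
            continue  # an aggregate alarm would fire anyway; not the blind spot
        for b, rate in sorted(per_bin_rates(day_rows).items()):
            if rate >= threshold:
                hits.append((day, b, rate))
    return hits


if __name__ == "__main__":
    data = build_sample()
    print(f"aggregate dispute rate: {aggregate_rate(data):.3%}")
    for b, rate in sorted(per_bin_rates(data).items()):
        print(f"  whole-window rate for BIN {b}: {rate:.3%}")
    for day, b, rate in daily_hot_bins(data, threshold=0.02):
        print(f"day {day}: BIN {b} at {rate:.1%} while aggregate stayed quiet")
```

On the constructed data the aggregate rate is 1.1% every day, comfortably under the 2% threshold, and because the fraudsters rotate issuers the whole-window per-BIN rates also stay under 2% (1.7% for the five issuers that were hit, 0.5% for the rest). Only the per-day, per-BIN view exposes the targeted issuer at 6.5% on its day, which is why the check is done on the smallest time slice the roll-up supports.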

Litan said Gartner research shows retailers in the United States will spend an average of $1.7 million each over 2.4 years to become PCI compliant.

"The U.S. card industry will likely figure out that it's cheaper to move away from inherently insecure magnetic stripe payment card technology to more secure chip cards than it is to spend billions on PCI compliance and millions on recovering from breaches like this one," she said.

Device management

The PCI Security Standards Council (PCI SSC) promulgates all security requirements affecting PIN entry devices (PEDs) through the PIN Transaction Security (PTS) DSS.

According to the council, enforcement of PED mandates is the responsibility of the card brands. However, PCI SSC General Manager Bob Russo told The Green Sheet in a statement that the PTS requires PIN pads to include "technology that makes the device resistant to tampering.

"While the council does not have any insight into this specific breach, what we've read indicates in this case that the devices themselves were switched out and replaced with fraudulent ones." Russo feels the Michaels data theft points out the need for more vigilant security. "Point of sale continues to be a security hotspot," he said.

"Not only must organizations ensure they are PCI compliant by implementing the controls mandated by the standards for the protection of devices and data at the point of sale, but also they must be vigilant in reviewing all transaction equipment and payment terminals to ensure that all seals are intact and no tampering is evident. We always talk about how technology is not enough when it comes to security - people and processes are critical." Russo also noted the PCI DSS website at www.pcisecuritystandards.org contains a guide on how to stop skimming.

The other argument

Getting the card industry to move to chip technology on its own may not happen, though. "No country has moved to chip and PIN unless the government mandated the change," said Chris Noel, a Senior Vice President with ANXeBusiness Corp. "It's a stretch to say PCI would not be needed if we went to chip and PIN, but it would lessen the need."

Not every expert agrees new chip and PIN technology is needed or warranted. Mark Rasch, Director of Cybersecurity and Privacy Consulting for Computer Sciences Corp., said the Michaels theft may not be "a breach of PCI standards. A data loss is not necessarily a breach. This is a technical definition but a meaningful one. If the thieves are putting fake POS terminals out there, then the store terminals may be functioning correctly, but the thieves just added something to them." Rasch added it's not possible to write contractual requirements to prevent every possible security problem and noted the PCI DSS has had many revisions in its history. "The store is not intended to be Fort Knox," he said. "PCI is a contractual requirement, not a statutory or regulatory requirement."

A comprehensive approach

Rasch believes chip and PIN technology is moderately more secure than mag stripe, but it has disadvantages, too. "If people can swap terminals and capture mag stripe information, they can swap terminals and capture chip and PIN information, too," Rasch said. "There's no difference." Another disadvantage Rasch noted is that the introduction of chip and PIN would be expensive, requiring new cards and readers at every card-accepting retail location.

Rasch encourages merchants to take a holistic, comprehensive approach to cyber security. "PCI compliance is not the end of security, it's the beginning," he said. "Merchants need to think about security from the moment the customer takes their card out of their wallet to the moment the sale is completed and the information stored. They need to start thinking like hackers."

He added that the PCI DSS should be continually updated to reflect new threats. "The whole point of the security standards is not to prevent fraud but to bring fraud down to where we get acceptable levels of loss," he said.
