The Green Sheet Online Edition
November 28, 2011 • Issue 11:11:02
PCI: Target or shield
Since 2006 and the formation of the PCI Security Standards Council (PCI SSC) by the major credit card brands, identity theft and data breaches have continued to escalate - from large-scale incidents, impacting more than 130 million credit and debit cards, to an alarming and recent focus on small businesses.
According to the Verizon 2011 Payment Card Industry Compliance Report, roughly 80 percent of businesses in 2010 were not 100 percent compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), an evolving standard managed by the PCI SSC to increase controls around cardholder data in an effort to reduce fraud.
To make matters worse, retailers and politicians often view breaches as an opportunity to attack the PCI DSS. Meanwhile, industry leaders and the PCI SSC forge onward with promoting adherence to and updating the data security standard. This article will explore some of the most common attacks on the PCI DSS and how merchants and the ISOs and acquirers that serve them can better understand, embrace and deploy the standard within their organizations.
Caught in the crossfire
Most criticisms of the PCI DSS are overly broad, demonstrating a lack of understanding of the standard or a failure to review even the most basic of its requirements. Others are very specific, and those are more often than not already being discussed by the PCI SSC or addressed in updates to the standard, such as the PCI DSS 2.0. Let's explore some of the most common criticisms.
1. PCI DSS has done little to stop payment card data thefts and fraud. In public statements following a 2009 data breach, Heartland Payment Systems Inc. Chief Executive Officer Robert O. Carr claimed his company had implemented and abided by every single one of the security controls mandated by the PCI DSS. In an interview with Computerworld, Carr said the breach pointed to both the sophistication of the attacks against Heartland and the inadequacy of relying on PCI controls alone for data security.
2. PCI is overly complex and expensive. Michaels Stores Inc. Chief Information Officer Michael Jones testified before a U.S. congressional subcommittee that the PCI DSS requirements are "very expensive to implement, confusing to comply with and ultimately subjective, both in their interpretation and enforcement." He continued, pointing out that it is often stated there are only 12 "requirements" for PCI compliance when, in fact, there are more than 220 subrequirements.
3. PCI standards are not evolving quickly enough. According to Rep. Yvette Clarke, D-N.Y., much of the PCI compliance limitations have to do with the static nature of the standard's requirements, which Clarke believes are ineffective at dealing with the highly dynamic security threats that retailers and other merchants now face.
Paul Henry, Security and Forensic Analyst for Lumension, echoed Clarke's sentiment, stating, "At a time when cybercriminals only now need a day to create an exploit, we need a shorter mandatory timeframe for critical patch deployment, not a longer time." Henry has been vocal about what he views as PCI security compliance weaknesses. For one, he believes the patch lifecycle testing process should be shortened and that the firewall requirements are far too vague.
4. Other technology, such as chip and PIN, will better protect against breaches. Cindy Merritt, Assistant Director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, believes the cavalcade of recent breaches should lead the payments industry to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives such as chip and PIN.
PCI - An evolving standard
While the list of complaints may seem lengthy, the truth is the PCI DSS has forced the payments industry, financial institutions, businesses of all sizes and even consumers to pay more attention to information technology (IT) infrastructure and personal data security, and notable progress has been made toward improved security.
1. PCI DSS has curbed payment card data thefts and fraud. Anyone in the security field knows that achieving a 100 percent effective defense against identity theft and hacks is impossible. That said, experts believe it is not the PCI DSS itself, but rather inadequate implementation of the standard that limits the effectiveness of protective measures. Visa Inc. Chief Enterprise Risk Officer Ellen Richey stated, "...no compromised entity has yet been found to be in compliance with the PCI DSS at the time of a breach."
Also, when Bob Russo, General Manager of the PCI SSC, spoke with Computerworld about the Heartland breach, he said the fact that it resulted from a basic SQL injection error calls into question Carr's claims about the sophistication of the attack and the preparedness of the organization.
Adopting and maintaining adherence to the PCI DSS is simply the best way for merchants, ISOs and acquirers to protect card data. The standard's framework helps businesses build a security and compliance culture, while serving as an effective baseline for merchants needing to layer on additional security.
A VeriSign white paper analysis of 112 assessments, titled Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, found that most merchants did not meet the PCI DSS requirements mandating regular monitoring and maintenance of security systems and processes (30 of the 112 achieved PCI compliance; 82 did not).
Following are the top reasons cited for PCI audit failure:
- 74 percent of merchants failed requirement 11: regularly test security systems and processes
- 71 percent failed requirement 10: track and monitor all access to network resources and cardholder data
- 66 percent failed requirement 1: install and maintain firewall configuration to protect data
- 60 percent failed requirement 12: maintain a policy that addresses information security
- 56 percent failed requirement 6: develop and maintain secure systems and applications
2. PCI is manageable when priority and resources are given to the important initiative. Merchants can either embark on PCI compliance alone or consult with a trusted ISO or acquirer. Engaging PCI compliance experts, especially for smaller merchants with fewer internal or IT resources, can make the PCI compliance effort much less daunting, often resulting in a more affordable approach to achieving compliance. Typically, ISOs and acquirers turn to third-party PCI compliance and security solutions vendors for support - a relationship that is often included in existing payment processing fees.
3. Approaches to applying PCI standards are evolving. Far too many merchants have a security mindset focused on the wrong goal - PCI compliance. Yes, merchants must meet the requirements, but achieving compliance should be an ongoing exercise in establishing a secure environment, not a pat on the back when a PCI certificate is received.
Constant monitoring of security posture, which the standard requires, will help merchants quickly evolve to meet breach threats. The PCI SSC supports these efforts with updated standards as well as the dissemination of supplemental guidelines including the PCI DSS Wireless Guidelines Information Supplement.
4. Advanced technology, such as end-to-end encryption and Europay/MasterCard/Visa (EMV), should be considered for use in conjunction with PCI. Merchants, ISOs and acquirers should consider tokenization, which replaces cardholder data with a surrogate value, or token. The PCI SSC has provided high-level guidance on how tokenization can reduce a merchant's PCI scope. Point-to-point encryption (P2PE), which encrypts transaction data from the point of swipe to the processing entity, should be deployed by all businesses handling card-present transactions.
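To make the tokenization idea above concrete, here is an added example (written for this article, not code from ControlScan or the PCI SSC) of a constructed in-memory token vault: the vault is the only component that ever holds a primary account number (PAN), every downstream system keeps only the surrogate token, and the index key and card number are constructed sample values.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example: the one place a PAN lives; everything else sees tokens."""

    def __init__(self, index_key: bytes):
        self._by_token = {}     # token -> PAN (encrypt at rest in a real deployment)
        self._by_pan = {}       # HMAC(PAN) -> token, so the lookup index holds no PANs
        self._index_key = index_key  # assumed secret, kept inside the PCI zone

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._by_pan:  # the same card always maps to the same token
            return self._by_pan[idx]
        while True:
            # Format-preserving: same length, last four kept for receipts, random middle.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # This example makes tokens fail Luhn so one can never pass as a live card number.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the PCI scope, can turn a token back into a PAN."""
        return self._by_token[token]
```

The reduction in scope comes from the fact that a stolen token is useless without access to the vault, which is why the vault itself must stay inside the PCI DSS boundary.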
The PCI SSC has issued a P2PE roadmap and initial guidance on hardware-based solutions; a listing of validated solutions is expected in the spring of 2012.
While EMV is often heralded as the next step, or even the "end all, be all" in card data protection, the PCI SSC points out limitations with EMV in PCI DSS Applicability in an EMV Environment: A Guidance Document, which addresses how EMV can operate within the PCI DSS to secure both card-present and card-not-present transactions.
Terms of agreement
There is a statement both sides can agree upon: PCI compliance has largely been adopted as a point-in-time event. To be truly effective in preventing hacks and breaches, merchants and the ISOs and acquirers that serve them must maintain a continually vigilant security posture through the use of layered security, internal policies, continual review of all transaction equipment and payment terminals, and guidance from PCI-compliance and security solutions vendors.
The following correspondence from a PCI-compliance provider to its customers demonstrates the importance of consistent application of and adherence to the PCI DSS:
"The card associations [now companies] require all merchants to become PCI compliant to help defend against credit card fraud and data breaches. Utilizing a PCI-compliant payment application or e-commerce gateway is not enough to be considered compliant. PCI compliance extends beyond the payment application and covers your systems and how you conduct business and manage your customer's data. Noncompliant merchants are subject to penalties and fines in the event of a data compromise which, as you can imagine, severely impacts your customers as well as your business. We have made every effort to make the process as quick and easy as possible."
Today, consumers are much more conscious of identity theft and protecting personal information than in the past. The PCI DSS provides a prescriptive baseline that improves security posture while providing a firm security foundation to build on. Meeting PCI compliance standards by constantly and vigilantly monitoring business practices through the lens of the security standard is good for business.
By protecting against cardholder fraud, merchants are fulfilling a valuable service and obligation to customers, as well as protecting one of their most important assets: their business reputations.
Steve Robb is Vice President of Products & Services for Atlanta-based ControlScan Inc., a provider of PCI compliance and security solutions that fit the specific needs of small- to medium-sized merchants. He can be reached at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.