End of PCI DSS?
Executives with data security firms and payment processors agreed last week that the era of a familiar, relatively reliable standard for protecting consumer payment data may be drawing to a close.
The news that the Target thieves had compromised data from perhaps 110 million accounts overall, and that other retailers, including luxury retailer Neiman Marcus, had suffered breaches, suggested the Payment Card Industry Data Security Standard, the accepted standard for card data security for over a decade, may have become irrelevant, the executives said.
They also noted that there is nothing currently in the works, except cards with embedded chips, which are still some months or years away, to replace it.
Target initially reported 40 million customers had their data compromised at the point of sale while an additional 70 million appear to have had their personal data compromised as part of an older breach which was discovered while the company investigated the first breach.
At roughly the same time, Neiman Marcus revealed its card breach, and other retailers are also reported to have had breaches, but so far none of them have stepped forward.
Eric Chiu, co-founder and president of HyTrust, a cloud security firm in Mountain View, Calif., advanced the notion that the payment industry’s current data security strategy may finally have failed. In a Jan. 13 interview with Credit Union Times, Chiu suggested that 2014 may become the “Year of the Data Security Breach” unless payment industry executives find a way to more quickly and thoroughly update card data security standards and practices.
The payments industry in the U.S. has relied upon merchants, processors and issuers complying with the requirements of the PCI DSS since the end of 2004, and Chiu praised the standard for having prevented an unknown number of attacks and breaches. “We would probably be even worse off if we didn’t have it,” he said.
The existing PCI DSS seeks to maintain payment card data security by mandating what parts of the process must be encrypted and what level of complexity that encryption must maintain. It also limits the amount of consumer payment data that retailers can store online.
But by its nature, the standard is slow to update, complicated to monitor and difficult to implement, Chiu said, and there is evidence that hackers have begun finding new and innovative ways to repeatedly defeat it.
Critics have observed that consumer data protection can often appear ephemeral. A retailer can be compliant with PCI DSS standards on the day auditors arrive, but then fall out of compliance a week or month later when it installs new point of sale software or a new server. That makes compliance extremely difficult to maintain in a rapidly innovating and shifting payments industry, Chiu observed.
He further pointed out that the data standard is also tasked with protecting a steadily growing amount of data, citing reports suggesting that the data taken from Target, Neiman Marcus and other retailers did not pertain only to payment data, but also to names, addresses and other consumer data taken from other parts of the retailers’ networks.
“What I have been saying for some time is that we may need to change our data security approach from solely protecting the data and networks from intruders on the outside to also focusing on protecting data from intruders we believe have managed to get inside,” Chiu said.
Too many data protection regimes are like M&M candies, he explained. “They are hard on the outside and soft on the inside. Retail corporations, processors, anyone who is keeping consumer data, need to start asking themselves, ‘How would I protect consumer data if I believed hackers were already able to access our network?’”
Chiu agreed with the observation that more widespread movement to cards which validate transactions through embedded chips would go a long way to fight fraud at the point of sale, but added that the steadily expanding range of theft targets means that protecting data networks will remain an abiding concern for some time.
“Since consumer data can be held and used for identity theft and other frauds for months and possibly years later, its value has steadily risen. Anything that valuable is going to need additional protection,” Chiu observed.
For its part, the PCI Security Standards Council, the organization that develops and promulgates data security standards for the payments industry, has generally declined to give detailed statements about the breaches but has pointed out the investigations are ongoing, so it might be too early to determine what exactly failed in each of these breaches.
Council executives also pointed out that its latest round of changes to the PCI DSS, so-called PCI DSS 3.0, which came into effect on Jan. 1, might very well have prevented the Target breach had Target implemented them.
Target has said that the source of the breach was malware which infected its point-of-sale terminals.
But Steve Ruwe, chief risk officer for payments CUSO PSCU in St. Petersburg, Fla., faulted what he said was the attitude among too many executives that complying with PCI DSS is enough in and of itself.
“You would be surprised at how many people I hear say that they are compliant with PCI and then say it like, ‘Hey, I’ve done my bit’ or ‘I’ve done what I’m supposed to do,’” Ruwe remarked, arguing that more executives need to remember that PCI compliance is just the first thing, or the minimal thing, that needs to be done.
“If you are serious about data security, you put PCI DSS into place and then find a security professional to help you figure out what else you should do,” Ruwe said.
Ruwe added that the idea of figuring out how to better protect data from attacks from hackers who manage to get on the network deserves more study and added that the Target breach, ironically, is showing some of the virtue in that approach.
“Despite initial reports to the contrary,” Ruwe pointed out, “none of the compromised cards had their PINs compromised. If there was one thing Target did right, it was to encrypt those PIN numbers,” he said, adding that part of the answer might be “making sure your network environment is as hard as possible to breach and then doing what you can to make consumer data unusable to thieves.”