Threat of the Week: Has PCI Failed?
With data breach following data breach, from Target to hotel management company White Lodging, Neiman Marcus and Michael’s, the question now is getting asked: Has PCI DSS – the Payment Card Industry Data Security Standards – flat-out failed?
Is it time for retailers and financial institutions alike to look for new protections that are more reliable?
Gartner analyst Avivah Litan is an outspoken advocate of the need to recognize PCI’s limitations.
“How much evidence do we need? PCI is not stopping the big breaches,” she said in a Credit Union Times interview. “It’s unrealistic to expect PCI to solve this problem.”
PCI defenders generally – and specifically in the Target case – have argued that PCI as such is fine; it’s the implementation that faltered.
But Litan derisively snorted at that.
“Target obviously slipped up,” she said. “But you can’t always say about every breach, ‘they didn’t really implement PCI properly.’”
Perhaps, she suggested, there are so many moving parts that it becomes very difficult to implement PCI properly.
Litan’s suggestion was to scrap the current approach and instead “bake security into the data. Point to point encryption would be a good solution.”
A troubling metric for PCI DSS success comes from Verizon which, in a recent report, said that a staggering 88.9% of businesses failed their baseline compliance tests.
“There are significant issues around knowing how to maintain compliance,” said Verizon PCI Practice Lead Ciske Van Oosten in an interview.
Note, however, that Van Oosten said there is encouraging news in the Verizon report. He indicated that in 2013, more than 82% of organizations were compliant with at least 80% of the PCI standard at the time of their annual baseline assessment. That is sharply up from the 32% that had similar compliance in 2012.
His point: organizations may be failing, but they are getting closer to achieving passing grades, and so their defenses are higher.
Van Oosten also indicated that Verizon favors continuing PCI DSS standards. He elaborated that the chances of a breach succeeding are significantly reduced if an organization is PCI compliant.
However he noted: “Can PCI help reduce breaches? Yes. But it doesn’t give you a guarantee; you need multiple layers of defense.”
Rick Ewart, a Miami Lakes, Fla. CPA who does substantial IT auditing of credit unions with a focus on security, added that organizations that approach PCI with a “check the box” mentality - that is, they are going through the motions of compliance to satisfy regulators - may not see significant gains.
“If you bolt on security to meet examiner requirements, you typically will have more problems,” said Ewart.
He added: “If you really buy into PCI, if you are proactive and think about security as part of the process, you will see the benefits.”
Stephen Cobb, a researcher at Eset, a security firm headquartered in San Diego, split the difference when it comes to supporting, or dissing, PCI DSS.
On the one hand, he said, “The standards give people the impression that compliance means safety, and that is not true. That overlooks the reality that cybercrime has become professionalized. The criminals are highly skilled and disciplined.”
That is why Cobb insisted: “I would not be surprised if we continue to see news of large breaches of credit card systems for the foreseeable future.”
Yet he also said, “It’s not useful to say PCI is dead. There is a need for standards. People need guidance. But it’s only guidance. It’s not a checklist that makes you safe.”
In other words: follow the standards ... but then do whatever else needs doing to keep confidential information secure.
Bob Woodbury, a senior vice president at FIS Global, offered muted support for PCI in this comment: “We believe PCI has provided some real benefits to the industry. The question is whether further PCI standards will materially increase the effectiveness of PCI.”
Put more plainly: Is it worth the bother to try to patch PCI DSS?
Woodbury pointed to new, potentially highly secure transactions rooted in mobile technology as a possible safer direction.
“FIS is a proponent that mobile based transactions introduce multiple layers of additional security over today’s static magstripe, or even EMV transactions,” he said.
From built-in use of PINs through possible augmentation of mobile with biometrics, such as Apple’s Touch ID fingerprint sensor, Woodbury indicated that mobile may be a path out of the present insecurities of mag stripe cards, and suggested that is where eyes should be focused, and not necessarily on trying to beef up PCI DSS.
But as much as experts point to possible upgrades from current mag stripe PCI security standards – be the solution mobile, EMV, or yet something else – a shared reality is that for the next year, PCI DSS will be the prevailing security protocol.
And maybe, strangely, even if PCI is flawed, it does not matter.
Litan, whose criticisms of PCI fueled this debate, said that because PCI has proven so porous, financial institutions and card networks have gotten very good at short-circuiting fraud after a breach. They take proactive steps, essentially as soon as a breach is disclosed, and that is paying off.
Litan’s current estimate for all fraud as a result of the Target breach of some 40 million credit card accounts: $30 million.
“There will be very little fraud,” said Litan. “Everybody is so on top of this now.”