Stephen Wilson - Lockstep Group

An ounce of prevention is better than a pound of audit

01 May 2009  |  5151 views  |  0

While dissatisfaction with the PCI standards has been simmering for some time, the debate is now boiling over.  And not before time.

In March, the US House of Reps’ Homeland Security Committee held a hearing as to whether PCI security standards have been effective in reducing cybercrime. The chair, in his opening remarks, suggested empirically that “the PCI Standards are of questionable strength and effectiveness.” 

Over the years, the finance sector’s primary response to card fraud has been to require merchants to gather more and more corroborating data to prove that a customer is who they say they are.  But just as credit card numbers fall into the wrong hands, so too do CVVs!  The more identity data customers are required to divulge, the more ends up being stolen and turned against them.

The CIO of the US National Retail Federation told the PCI hearing that “The PCI guidelines are onerous, confusing, and are constantly changing”.  He noted the irony that “the credit card companies’ rules require merchants to store credit card data that many retailers do not want to keep” (his emphasis).  

In security circles, critics are currently revisiting the fundamentals of compliance audit, but in this debate, history is sadly repeating itself.  The past is littered with businesses that have passed all sorts of audits, only to let their customers down.  ISO 9001 quality certified companies can turn out defective products; ISO 27001 security certified companies can get hacked; audited public companies can go bankrupt.  Each generation seems doomed to revisit a tired old question: What good is any audit?

An audit is just a snapshot.  If a company passes an audit, it tells us that on the day, they were found to be in compliance with some set of criteria.  But between then and the next audit, nobody can say what was going on. 

And yet these technicalities are unedifying.  Ordinary users have a right to expect that if a company passes its security audit then it ought to be “secure”! 

The ugly truth is that most audits are horridly mechanical.  I speak from experience: I’ve been an auditor, and I’ve also been audited, under all sorts of conformance regimes.  Every six months or so, the auditor rolls in, armed with the report from the last visit, to check if non-conformities have been remedied.  But all too often the auditor is a brand new junior, looking at the business for the very first time.  Worse, the client representative is frequently also new, and had their first look at the audit report in hurried preparation for the visit.  The parties face off, consumed by paperwork, and can’t see the forest for the trees. 

I don’t think I’m being overly cynical, but in any case, even the best run audits are inherently blinkered.  Audits find problems, but the absence of findings does not mean an absence of problems. 

In my view, the PCI regime will generally reduce accidental breaches, and help fend off amateur attacks.  But PCI can do little to thwart inside jobs or the sophisticated attacks of organised crime gangs. 

The rewards to be gained from credit card fraud are now so enormous that no amount of security policy or conformance audit can deter organised cyber criminals, let alone defeat them. 

The PCI approach was always going to be a losing battle: an expensive endless loop of collecting ever more personal data to verify identity, and then needing to safeguard it all against theft.  It’s like putting out fire with gasoline. 

It’s high time that the underlying problem was dealt with properly.  We need to remove the profit motive for stealing and trading credit card data.  We need to make stolen credit card data worthless. 

The best long term solution probably lies in leveraging smartcards online, to digitally sign each transaction, rendering it unique and non-replayable.
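To make that last point concrete, here is an added example (not the author's or Lockstep's code, and not a model of EMV): a hypothetical card that signs every transaction with a key held only on the card, and an issuer that rejects any message it has seen before. It assumes a symmetric key shared between card and issuer, with an HMAC standing in for the digital signature; the PAN on its own, or a captured transaction, buys a thief nothing.

```python
import hashlib, hmac, json, os

def canonical(pan, amount_cents, merchant_id, nonce, counter):
    # Fixed encoding of the signed fields, so card and issuer agree byte-for-byte
    return json.dumps([pan, amount_cents, merchant_id, nonce, counter], separators=(",", ":")).encode()

class Card:
    # Chip-side model (hypothetical): the key never leaves the card; every signature covers an issuer nonce plus a counter that steps once per transaction
    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0
    def sign(self, amount_cents, merchant_id, nonce):
        self.counter += 1
        msg = canonical(self.pan, amount_cents, merchant_id, nonce, self.counter)
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
                "nonce": nonce, "counter": self.counter, "tag": tag}

class Issuer:
    # Issuer-side verifier: check the tag, then refuse any nonce or counter seen before
    def __init__(self, card_keys):
        self.card_keys = card_keys      # PAN -> key shared with that one card
        self.open_nonces = set()        # nonces issued but not yet consumed
        self.last_counter = {}          # highest counter accepted per PAN
    def new_nonce(self):
        nonce = os.urandom(8).hex()
        self.open_nonces.add(nonce)
        return nonce
    def verify(self, tx):
        key = self.card_keys.get(tx["pan"])
        if key is None:
            return False, "unknown card"
        msg = canonical(tx["pan"], tx["amount"], tx["merchant"], tx["nonce"], tx["counter"])
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tx["tag"]):
            return False, "bad signature"   # the PAN alone cannot produce a valid tag
        if tx["nonce"] not in self.open_nonces:
            return False, "nonce unknown or already used"
        if tx["counter"] <= self.last_counter.get(tx["pan"], 0):
            return False, "counter replayed"
        self.open_nonces.discard(tx["nonce"])
        self.last_counter[tx["pan"]] = tx["counter"]
        return True, "ok"

def demo():
    # Constructed run: one genuine payment, then the captured message replayed and altered
    key = b"constructed-demo-key-not-a-real-card-key"
    card, issuer = Card("4111111111111111", key), Issuer({"4111111111111111": key})
    tx = card.sign(4995, "MERCHANT-01", issuer.new_nonce())
    first = issuer.verify(tx)                 # (True, "ok")
    replay = issuer.verify(tx)                # (False, "nonce unknown or already used")
    return first, replay, issuer.verify(dict(tx, amount=99995))  # altered amount fails the tag
```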

Tags: Risk & regulation
