While dissatisfaction with the PCI standards has been simmering for some time, the debate is now boiling over. And not before time.
In March, the US House of Reps’ Homeland Security Committee held a hearing as to whether PCI security standards have been effective in reducing cybercrime. The chair, in his opening remarks, suggested empirically that “the PCI Standards are of questionable strength and effectiveness.”
Over the years, the finance sector’s primary response to card fraud has been to require merchants to gather more and more corroborating data to prove that a customer is who they say they are. But just as credit card numbers fall into the wrong hands, so too do CVVs! The more identity data customers are required to divulge, the more ends up being stolen and turned against them.
The CIO of the US National Retail Federation told the PCI hearing that “The PCI guidelines are onerous, confusing, and are constantly changing”. He noted the irony that “the credit card companies’ rules require merchants to store credit card data that many retailers do not want to keep” (his emphasis).
In security circles, critics are currently revisiting the fundamentals of compliance audit, but in this debate, history is sadly repeating itself. The past is littered with businesses that have passed all sorts of audits, only to let their customers down.
ISO 9001 quality certified companies can turn out defective products; ISO 27001 security certified companies can get hacked; audited public companies can go bankrupt. Each generation seems doomed to revisit a tired old question: What good is any audit?
An audit is just a snapshot. If a company passes an audit, it tells us that on the day, they were found to be in compliance with some set of criteria. But between then and the next audit, nobody can say what was going on.
And yet these technicalities are unedifying. Ordinary users have a right to expect that if a company passes its security audit then it ought to be “secure”!
The ugly truth is that most audits are horridly mechanical. I speak from experience: I’ve been an auditor, and I’ve also been audited, under all sorts of conformance regimes. Every six months or so, the auditor rolls in, armed with the report from the last visit, to check if non-conformities have been remedied. But all too often the auditor is a brand new junior, looking at the business for the very first time. Worse, the client representative is frequently also new, and had their first look at the audit report in hurried preparation for the visit. The parties face off, consumed by paperwork, and can’t see the forest for the trees.
I don’t think I’m being overly cynical, but in any case, even the best run audits are inherently blinkered.
Audits find problems, but the absence of findings does not mean an absence of problems.
In my view, the PCI regime will generally reduce accidental breaches, and help fend off amateur attacks. But PCI can do little to thwart inside jobs, or the sophisticated attacks of organised crime gangs.
The rewards to be gained from credit card fraud are now so enormous that no amount of security policy or conformance audit can deter organised cyber criminals, let alone defeat them.
The PCI approach was always going to be a losing battle: an expensive endless loop of collecting ever more personal data to verify identity, and then needing to safeguard it all against theft. It’s like putting out fire with gasoline.
It’s high time that the underlying problem was dealt with properly. We need to remove the profit motive for stealing and trading credit card data. We need to make stolen credit card data worthless.
The best long term solution probably lies in leveraging smartcards online, to digitally sign each transaction, rendering it unique and non-replayable.
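The signed, non-replayable transaction proposed above, as an added Go example that is not part of the original article: the card (holding a private key and a counter) signs each payment, and the issuer accepts a given signature only once, so a captured card number plus signature is refused when resent and useless when altered. The Ed25519 key, the monotonic counter and the '|'-delimited encoding are my assumptions for illustration, not a description of any real card scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("signature does not verify")
var ErrReplay = errors.New("counter already used: replay")
// Transaction is what the card signs; Counter makes every signature unique.
// PAN and Merchant are assumed not to contain '|', the delimiter used below.
type Transaction struct {
	PAN, Merchant  string
	Cents, Counter uint64
}
// bytes is the canonical encoding covered by the signature.
func (t Transaction) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d", t.PAN, t.Merchant, t.Cents, t.Counter))
}
// Card models the smartcard: the private key and counter never leave it.
type Card struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	counter uint64
}
func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Card{Pub: pub, priv: priv}, err
}
// Sign authorises one payment; bumping the counter means no two signatures cover the same bytes.
func (c *Card) Sign(pan, merchant string, cents uint64) (Transaction, []byte) {
	c.counter++
	t := Transaction{PAN: pan, Merchant: merchant, Cents: cents, Counter: c.counter}
	return t, ed25519.Sign(c.priv, t.bytes())
}
// Issuer holds the card's public key and the highest counter accepted so far.
type Issuer struct{ Pub ed25519.PublicKey; last uint64 }
// Authorise rejects a bad signature (altered or forged data) and a stale counter (replay).
func (i *Issuer) Authorise(t Transaction, sig []byte) error {
	if !ed25519.Verify(i.Pub, t.bytes(), sig) {
		return ErrBadSignature
	}
	if t.Counter <= i.last {
		return ErrReplay
	}
	i.last = t.Counter
	return nil
}
```

The card number used in the test is a constructed placeholder; a stolen PAN on its own gives an attacker nothing to present to Authorise.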