
Rationalising the Irrational

The card brands, Visa, MasterCard, JCB, American Express and Discover, are all mandating the universal and unquestioning acceptance and implementation of the PCI-DSS.  The justification for this has always been presented as a means of ensuring the protection of Cardholder Data, whatever that means.  None of the card brands has really explained what this "protection" actually means, or how it works.  Apparently it is good enough to refer to security, card fraud and a "better safe than sorry" approach, without ever explaining how the security controls defined within the PCI-DSS prevent card fraud.

I am not going to argue why PCI-DSS is a complete waste of time and effort, other than to say that even if the whole world were secured to PCI-DSS standards, the "sensitive data" defined within the PCI-DSS, the PAN, would still be freely available in the public domain: embossed on the front of the card and encoded on the magstripe.  If it is accepted that the PAN is "sensitive data", then this is a completely irrational approach, and I have no interest in attempting to convince experts who cannot see this otherwise.

In EMV-land, the implementation of the PCI-DSS is also irrational.  In the UK, the number of magstripe transactions accepted at the point of sale is trivial: generally less than 1%.  However, they originate primarily from the US, and appear to account for well over half of all chargebacks.  This indicates a correlation between fraud, as measured by the level of chargebacks, and magstripe, as indicated by the fact that the chargebacks are mainly coming from the US (and I know that the US banks shouldn't be raising them, because the transactions are clearly fraudulent, but they are, which makes me think that the real fraud is much higher, because they are coming from only a very small handful of banks).  I don't think it unreasonable to ask what the implementation of the PCI-DSS would do to prevent US magstripe fraud in the UK.  No answer is not acceptable, but no answer is the answer being given by the card brands!  So can anyone else answer this, rationally?  It is my opinion that the implementation of the PCI-DSS will do absolutely nothing to prevent this type of fraud, because it can't!  The implementation of PCI-DSS is already widespread in the US, but whilst the level of home-grown fraud in the UK is falling year on year as the investment in EMV pays off, US magstripe fraud is growing.  Implementing the PCI-DSS in the UK is not going to make this fraud go away.

The only rational rationale presented by the card brands in support of the forced implementation of the PCI-DSS that I am aware of is the one that says, quite strongly, that it's in the contract, and if an organisation chooses not to become PCI-DSS compliant, then the organisation is effectively choosing not to accept cards.  This argument is rational, from the perspective of any retailer in doubt over their obligations to the card brands, and has the added advantage of being very easy to understand, but ... it is still irrational!  So why are the card brands persisting in rationalising the irrational?  There must be more to it.

Call me a conspiracy theorist if you like, but read on before judging.  The PCI-DSS does make sense as a framework and as a set of guidelines.  However, it makes no sense as a prescriptive mandate focused on protecting the PAN and other "sensitive data", because the so-called "sensitive data" isn't sensitive under EMV, and the PAN isn't a risk vector either.  I have not yet heard a coherent counter argument to this, and it's not for the want of listening.

The card brands have made it absolutely clear that the PCI-DSS will be implemented around the world, and that those regions where there has been considerable investment in EMV must now invest in the PCI-DSS to "protect" those regions where there has been no investment.  This is irrational; surely the rational approach would have been to mandate EMV in the undeveloped nations (I am employing irony here: those who get it will know that I mean the US) instead of arguing, incoherently, that even in EMV regions the PAN still presents a risk if it is let out into the open.

I am no expert on the US legal system, but I have had a look.  It seems to me that there are a number of bills, at varying stages in the bill lifecycle, that refer to the protection of personal data; there are also bills related to the cost of data breaches and the cost of recompense.  None of these bills refers directly to payment cards and card-related data, but there is a remarkable similarity between them and some of the principles of the PCI-DSS.  It would also appear that the case for the PCI-DSS was made in March 2009 by Bob Russo, the General Manager of the PCI Security Standards Council, and others, to the House Committee on Homeland Security, which I find very odd; or maybe it's all beginning to make sense?

Funding for the events of 9/11 has been attributed to credit card fraud, which means that credit card fraud has become a global issue for US Homeland Security: it is no longer a regional financial issue that can be resolved locally, as in the UK and the rest of the EMV world.  It would appear that we now have an issue that can only be resolved globally, by implementing a global card data security standard.  The PCI-DSS is not, therefore, a solution to the losses that might be suffered by individual cardholders; it is a "security" solution for the world.  The PCI-DSS is really an anti-terror strategy and not a cardholder-focused financial integrity strategy.

The problem is that whilst forcing the implementation of the PCI-DSS in a region where card fraud is at a ten-year low, and falling, might be irrational, the requirement for PCI-DSS isn't going to go away, because the requirement isn't based on any rational analysis of real-world card fraud vectors.  It would appear that even though the card brands have repeatedly failed to present any valid arguments in support of the forced implementation of the PCI-DSS, they are still pushing the mandate.  Perhaps this is because they are not really doing the pushing, and the Committee on Homeland Security is not limited by rationality!


Comments: (3)

Stephen Wilson - Lockstep Consulting - Sydney, 27 October 2010, 07:46

Bravo David.  I am not sure I agree with your underlying theory, but I'm in total alignment with your criticisms. 

PCI-DSS -- like most security management standards -- provides protection against accidental breaches and against amateur attacks.  But it cannot do anything to stop highly organised crime gangs, nor inside jobs.

The fundamental problem is that PANs are currently replayable.  But if we instituted asymmetric encryption between smartcards and merchant servers, we could render stolen numbers totally useless.  And we could preserve the four-cornered card processing model as is, avoiding all the horrid legal novelty and contractual changes that go with 3D Secure and its ilk. 

PCI-DSS does nothing at all to prevent the replay of stolen numbers; it does nothing to undercut the value of stolen numbers to criminals.  It is like shutting the stable door after the horse has bolted (or putting a steel door on a grass hut, as the Smartcard Alliance has said). 

And here's perhaps some more grist to the conspiracy theorists' mill: is it a coincidence that those other "innovations" tokenization and end-to-end encryption don't do anything to protect against stolen PANs either?!


Stephen Wilson, Lockstep.

A Finextra member, 27 October 2010, 10:37

Hi Stephen, thanks.

I have moved on to the conspiracy theory because I can't find any other rationale.  I have had the question open with MasterCard (up to and including Bruce Rutherford) for the last four months, and they haven't been able to tell me why - Hmmm!  What else could it be?

I have to take you to task on the replay attacks though - they only work where the merchant isn't following the appropriate remote transaction rules - it isn't an EMV or PCI problem!  Implement 3-D Secure, for example, and the problem goes away (more or less).  I would argue that MOTO is a very weak argument for PCI, but it would also seem to be the only one left - apart from my Homeland Security theory, obviously.


Stephen Wilson - Lockstep Consulting - Sydney, 28 October 2010, 00:00

I look at the whole card fraud problem from first principles.  The flaw in the system is that account numbers are replayable, and merchant servers cannot on their own tell good numbers from stolen ones.  There are a few ways to render numbers unreplayable.  CAP with dynamic signature is one; 3D Secure is another.  I advocate a third way, which is to asymmetrically encrypt (digitally sign if you will) transactions between the smartcard and the merchant. This is similar to CAP but subtly different; the chief advantage over CAP is that a proper PKI based system doesn't require an intermediate authentication server, so it's more scalable and lower cost.  It also skirts the clunky CAP reader problem.

Regarding 3D Secure, it has two fundamental problems (not to mention the practical problems of phishing-like pop-ups and the high transaction drop-out problems).  Firstly, 3D Secure represents a major departure from the elegant, mature four corner architecture.  For the first time in decades, we have the Issuer being joined directly to the Cardholder at the time of transacting.  The whole point of the four party model is to separate Issuer and Acquirer; to break that principle I think has immediate impact in terms of legal complexity, and I fear it will have unforeseen consequences as well.  From an IT point of view, 3D Secure adds significant new overheads, with a host of new messages being sent back and forth between the 3D Secure directory and the merchant server, and the issuer to the cardholder.  So it's inherently inelegant -- and sloooow.

The other fundamental problem is that any protection offered by 3D Secure against replay doesn't come from the protocol but rather from the personal authentication device that is used to identify the cardholder against the issuer.  3D Secure is agnostic to authentication method, which is allowed to vary from bank to bank. Typically the Issuer just re-uses whatever gadget they've already issued for Internet banking.  So some 3D Secure implementations use OTP dongles, some use SMS, some just use passwords.  Doh! 

Of course, 3D Secure can use smartcards, in CAP readers, or in connected readers.  This seems to me to be the only way to make 3D Secure properly non-replayable.  And then we can go one step further ... if transactions are signed using a smartcard, they can be validated at once by the merchant server without needing to be pushed through the 3D Secure cycle.   I've worked out a hybrid architecture that blends 3D Secure with chip, and thereby manages to push the Cardholder-to-Issuer authentication 'under the covers'.  Happy to discuss further offline.
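Added example (not from the original post or from either commenter): a minimal model of the signed-transaction scheme Stephen Wilson sketches in his two comments above, with a per-card asymmetric key, transactions signed on the chip, and verification at the merchant's own server with no issuer round trip.  Everything concrete here is an assumption for illustration, not EMV, CAP or 3-D Secure: the card key is ECDSA P-256 from Go's standard library, the hash is SHA-256, the merchant's challenge is a 16-byte random nonce, the Transaction field layout is invented, and distribution of the card's public key (in practice an issuer-signed certificate) is left out.  The PAN travels in the clear throughout, which is the point being made: it is public, and a stolen copy is worthless without the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the merchant asks the card to authorise. The field
// layout is an assumption of this example, not an EMV or 3-D Secure format.
type Transaction struct {
	PAN         string   // account number: printed on the card, so public
	AmountMinor uint64   // amount in minor units (pence)
	MerchantID  string   // who the authorisation is for
	Nonce       [16]byte // merchant-chosen challenge, fresh per transaction
}

// digest binds every field into one hash; the nonce makes a signature single-use.
func digest(tx Transaction) []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], tx.AmountMinor)
	h := sha256.New()
	h.Write([]byte(tx.PAN))
	h.Write([]byte{0}) // separators keep variable-length fields unambiguous
	h.Write(amt[:])
	h.Write([]byte(tx.MerchantID))
	h.Write([]byte{0})
	h.Write(tx.Nonce[:])
	return h.Sum(nil)
}

// CardSign is the one operation the chip performs for a merchant. The private key
// never leaves the card; the merchant holds only the public key (certificate omitted).
func CardSign(card *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, card, digest(tx))
}

// Merchant verifies on its own server, with no round trip to an issuer.
type Merchant struct {
	ID     string
	issued map[[16]byte]bool // challenges handed out and not yet spent
}

// Challenge issues a fresh nonce the card must include in what it signs.
func (m *Merchant) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	m.issued[n] = true
	return n, nil
}

// Verify accepts a transaction only if it names this merchant, carries a nonce
// this merchant issued and has not yet seen used, and verifies under the card's
// public key. Success spends the nonce, so the same signed message is rejected next time.
func (m *Merchant) Verify(pub *ecdsa.PublicKey, tx Transaction, sig []byte) error {
	if tx.MerchantID != m.ID {
		return errors.New("signed for a different merchant")
	}
	if !m.issued[tx.Nonce] {
		return errors.New("nonce not issued here or already spent (replay)")
	}
	if !ecdsa.VerifyASN1(pub, digest(tx), sig) {
		return errors.New("signature does not verify under the card's key")
	}
	delete(m.issued, tx.Nonce)
	return nil
}

// Scenario returns the merchant's verdict on a genuine purchase, on a replay of that
// exact signed message, and on a forgery by someone holding the PAN but not the key.
func Scenario() (genuine, replay, forged error) {
	card, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	m := &Merchant{ID: "shop-001", issued: map[[16]byte]bool{}}
	n, _ := m.Challenge()
	tx := Transaction{PAN: "4111111111111111", AmountMinor: 1999, MerchantID: m.ID, Nonce: n} // constructed test PAN
	sig, _ := CardSign(card, tx)
	genuine = m.Verify(&card.PublicKey, tx, sig)
	replay = m.Verify(&card.PublicKey, tx, sig) // captured pair presented again
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // knows the PAN, not the card's key
	n2, _ := m.Challenge()
	tx2 := Transaction{PAN: tx.PAN, AmountMinor: 50000, MerchantID: m.ID, Nonce: n2}
	sig2, _ := CardSign(thief, tx2)
	forged = m.Verify(&card.PublicKey, tx2, sig2)
	return
}

func main() {
	g, r, f := Scenario()
	fmt.Println("genuine:", g, "\nreplay :", r, "\nforged :", f)
}
```

Run with go run: the genuine presentation verifies, the replay is refused because its nonce has been spent, and the forgery fails signature verification even though it carries the right PAN and a freshly issued challenge.  Binding the merchant ID into the signed data is what stops a signature obtained at one merchant being relayed to another, and a real deployment would expire unspent challenges rather than keep them forever.  Note what the signature does not prove: that the card was in the hands of its rightful holder.  Cardholder verification is the separate question raised above about 3D Secure's authentication methods, and this scheme leaves it to the card (PIN) or the issuer.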
