The "security bar" has to be raised on the Payment Card Industry Data Security Standard (PCI DSS), and it has to happen now.
This was the message last week from the head of a Congressional subcommittee that conducted a hearing on PCI DSS. And it's a message that is drawing mixed reactions from financial services analysts and practitioners, all of whom have fresh PCI perspectives in the wake of the Heartland Payment Systems (HPY) data breach.
The Congressional hearing, entitled "Do the Payment Card Industry Data Standards Reduce Cybercrime?", was held by the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
Yvette Clarke, D-NY, Chair of the Subcommittee, admonished the payments industry, saying "The payment card industry and issuing banks should be ashamed about the current state of play and doing everything possible to immediately institute improvements in infrastructure."
Clarke called for the U.S. payment system to move toward the chip and PIN technology used in Europe as a way to thwart the increased number of data breaches and fraud.
Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard (a joint effort of Europay, MasterCard and Visa) for secure card-present payments. The EMV standard for chip-card transactions at the point of sale is being phased in around the world under names such as IC Credit and Chip and PIN.
Industry Reactions
Gartner's distinguished analyst Avivah Litan, a recognized expert in information security issues in the payments industry, sees some benefit in the subcommittee hearing and the issues it raised.
"Card fraud is getting out of control in many areas, and bank card fraud detection systems across the globe are struggling to keep up," Litan says. "Even issuers that have moved to chip and PIN have not seen a drop overall in card fraud, because the magnetic stripe on the card is still accepted in physical locations around the world, and the card data itself is still accepted on ecommerce sites."
Litan believes Visa is finally recognizing the limitations of PCI. "They discussed some encouraging projects they are looking at such as end-to-end encryption and dynamic card authentication, which they say will 'complement PCI' and also 'perhaps' minimize PCI compliance requirements accordingly," she notes.
Litan does add that Visa "would never come out and say PCI is deficient, and no one can argue with stronger security. But Visa is subtly recognizing the limitations of relying on PCI compliance for card data security. They know they need to do something because card fraud has become a major problem for many major banks around the world."
She recommends that if there is more government regulation in this area it should "stick to enhancing and consolidating breach disclosure laws. Government should also focus on balancing the power in the card area so that it's not so lopsided in favor of the issuing banks, but also equally considers merchant and acquiring needs."
David Taylor, Founder of the PCI Knowledge Base, says he doesn't see the committee's concerns resulting in any major changes to the standards or procedures for the management of liability and risk in the payment card industry.
"The purpose of PCI is not to prevent cyber terrorism, and no security standard can prevent breaches," Taylor says. The hearing could serve to increase awareness of payment card security and focus attention on the desire of the merchant community to retain little or no cardholder data. "But I don't see the banking industry or the federal government having the stomach for mandating a multi-billion dollar changeover to chip and PIN technology anytime soon," he says.
Chip and PIN?
Tom Wills, Senior Analyst at Javelin Strategy & Research, disagrees with the idea that implementing chip and PIN in the US would solve the problem.
"While it's true that chip and PIN in the UK reduced fraud at the point of sale, total fraud suffered by UK cardholders increased in the same period as it has overseas," Wills says.
Wills doubts that a business case exists for chip and PIN in the U.S. "The cost of issuing new cards to all cardholders and new POS terminals on all merchant countertops would be less than the cost of the fraud it prevents, especially if effective protections against overseas fraud and CNP (Card Not Present) fraud aren't added at the same time," he says.
Debra Geister, Director of Fraud Prevention & Compliance Solutions at Lexis-Nexis, an Alexandria, VA-based risk management consulting company, sees no short-term gains from the current PCI discussion.
Reader Comments
As a retailer, we are not the ones out promoting the use of debit/credit. We are simply reacting to the different forms of tender being marketed by the card industry to the end consumer. For this "privilege" we are charged x% of the sale. The product is inherently flawed. The card industry needs to bear the burden (using the money already provided by the retailers and end consumers) to find a solution which is more secure and, as the article states, more balanced in approach. PCI represents good business practices to which every company should adhere, but it is not the answer to fix a fundamentally flawed product. The US Treasury has spent millions if not billions of dollars to implement technology to secure US currency against counterfeiting, and the card industry should be required to do the same.
Holland's point at the end sums up the wisdom in this article. Fixing card fraud is simply not cost-effective in the US. If it were possible to redact fraudulent transactions from customer view, the banks would do it and drive on, because the benefits of continuing to drive up transaction volumes far outweigh the costs of fixing fraud.
Professionals know that a PCI certification is a snapshot. IMHO NO truly PCI compliant entity HAS EVER BEEN BREACHED. It is certainly possible for a merchant or processor to game the PCI certification process -- kind of like having all employees wear suits on the day the assessors are on site. If we want to drive up PCI effectiveness, focus on follow-up assessments and force assessors to test, sample and review ongoing documentation of controls in order to come to a conclusion that controls are functioning continuously in the way asserted by the merchant or processor. Assessors would have to certify that they have reviewed documentation that shows ongoing effective controls and document control continuity from the previous review. This will work to end much of the PCI charade that is tolerated today.
Now, merchants and processors will SCREAM at this because they will finally have to walk their PCI talk, and pay to walk it. This scream will be very much like what we are hearing today about the onerous burden of SOX 404, especially for SMBs.
The second thing that should be done to shore up PCI is to get much more aggressive on third-party software and hardware implementations that are demonstrably insecure. Much of the POS infrastructure runs on tired old legacy equipment that contains serious flaws and embedded vulnerabilities. Merchants running such equipment should be put on notice that their PCI cert will be null on such and such a date if they do not upgrade. Providing incentives to swap out insecure legacy equipment might help.
Finally, a roadmap to something like chip and PIN in North America should be clearly defined so that merchants and processors can be sure that their hardware and software upgrades and investments will allow them to converge with a more secure future. Remember SET? Remember VbV? Merchants do.
A couple of things in regard to this article. For one, none of the sources quoted in this article on the problems of PCI are even certified PCI QSAs.
Also, while the PCI requirements are not a cure-all, they are a step in the right direction. I do know a little bit about the Heartland situation. For starters, regardless of the "stamp of certification" they received, since they were compromised, they were not PCI compliant. If they were compliant, the particular way in which they were compromised would not have happened.
I would have to say that if it weren't for the PCI requirements we would probably be hearing of a lot more Heartland and TJX type breaches.
This article focuses on new initiatives to reduce debit/credit card fraud. This article, but more importantly THE INDUSTRY, has missed an easy-to-remedy solution to some of the debit/credit card fraud. I have heard that this lack of control comes from VISA and merchants.
If a bank customer loses their card and an unauthorized individual uses the card to make purchases and does signature-based transactions vs. a PIN-based transaction, NO IDENTIFICATION is asked for by the merchant. I have verified this with other bankers, and we have been told that VISA does not require the merchant to ask for identification at the point of purchase because the merchant is concerned with keeping their customer lines moving, not because of a requirement from VISA. When the customer notices there is an unauthorized purchase on their account, the loss goes to the bank. This ruling is 100% wrong. The chargeback should go back to VISA or the merchant, since the merchant is where this should be stopped. In most cases, by asking for identification and verifying the signature on the card, or approved ID, against the sales slip, it should be apparent that an unauthorized purchase is occurring, and the fraud would stop at the point of sale. Of course this control would reduce SALES, and merchants would not want to ask for ID, but the control must go back to the merchant. A trained clerk can stop much of this preventable fraud. And this is such an easy solution to implement.
Here are some key points to consider:
- "Chip and PIN" only works at the point of sale, and is bypassed for "cardholder not present" transactions, including phone and internet sales. The largest growing sector of fraud is computer-based. Although "Chip and PIN" has reduced fraud AT THE POINT OF SALE by 80%, computer-based fraud is unaffected, and continues to grow at the same rate as everywhere else. So it seems that once again our political leadership is undereducated about the true risks, but is more than willing to become involved in helping complicate the problem.
- Visa's "3-D Secure" is an attempt at securing online transactions, but has some key deficiencies, such as being confusing to end-users who can't tell the difference between a phishing scam and a legitimate transaction process step. The net-net is that there is no "good" solution right now for securing online transactions "on the net".
- Compare Gramm-Leach-Bliley to PCI-DSS. GLB, although "recent", is already dated. Although the FFIEC continues to issue updated guidance, keeping technology standards updated, in reality any change to GLB will LITERALLY require an act of Congress. Meanwhile, PCI-DSS is fluid and agile because it's privately owned. There may (or MAY NOT) be some holes in PCI, but they can be plugged by the industry experts who develop and maintain the standard, rather than by non-technical politicians.
- MasterCard says Heartland WAS NOT in compliance with PCI standards at the time of the breach. Therefore, it seems to me that adding additional regulation would not have helped, if the regulation already in place was not being followed. So perhaps more rigorous monitoring is called for, but how does one propose to quantify that for the purpose of legislation?
- The biggest risk when it comes to credit card fraud is the consumer. Whether from "voluntary" disclosure through phishing or Nigerian scams, or involuntary disclosure through malware, the consumer is the biggest risk in the entire process. Pass all the laws you want, but the "risky consumer" will be unaffected.
As a parting thought, banks have already started to torque down consumer security requirements for online banking access, using tactics such as multi-factor authentication that are not impossible to circumvent, but do succeed in shifting the target of opportunity elsewhere (the assumption being that criminals go after the easy target). That said, my opinion is that multi-factor authentication for ALL credit card transactions is a necessity -- this is already part and parcel of the PCI-DSS, but not enforced at the level of the consumer's transaction. Why not??
Risk vs. reward. If we continue to stick to the same outdated magstripe technology, we will need to raise the reward for issuing the devices, as the risk is becoming too great.