BankInfoSecurity.com - Information Security News, Regulations, & Education

The Future of PCI: 4 Questions to Answer

As PCI Conference Begins, Security Debate Heats up Over Key Issues
September 22, 2009 - Linda McGlasson, Managing Editor

Editor's Note: Managing Editor Linda McGlasson is in Las Vegas this week to cover the 2009 PCI Security Standards Council Community Meeting. This is the first in a series of reports she will file on the Future of PCI.

It's been an interesting year for the Payment Card Industry Data Security Standard (PCI DSS, or just PCI).

On one hand there were the Heartland Payment Systems (HPY) and Network Solutions data breaches, after which at least one industry analyst declared it's time to "stop pretending that PCI is working."

On the other, there is the State of Nevada, which has passed a new law requiring businesses to comply with PCI when collecting or transmitting payment card information.

In the middle is a debate among payment card companies, banking institutions, merchants, industry groups and even congressional leaders, questioning the merit of the standard and all hinting at the same open question: What is the future of PCI?

PCI stakeholders are gathering this week for the 2009 PCI Security Standards Council Community meeting in Las Vegas, NV. Among the questions sure to be discussed at this conference:

1) What About End-to-End Encryption?
Following the announcement of the Heartland breach, company CEO Robert Carr called for end-to-end encryption efforts and acceptance of that standard by the payments industry. Heartland even has piloted such a program, but critics say this initiative has a long road ahead if it's to become an industry standard. This is likely to be a major topic for discussion this week and in the coming months.

2) Is Chip and PIN Viable?
In the wake of the year's bigger breaches, some PCI critics have called for U.S. adoption of the UK's chip and PIN security standard, which relies on smartcard technology to reduce point-of-purchase fraud. Alas, the solution is not as effective in online card-not-present (CNP) transactions - one of the fastest-growing fraud schemes. Still, given discussion of chip and PIN at a congressional hearing earlier this year, the solution is likely to get significant consideration in the PCI debate.

3) What are PCI's Limits?
Gartner analyst Avivah Litan has been one of the more outspoken PCI critics, arguing that U.S. card issuers and the industry need to strengthen the core of card payment security. "Card fraud is getting out of control in many areas, and bank card fraud detection systems across the globe are struggling to keep up," Litan says.

Following the recent indictment of Albert Gonzalez for the Heartland breach, Litan asserted it's time for the U.S. card industry "to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working."

Litan's statements will fuel the ongoing debate.

4) Where are the Lessons Learned?
The PCI debate has been riddled with contradictory statements. Following the Heartland breach, the company stated publicly that it was PCI-compliant at the time of the hack. But then Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, countered: "We've never seen anyone who was breached that was PCI compliant."

Network Solutions likewise argues that it was PCI compliant when it was breached. But David Taylor, CISSP and founder of PCI Knowledge Base, says it's a mistake for anyone to equate "compliant" with "impossible to breach."

There is no way that a committee that has to consider what is "reasonable" and "affordable" to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet, Taylor says.

One common refrain in PCI discussions this year has been that PCI compliance represents a point in time - not a permanent state of being. To ensure ongoing compliance, financial services firms and merchants need to engage in a detailed, ongoing review of service providers to better understand what is specifically being done to protect data at rest and in transit.

No doubt, the names Heartland and Network Solutions will come up frequently in the ongoing debate. The key is: What are the lessons learned from these incidents, and how will the payment card industry strengthen its standards?

The answers to those questions will shape the true future of PCI.

What are the biggest PCI questions you want answered in the coming months?

The answer is Dynamic Authentication of the card, the cardholder data, the payment device, the data recipients and the transaction details.

You need to build a system that protects the consumer. The system should presume that the card data has already been stolen or will be at some time. Rather than trying to shroud cardholder data in secrecy (which is an impossible task) the card/token and the cardholder data should be AUTHENTICATED with a process that yields machine readable, dynamic, one-time-use authentication values. Then, stolen cardholder data, whether sniffed or skimmed, has no value. When you make stolen cardholder data useless, would-be criminals have no incentive to steal it. When you AUTHENTICATE the card and its data, encryption is a nicety but not a necessity.

Stop the insanity of PCI. We need to get over treating the symptoms (PCI) and fix the problem (flawed product). Credit cards as they are today are inherently insecure (duh!). The banking, financial institutions and payment processors generate revenue from the use of their products and services. The Merchants (pick your level) generate revenue from selling widgets and services. Credit cards are an "expense" to the merchant. The solution and related cost for fixing the problem should be borne by those who benefit from the use of card or electronic payment. The merchants need to focus on delivering widgets and services that are safe, reliable and as advertised. The card industry needs to do the same.

I keep reading in these articles "if the merchant wants to take credit cards" then they need to do x,y, and z or risk the consequences. No merchant "wants" to take an insecure form of payment; they are "forced" to, and for that they get to pay the credit card industry for that privilege. This whole discussion needs to factor in "risk and reward" into the scenario for finding a solution.

I think the card industry "forgets" who their customers are in the discussion. It is not just the end consumer.

On the contrary, Chip and PIN has a great deal to offer CNP fraud. The chips can be used to encrypt online transactions to render them non-replayable.

It's time we thought about leveraging chip cards in settings beyond retail EMV terminals, to safeguard Internet e-commerce payments. Inexpensive external smartcard readers have been popular in places like Taiwan for years. And new PCs with integrated smartcard readers are even making inroads in the US (driven by the government PIV program); see e.g. Dell e6500 with contact and contactless readers built in.
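The "dynamic, one-time-use authentication values" in the first comment and the "non-replayable" chip transactions in the comment just above rest on the same idea: the card proves itself with a value bound to this transaction, so a captured copy is worthless. The following is an added simulation of that principle, not code from any commenter or from the PCI Council; the shared key, the transaction counter and the card_authenticate/Issuer names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key shared by the card/token and the issuer (hypothetical;
# a real scheme would derive a per-card key from an issuer master key).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def card_authenticate(key: bytes, counter: int, amount_cents: int, merchant_id: str) -> str:
    """Card side: compute a one-time authentication value bound to this transaction.
    The monotonically increasing counter makes the value differ even when the
    amount and merchant repeat, so a sniffed or skimmed copy is single-use.
    The static card number is not an input: knowing it alone yields no valid value."""
    msg = f"{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Issuer side: recompute the value, compare it, then advance the counter so
    the same value (or an older one) is never accepted again."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def verify(self, counter: int, amount_cents: int, merchant_id: str, auth_value: str) -> bool:
        if counter <= self.last_counter:
            return False  # replay or stale counter: that value has already been spent
        expected = card_authenticate(self.key, counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, auth_value):
            return False  # details altered, or value not made with this card's key
        self.last_counter = counter
        return True

def demo() -> tuple:
    """Walk through the scenarios the comment describes; returns the four verdicts."""
    issuer = Issuer(CARD_KEY)
    tag = card_authenticate(CARD_KEY, 1, 2500, "M1")   # legitimate $25.00 purchase
    first = issuer.verify(1, 2500, "M1", tag)          # accepted
    replay = issuer.verify(1, 2500, "M1", tag)         # same captured values again: rejected
    altered = issuer.verify(2, 9900, "M1", tag)        # captured value, new amount: rejected
    nxt = card_authenticate(CARD_KEY, 2, 1200, "M2")   # next genuine purchase still works
    second = issuer.verify(2, 1200, "M2", nxt)
    return first, replay, altered, second

if __name__ == "__main__":
    print(demo())
```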

"Why do companies claim they are PCI compliant when they are not?"

How can you be compliant with the requirement to monitor logs "at least daily" when you were breached for months and months?

How can you be compliant with the requirement for file integrity monitoring software when malware is installed on your servers and survives reboots over a period of months?

How can you be compliant with the requirement to limit inbound and OUTBOUND traffic from the cardholder data environment when you let your servers and point-of-sale terminals talk to the Internet in general?

PCI is not the problem. The problem is companies refusing to take responsibility for their own inactions. Heartland and other companies knew or should have known they were not in compliance. It's not up to an auditor to tell you that. You should have a very good idea going into the audit.

Mr. Carr of Heartland complained that security monitoring was a 24x7 job. Yes, it is, just like monitoring your card processing systems is a 24x7 job.

Heartland wasn't a mom-and-pop donut store chain accepting cards for payment. Their sole business was storing, processing and transmitting cardholder data.

PCI is a great standard, but one area they need to address is Level 4 merchants. Stop saying "ask your acquirer" about what needs done. Make all Level 4 merchants file an SAQ-D every year.
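The comment above asks how a cardholder data environment whose servers "talk to the Internet in general" could satisfy the outbound-traffic and daily log-review requirements. As an added illustration, not the commenter's code or any PCI tool, this Python check reviews constructed firewall log lines and flags accepted connections from a hypothetical CDE subnet to anything other than an assumed allow-listed processor gateway.

```python
import ipaddress
import re

# Constructed addresses: the CDE subnet and the only destination the CDE may
# reach (the processor's gateway). Both are hypothetical.
CDE_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_EGRESS = {("198.51.100.20", 443)}

# Constructed firewall log format: timestamp, verdict, source, destination, port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one allowed gateway call, one internal DB connection,
# one unexpected web fetch, one blocked IRC attempt, one non-CDE host.
SAMPLE_LOG = """\
2009-09-20T03:14:07 ACCEPT src=10.10.0.12 dst=198.51.100.20 dport=443
2009-09-20T03:14:09 ACCEPT src=10.10.0.12 dst=10.10.0.5 dport=1433
2009-09-20T03:15:22 ACCEPT src=10.10.0.31 dst=203.0.113.77 dport=80
2009-09-20T03:15:40 DROP src=10.10.0.31 dst=203.0.113.77 dport=6667
2009-09-20T03:16:01 ACCEPT src=10.20.0.8 dst=203.0.113.9 dport=443
""".splitlines()

def egress_violations(lines):
    """Return (timestamp, src, dst, port) for every accepted connection that left
    the CDE for a destination not on the allow list. DROPs are the firewall doing
    its job; traffic that stays inside the CDE is not egress."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real daily review should count these too
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if m["action"] != "ACCEPT" or src not in CDE_NET or dst in CDE_NET:
            continue
        port = int(m["dport"])
        if (m["dst"], port) not in ALLOWED_EGRESS:
            findings.append((m["ts"], m["src"], m["dst"], port))
    return findings

if __name__ == "__main__":
    for finding in egress_violations(SAMPLE_LOG):
        print("CDE egress outside allow list:", finding)
```

Run daily against the previous day's export, an empty result is the expected state; any finding is either a missing firewall rule or a host doing something it should not.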

Compliance does not necessarily equal security. It's a good starting point and framework upon which merchants can establish good security practices. It's impractical, as Taylor states, to equate compliance with "impossible to breach." There are clearly some challenges with the Standard and its management by the card brands, but that can be expected with such a large-scale effort and such a varied constituency. Credit card data security is a crucial issue; I hope that constructive and pragmatic voices (and actions) prevail in the ongoing debate and improvement of the Standard instead of focusing efforts on debating whether or not PCI is the cure-all.

A few points...

PCI represents a baseline security posture and configuration. HAVING such a baseline is important, but as the article mentions, creates no guarantees. Without the baseline, rewind the clock to 2005 when payment card processing was the wild, wild west, with no specific limitations or requirements.

In order for PCI to remain relevant, it must evolve at the rate of technology, which means you need an updated PCI every 12 to 18 months, matching the rate of technology innovation and consumer availability of commercial and open source tools -- an example being RFID readers and smart chip scanners that can be purchased readily today, that were not available four years ago... or were prohibitively expensive.

PCI, just as with GLB, describes a set of standards. With GLB, the audit process for those standards is very well-defined as a result of having standard MDPS / FFIEC audit criteria. HOWEVER, some issues are ultimately subjective and are left to the interpretation of the individual auditor, leaving some variation in the ultimate determination of "what is GLB-compliant?"

Unfortunately, PCI is very well understood, but the audit process is not, leaving much more variation and therefore less value in the "PCI Certified" stamp of approval. The industry would significantly benefit from issuing detailed audit standards, down to the level of testing methodology that is used to determine PCI compliance.