It's Time to Get Serious About PCI as a Regulation
I had an interesting email from a colleague the other day. Turns out someone he knows had recommended that he read a post of mine from January in which I discuss the value (or lack thereof) of having controls in place that don't function. He wanted to let me know about the reach of BIS and let me know that our audience is aware, paying attention and apparently taking notes. But in trying to figure out which post was being referred to, I wound up taking an unintentional stroll down BIS Blog memory lane.
Eventually I stumbled across a post from last June in which I discussed the role and significance of PCI-DSS and the banking community. Briefly, for those who don't know about PCI, it's the credit card industry standard for information security intended to protect credit card transaction data. So there I was having just blogged about Heartland and the impact it's having on the banking community, I'm reminded about a blog post in which I discuss having controls that look great but don't function as intended and wrap it up by finding an old post about PCI and the banking community. A sad but relevant convergence of topics if ever there was one.
What we have here with the Heartland breach and those exactly like it is a situation where a reasonably strong control framework failed to do its job, the banking industry has little to nothing in place to protect their customers/members from such violations, and an already bleeding industry experiences yet another significant wound. Where do we go from here?
Timing is everything -- a tried and true cliché and one that fits this situation like a glove. We have a new presidential administration that really seems to get what's going on in our country. President Obama and his team have already proven that the promises of a campaign have not been forgotten. In the first month in office there have been significant steps taken to try and stabilize the economy. Additional steps are being taken to untangle and stabilize the mortgage crisis. And so with this in mind and with a President who understands the value and widespread reliance on technology (he refused to surrender use of his Blackberry -- my kind of guy), there's never been a better time to take decisive steps to address the crisis of both identity theft and credit card fraud. And we're already off to a solid start.
First and foremost, the PCI standard truly is a solid framework to build upon. Let's make it the law rather than an industry requirement. Some states have already done so, and now it's time for the rest of the country to follow suit. If you manage, store or process anything electronically with credit card information involved, you need to be required by law to adhere to a basic set of controls to protect that information. The framework part is done, figure out the proper degree of enforcement and make it the law.
Second, put in place the system to make sure that the rules are being followed, that the controls are in place and are routinely tested for effectiveness. Perhaps it becomes a function of the FTC or DHS; I haven't quite worked that part out just yet. But there should be a team of examiners that inspect retail Point-of-Sale equipment, network and telecommunication equipment used to transmit the data to the processors, the processors themselves and ultimately the issuing entity (e.g. banks, credit unions, credit card companies, e.g.). Every handshake along the way and every piece of equipment used to conduct and settle a transaction needs to be reviewed. Honestly, if we could pass Sarbanes-Oxley and enforce it for the past five years despite its breathtaking ineffectiveness, this one should be a no-brainer. And for those PCI practitioners who may beg to differ with my opinion of the standard, PCI is to Sarbanes-Oxley what Shakespeare is to the Sunday Comics, and I'll gladly debate anyone on that point.
Third, make security awareness the responsibility of everyone involved in issuing, processing and using (yes, using) credit cards. Note:
- I'm not suggesting that Heartland happened because consumers used their cards irresponsibly, but I'm amazed by how many people use ATM's in gas stations and convenience stores. No cameras anywhere, usually little to no physical security controls and virtually no idea if the device being used is legitimate. How many times have you given a waiter/waitress your credit card and took eyes off of them while they processed the transaction? So few of us ever think to worry about who has access to our information when it's in what we perceive as a trusted environment; that has to change.
- For those who take credit cards for payment, there needs to be a heightened sense of their role in the process. Are you placing the card down on a counter, face-up for all to see? Does the equipment your using look right to you? Are transactions taking longer to settle or sometimes not going through when they always did before?
- People who work in secured facilities need to be more aware as well. Who do we let into our computer rooms and data centers? What are they doing while there? Having monitoring in place is great but that's all about detective controls. Keeping the bad guys out to begin with is far and away the better approach. For some great ideas on this check out Steve Katz's most recent blog post, but everyone involved in any part of the lifecycle of a credit card transaction needs to be constantly thinking, assessing and keeping their eyes open.
Fourth (and final), punishment for those convicted of identity and credit card theft has to be significant. If this is treated like just another white-collar crime with short, thirty-six-month medium security prison terms, the reward will likely be perceived as greater than the risk. I routinely point out that cyber-crime is a greater threat because there's a perception that individuals aren't really hurt, but rather the big, bad banks and credit card companies absorb the loss, and they can afford it. This allows otherwise decent law-abiding citizens who are desperate to consider using stolen credit cards and/or identities to acquire and then convert to cash everything under the sun. But we've come to learn that the damage is incurred on many levels. People suffer serious damage to their credit worthiness, businesses can be forced to close, and for institutions that are forced to manage the process of alerting their account holders of the breach and working with them to reduce their risk, there's a real cost that comes at the worst possible time.
Heartland needs to serve as the rallying point for all of us, consumer, retailer, processor and issuer alike. This is the event that needs to bring PCI to the masses, have it become the law and be given the muscle necessary to make it work. And if anyone out there has a better idea, I'd like to hear about it.