Is PCI the Humpty Dumpty of Information Security?
"All Visa's Horses and All Visa's Men couldn't put PCI back together again" -- is this where we are?
The question isn't if PCI is broken. The standard obviously is in need of repair, or as some observers recently said -- "major changes." I won't say PCI is broken, just in dire need of some remediation and change, including the enforcement of PCI-DSS and need for continuous monitoring of networks. The need to improve it is apparent to many, including the Department of Homeland Security committee that conducted the hearing.
Obviously, Visa and the other card companies have invested a great deal of time, money and effort to get a wide range of merchants, payment processors, acquirers and issuers to accept PCI and embrace it as a standard. But the subcommittee chairwoman Yvette Clarke hit the nail on the head when she said PCI should be the floor, not the ceiling, for information security compliance.
The fact is: PCI is better than what existed before it came along, and without it there would most likely be a plethora of merchant breaches. But the time for a two-year cycle of changes to PCI-DSS and the requirement of unanimous votes on changes to PCI-DSS is over. If it isn't clear yet to the credit card companies and others, cyber war has been declared on the credit card industry. And it has been for several years. The current financial crisis has just kicked it up a notch. Also, the hackers have the advantage because there are some holes in the PCI security fabric.
PCI, according to an unnamed security expert at a financial institution, is "clearly not good enough to defend against the sophisticated attacks we are experiencing." The use of clear text card data on any network is just asking for trouble, my source says, but under current PCI requirements it is allowed provided the network is private, i.e., not connected to the Internet.
The hackers that are attacking entities such as TJX, Hannaford, Heartland and RBS WorldPay are not stupid; in fact, they're really smart. "They know that the processors accept large batch files, and some of these are not encrypted in transit between the merchants and processors," the source says. "And of course the card data is unencrypted on at least part of the processor private network."
After looking at what other countries are doing with "chip and PIN" technology to cut fraud, such as all of Spain's merchants agreeing to use chip and PIN, even Clarke came to the conclusion that the US is behind on technology. Yes, it may take a giant effort and cost to upgrade all the merchants, processors and banks, but the day is coming when the "breaking point" or tipping point will be reached. How much more fraud loss can the industry sustain? It's interesting to note that I saw the same thing my unnamed source saw during the testimony. He says it was "interesting that the PCI people at the hearing pushed how great PCI is, but did not mention chip and PIN technologies." Their silence says a lot about how they feel about it.
Let's be clear -- PCI is not going anywhere, even with the implementation of a chip and PIN solution or end-to-end encryption across the industry. We will still need PCI controls to keep data secure, because clearly there is no silver bullet, no magic beans or pixie dust that will absolutely guarantee a system can't be hacked.
The last thing I'd like to note is that if it takes a DHS Congressional hearing to bring these issues out into the open, well, then that hearing was a good thing. I'd expect the PCI community to wake up and realize that if the federal government suspects that PCI isn't working, then there needs to be some swift and obvious changes to how PCI works -- before there are federal regulations enacted to enforce information security and data protection in the payments industry.
A study just released by Verizon Business has a glaring fact that all "PCI-compliant" companies will want to heed. The study found that in 75 percent of the confirmed breaches the company (victim) wasn't compliant with PCI-DSS or, even worse, had never been audited. One of the common reasons that Verizon discovered among businesses that weren't compliant with PCI was that they failed to monitor all of their network segments or to test their security systems and processes on a regular basis. Do you see a pattern for PCI modification here? How about a call for continuous network monitoring with IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)? It's hard to break into a system when the red alarm sensor light is blinking. If these changes don't come soon, the credit card industry will end up being regulated like banking, which continues to be one of the most heavily regulated industries in the country. The hearing before the DHS subcommittee is just a reminder of what will come if change does not come swiftly.
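Two of the gaps raised above fit together: the source's complaint that clear text card data still travels in batch files and across "private" networks, and Verizon's finding that non-compliant victims weren't monitoring all of their segments. One concrete control that a continuous monitoring program can run is a cleartext PAN detector over what actually crosses the wire or lands in a batch file. The following is an added example written for this article, not code from the PCI Council, Verizon or any processor named here; the batch file contents are constructed, and the card numbers are the industry's public test numbers, not real accounts. It finds candidate 13- to 19-digit runs (with optional spaces or dashes), drops the ones that fail the Luhn check so that order numbers and similar identifiers don't raise alarms, and reports each hit with the PAN masked to first six / last four so the alert itself doesn't become another copy of the card data.

```python
import re
from typing import Dict, List

# Constructed sample of a settlement batch file as it might appear in transit
# between a merchant and a processor. Card numbers are public test numbers
# (4111111111111111 and 5500000000000004); the others are invented.
SAMPLE_BATCH = """\
HDR,MERCHANT-0001,20090331
TXN,4111111111111111,0309,24.99,order=1234567812345678
TXN,5500-0000-0000-0004,1210,118.50,order=A7731
TXN,4111111111111112,0811,9.99,order=A7732
TXN,tok_9f3a5c7e1b2d,0000,42.00,order=A7733
TRL,4
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit from the right is doubled and digits above 9 are
    reduced by 9; the total must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits, the usual display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and return Luhn-valid PAN candidates.

    Each finding records the 1-based line number, the masked PAN and the
    length, which is enough for an alert without storing the card number.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(
                    {"line": lineno, "masked": mask_pan(digits), "length": len(digits)}
                )
    return findings


def batch_is_clean(text: str) -> bool:
    """Convenience check: True when no cleartext PAN was detected."""
    return not find_cleartext_pans(text)


if __name__ == "__main__":
    # Run the detector over the constructed sample and print an alert per hit.
    for f in find_cleartext_pans(SAMPLE_BATCH):
        print(f"ALERT line {f['line']}: cleartext PAN {f['masked']} ({f['length']} digits)")
    print("batch clean:", batch_is_clean(SAMPLE_BATCH))
```

On the sample above the detector flags lines 2 and 3 (the dashed form is normalised before the check) and stays quiet on line 4, whose number fails Luhn, and on the order number, which also fails Luhn. The token on line 5 is what a tokenised or end-to-end encrypted flow would look like to this check: nothing to find. A check like this is cheap to run on span ports, file drops and log pipelines, and turning it up on an internal segment that is "allowed" to carry cleartext data is exactly the kind of finding the hearing was asking for.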