05/24/2012

PCI Provides No Benefit to Merchants

This post was written by Steve Sommers, Shift4’s SVP of Applications Development. His insights and expertise are shared regularly on his personal blog, http://paymenttidbits.blogspot.com.

When the Payment Card Industry (PCI) Council was formed, I (like many in the payments industry) was excited. But, over the years, I have gradually lost faith in the program and now I am left questioning whether or not PCI has any benefit to merchants.
PCI’s well-intentioned early aspiration was to combine all the individual security requirements from the various card brands and merge them into one “best practice” standard. All the individual requirements from the various card brands merged into one consistent standard? This was a thrilling proposition! Unfortunately, it didn’t take long before the glamour started fading and glimpses of a darker future for PCI started to show (see PCI SSC Show Their True Colors — Regulate for Profit!). In this time of turmoil, as they monetized the PCI Council and built an entire industry around it, I still held out hope that PCI was good. When PCI finally recognized tokenization as an “emerging technology,” I got excited again (see PCI SSC Community Meeting and Emerging Technologies). Then came the tokenization bastardization of 2011 (see Tokenization, the Newest Horse – err, Camel – in the Stable), and it’s been all downhill from there.
Impossible Standards
In the past, Visa has stated, “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” While this quote may have come from Visa, Bob Russo of PCI SSC has repeated it several times in various interviews over the years. This quote can be taken two ways: either PCI is perfect and all-encompassing and compliance guarantees you won’t be breached, or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way – and interpretations among QSAs vary so much – as to make it impossible for anyone to be 100% compliant 100% of the time.
Today, I started thinking about PCI and whether or not it was beneficial to merchants. I’ve thought for a few years now that PCI was nothing more than a liability shield for the card brands. What started out as a “best practice” for merchants has changed into a minefield, and any misstep (perceived or real) means fines and/or penalties from the card brands via the acquirers (see Rare Legal Fight Takes On Credit Card Company Security Standards and Fines). Now, don’t get the feeling that I’m blaming the card brands or acquirers and going easy on PCI – they all share an equal part of the blame. The decisions of one affect the others, and their collaborative efforts trickle downstream to the merchants.
While I want to give PCI the benefit of the doubt, and I do think security is good and that there has to be some benefit in forcing merchants to pay attention to security, I find it difficult to support these efforts – especially when I factor in the costs and realize that all this effort and expense really offers no safe haven for merchants. Think about it; no matter how hard you try to be secure, if you are breached you will be found out of compliance with one or more “best practices.” Case in point, look how quickly Visa removed Global from their PCI compliant list following the announcement of their recent breach – and this was prior to any forensics being completed or reported (see Global Payments taken off PCI lists over data breach). Losing your PCI standing after a breach has become a fait accompli. So, the real question is did a lack of compliance cause the breach, or did the breach cause the loss of compliance?
Black and White
What is the true value of PCI? What “best practices” has it really created? Well, frankly, none. The only thing PCI did was round up a bunch of existing security best practices, compile them into lists, and publish these lists as “guidance” documents. Then the card brands attached fines and penalties to punish merchants if they failed to comply with PCI “guidance” 100% of the time. PCI’s move didn’t enhance security. All it did was create an entire industry around the near-impossible task of compliance.
Most security experts agree that there is no such thing as 100% security (“most” might be an understatement; all the security experts that I know feel that way). The real goal of security is to make stealing your data so costly or time-consuming that the evildoers seek out easier targets. We know the adage that to escape the jaws of the hungry lion, you don’t have to be the fastest in the herd – you just have to be faster than somebody – anybody – else in the herd. In many ways this applies to security. You don’t need 100% security (assuming 100% security was possible), you just have to be secure enough to frustrate the bad guys into moving on to easier targets.
So the experts agree that security is not a 100%, black-and-white issue, yet the card brands continue to see PCI compliance as black or white – an entity is compliant or non-compliant – and, they say, a breach is “proof” of non-compliance.
While writing this post I read a report claiming that the Global Payments breach started in January 2011 – more than a year earlier than initially reported (see Global Breach Date Now Jan. 2011). Now, this proves much more than just my premise that 100% security – let alone 100% compliance – is impossible; it also serves as strong evidence of PCI’s total lack of value to merchants. How? Well, look at it this way. The initial breach stories mentioned that Global had just concluded their annual PCI assessment when they were attacked. Now, we all know that PCI “experts” are quick to point out that their assessments reflect only a moment in time, so Global could have been 100% at that time but breached shortly thereafter when they were unable to maintain that level of compliance. However, now that we know this breach spanned fifteen months (or longer) this means Global had not one, but two onsite PCI assessments during the breach, and neither detected an active attack! My point is that neither the PCI DSS nor their assessors helped Global in this case and that even the “point-in-time” argument is a myth. Global was found to be compliant at the very point-in-time that they were falling victim to a breach. Is this Global’s fault? I would argue that this is much more a case of PCI DSS failing Global as opposed to the other way around.
To me, the issue is this: PCI SSC promotes their work as “best practices” or “guidance”, and then the card brands turn around and flog merchants for not following them when they are breached. How can you punish someone for not following a guideline? The very fact that they don’t call much of what they publish a requirement attests to the fact that somewhere deep down they recognize that security is never 100%, PCI is not 100%, and 100% PCI compliance is impossible. So, if it doesn’t offer 100% protection, what exactly is the benefit to merchants here?
The Wrong Focus
In further thinking of all the above, I realized that there are two parts to PCI that I deal with on a daily basis: PCI DSS and PA-DSS. All the problems I described above revolve around PCI DSS. PA-DSS, on the other hand, is attainable and can be looked at as black or white. I think of PA-DSS as a seal of approval for payment applications. Demonstrate compliance and you make the list, otherwise you’re not listed. It really is that easy.
PA-DSS certification is attainable and useful; PCI DSS certification, on the other hand, while attainable, is useless (as many merchants and payment entities have learned the hard way). If I had it my way, I’d scrap the PCI DSS (or at least the compliance aspect) and find another way to motivate merchants to secure their environment. (Fines for lack of security, or maybe a better discount rate for having better security, the options are many.)
Or, perhaps instead of scrapping PCI DSS-compliance requirements, we could allow for a true safe harbor. Entities that go through the onsite validation should be immune from the fines and penalties associated with breached data. (Either the standards make them secure or they don’t. If PCI believes a compliant organization is 100% secure, they should put their money where their mouth is.)
Either way, I would absolutely keep the PA-DSS program for payment applications and I would expand it to include custom applications. My reasoning for this is simple: while having a common PCI DSS best practice list is useful, treating this list as a litmus test to determine secure or insecure, compliant or non-compliant, black or white, is a mistake. PCI DSS in its current incarnation is not a tool for merchants; instead it’s simply a whip for the card brands to use on the merchants. PA-DSS, on the other hand, is useful to merchants. It is a true testament to the security of their applications, much like the UL certification of the monitor on your desk is a testament that under normal use it won’t catch fire while you’re using your computer.
Summing it All Up
So, what have we learned? We’ve learned that PCI DSS compliance is no longer a benefit to merchants. Rather, it is a whip to be used on the merchants and a liability shield for those “in power.” While there may be limited benefit in using PCI DSS “guidance” as a checklist for security (what it was originally designed to be), merchants need to be aware that PCI DSS provides them no real protection. If and when they are breached, they will be deemed non-compliant and the expense and effort they wasted on becoming PCI compliant will be fruitless.

PA-DSS, on the other hand, does provide measurable benefits to merchants and vendors, and should be expanded. If the PCI Council hopes to remain relevant, and wants to present black-and-white standards to the industry, they should focus their efforts on PA-DSS and its ability to provide a legitimate measure of security by validating payment applications.