10/23/2014

Re: Bob Russo: Breached!

CardNotPresent.com published an article last week that featured an unusually candid Bob Russo. For those who aren’t familiar with that name, Russo is the recently retired GM of the Payment Card Industry Security Standards Council (PCI SSC). As GM and cheerleader-in-chief, Russo spent most of the last decade trying to get merchants to buy into PCI’s standard and to convince us all that PCI compliance was the be-all and end-all.
In the article, apparently based on remarks he made at the CNP Expo last May, Russo explained how PCI-compliant businesses keep getting breached by likening it to a personal experience. You can read the full article on CNP’s site (a free, one-time registration is required), but the short version is this: Russo’s New York City home is very well secured. He has security doors, an alarm, surveillance cameras, and a dog. In his words, the property was “PCI compliant” and met all of the protective standards. Yet, two years ago, he was the victim of a burglary. The thief made off with a laptop, a GPS navigation unit, a camera, and a few other items – ironically stuffed into Russo’s PCI SSC backpack to facilitate a quick getaway.

Despite his obvious security mindset and the considerable resources he spent making his house “compliant,” Russo was still the victim of a breach. A crook entered his environment, rooted around, took what interested him, packaged it all up in a PCI-branded backpack, and walked out the door with it. Ironic proof that PCI’s checkbox method of compliance validation is no long-term guarantee of security.

This demonstrates the fundamental flaw in the PCI system (and in the prevailing approach to data security in general) that we have been trying to help people understand for 10 years: as long as merchants continue to store sensitive data in their environments, thieves will continue to exploit vulnerabilities and oversights to steal that data.

So many security professionals are worried about digging deeper moats and building bigger walls to protect the princess (sensitive card data) within their castle, but the best solution is to get the princess out of there in the first place. We know that there is no silver bullet to security and that a persistent, skilled attacker will eventually find an “in,” so the trick is to keep payment data out of the merchant’s environment.

We recognize that asking Russo to keep his laptop and GPS unit in a safe deposit box at the local bank would be impractical, but for merchants securing their customers’ payment data, such a thing is both simple and cost-effective. By leveraging point-to-point encryption and tokenization in the brick-and-mortar world, and a direct-post solution (like i4Go®) plus tokenization for online retailers, merchants can essentially remove all sensitive card data from their networks and their physical environments – leaving hackers with nothing to steal.

Of course, mass adoption of this method would leave merchants with no card data environments, making PCI all but irrelevant. So, we don’t expect Russo and the PCI to get behind us on this any time soon. But as merchant advocates, it’s still our duty to promote the best course of action for the businesses we serve. Don’t worry; we’ll keep trying to get the truth out and – hopefully – someday PCI will catch up (or go away).