PCI DSS -- Good Isn't Good Enough

Ralph DeFrangesco

The Payment Card Industry (PCI) Data Security Standard (DSS) just does not seem to be working, and I don't see how it possibly could.

 

Last year credit card numbers were stolen from major companies including OfficeMax, Dave and Busters and, probably the most infamously, Heartland Payment Systems. Following a federal investigation, some of these companies were told that they were indeed the victim of a breach and must investigate. A few could not find any signs of a breach and therefore did not notify customers of the alleged breach.

 

The Federal Trade Commission (FTC) estimates that 50 billion is lost annually due to identity theft and credit card fraud. In response, 40 states have passed laws requiring companies to give consumers an early warning when their personal information is stolen. Companies have been reluctant to notify consumers due to loss of good will, embarrassment, or the possibility their stock might go down. This has got to change.

 

Heartland Payment Systems was recently returned to Visa's list of PCI DSS-validated service providers after completing its own PCI DSS assessment. As you may remember, Heartland was hacked last year in one of the largest breaches in history. The exact number of records stolen was not disclosed.

 

See, here is where I have the problem; the PCI DSS-guidelines are industry developed and administered guidelines and they just don't go far enough. The PCI DSS are basic security guidelines that every organization should be doing anyway. I would really have to question any organization that cannot meet these basic guidelines. There are even people out there that are pushing to lessen the requirements, putting us even greater risk. Implementing the standard is costly. Opponents argue that small organizations cannot afford to become fully compliant and PCI has driven some out of business. To that I say, too bad.


 

There is an expectation by the public that companies will properly handle their personal data. We have to go further than just the basics. We need to give the public world-class security to gain, and keep, their trust. Trust is earned, not expected.



Add Comment      Leave a comment on this blog post
May 20, 2009 2:16 AM Mike Mike  says:

Your statements a not balanced.  You are saying the equivalent of stating all dollars lost to security breaches and then using that as evidence that information security is a failed science and should be ignored.  Also, remember that infosec standards are developed by the same professionals they seem to protect.  Biased?

You cannot simply claim singularity data points and think you are telling a balanced story.

Reply
May 20, 2009 2:33 AM Ralph DeFrangesco Ralph DeFrangesco  says: in response to Mike

Mike,

Please remember I am a blogger, not a reporter. I a not required to always provide a fair and balanced perspective. I am trying to spur thought and opinions from the people that read my blog. If I brought both sides of the story, what would my readers bring? I value all opinions whether I agree or not, even yours because that's how we learn about each other. I don't mind being criticized, but criticize the content and not the process.

Thanks,

-Ralph

Reply
May 20, 2009 3:11 AM Art Art  says:

I agree that PCI-DSS is insufficient, but not with the conclusion that the solution resides with vendors.  The banks and major card brands are the ones who are most in the position to fix the problem, while suffering no major pain due to identity theft.  Vendors and customers are least in position to fix the problem, while suffering the most major pain due to identity theft.  This last relationship must be reversed if there is to be any progress.  Laws must be passed that go way beyond simple reporting of breaches and requiring of 1 years worth of identity monitoring.  Card brands must be forced to bear the entire cost of card theft, including indefinite identity monitoring and complete identity hold-harmless requirements to their customers/card holders.  In no time at all, true multi-factor authentication and transaction will be a reality.  Banks would must bear the same for any loss of identity via their web sites.  Once the people that are most able to fix the problem bear the true pain of a breach, change will happen.

Reply
May 20, 2009 10:59 AM Donny Donny  says:

I would have to agree that the standards for CISP and PCI DSS are pretty much a joke at this point. I know personally of one company that has decided since PCI is not law, then they simply will not comply with it. This company is both a merchant and a software vendor/POS supplier for Quick Service chains. This company is storing card verification information as well as unmasked cc data, electronically and in hard-copy.

Another company, which will remain nameless for now, is a global name for payment processing software, and in the Payment Processing Industry, in general. One of the software applications that it puts out (and has for over 15 years) is wide open to a simple attack that will allow a user with local access to the computer to grab unmasked cards, exp dates, and other data, and with a simple automated script, at a rate of around  1200-1500 cards per minute. And this is every version of the software that has been put out in for over 15 years. Added to the fact that their network has an open door that would allow a customer to gain access to other merchants' account information, it's safe to say that they are engaged in some big no-no's.

The first company I bring up merely to illustrate that many vendors and merchants are not only oblivious to PCI DSS standards, but they could care less when the are told about them.

The second company, according to the CISP guys at Visa (yes, I know CISP is now PCI, but when reporting software, it still goes to CISP), do not have a vulnerable application. Despite the fact that you can grab unencrypted info in very little time (and with relatively minimal effort) from the software, they are not vulnerable by CISP guidelines as they do not store magnetic data or CVV2 information. With the amount of processing in this country that is done via Ecommerce and MOTO, it doesn't take much more than name (optional), card no, exp date, and maybe a zip code... and track data and cvv2 don't really matter. Many merchant banks and softwares do not mandate that this information be put in. And even in the software that does have the verification system in place, it is normally turned off by the merchant so that there are less 'Not Captured' messages coming back from the processor, which slows down business, especially in a QSR establishment. So if you don't have to, why do it?

While I'll agree that processors and merchant banks do need far stiffer penalties for security breaches (Heartland should have been shut down for at least 12 months, if not longer ... like Maverick was), stricter regulations and more scrutinized testing should be placed on the software that allows merchants to disable features, or that allow card info to be hacked, yet they still are classified as non-vulnerable software.

While the internet and broadband connections gave the industry a boost to process in real-time, the guidelines, testing techniques, and punishment for vulnerable software (in a computer sense, not Visa's lax definition) are still years from catching up with today's technology. I would say that the PCI DSS is a small step in the right direction, but it still has miles to go ... especially when it is not enforced.

Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.