Exorcising the PCI demons

Share

Josh Corman, Principal security strategist with IBM Internet Security Systems, is on the record stating, “PCI is the Devil.” He is not alone; there is a fairly large group of security professionals that decry PCI.

For non-security specialists, the Payment Card Industry (PCI) standard was promulgated by the credit and debit card industry as a set of security “best practices” retailers and others accepting card-based payments need to follow if they are to continue doing business with card issuers.

As the vast majority of consumer transactions—even buying a $2.00 latté from the local espresso hut—use plastic, not currency, complying with PCI standards is an absolute requirement for most companies doing business.

Well and good, but adherence to PCI offers almost zero protection against security breaches and intrusions. Hardly a week goes by without some hapless retailer or “e-government” agency suffering an embarrassing and costly data breach targeting payment card-based information.

Payment card hackers recently achieved a new world record with a prince among data thieves caught with over 160 million credit card account numbers in his possession. Among the IT security chattering classes, PCI has become the poster child for all that is wrong with regulatory controls.

But let’s get back to Josh’s demonological metaphor and consider some of the ways that PCI resembles the Lord of the Flies.

The Devil is a tempter. PCI offers its adherents access to the riches of the world—at least those attainable through debit and credit cards—so long as they vow allegiance to PCI’s commandments. The PCI value proposition is so compelling that no retailer can resist it.

The Devil is a liar. PCI does not make retailers secure against hackers. The sorry history of breaches, blowouts, and damaged reputations attests to that. Far from proposing state of the art security protections, the standard dates back to the 1980’s and contains a mishmash of computer-oriented and physical security measures to be followed by adherents.

The scary thing is that PCI is probably the best that most organisations seem to be able to do to protect a transaction technology based on account numbers, fixed user identities, and passwords.

Changing the standard would probably mean obsolescing the vast corpus of payment card industry infrastructure. Card issuers are not about to let the tail of improved security processes wag the dog of billions of dollars of capital investments.

The Devil is a trickster. PCI has led countless companies and organisations to confuse compliance with security risk reduction.

Security professionals often find themselves on the short end of an argument that pits complying with a standard perceived as necessary for staying in business against taking actions to block threats that may or may not present themselves.

The Devil hates humanity. As at least one commentator has pointed out, the PCI standard is a brilliant way to shift responsibility for IT security from card issuers to retailers.

Retailers did not invent and institute the technologies that have proven so vulnerable to moderately skilled hackers. When a breach occurs, card issuers can shrug and talk about their devotion to promulgating security measures, knowing that the retailer will be left holding the bag, so to speak.

The Devil is a wolf in sheep’s clothing. There are two groups that will vehemently defend the virtues of PCI by providing insight into the benefit it provides those who must adhere, but in almost every case these PCIantists are the ones who really benefit.

Vendors that provide PCI solutions and those that provide PCI auditing services, also known as qualified security assessors (QSA), will always position PCI not as a necessary evil but a gift from above and why shouldn’t they, the more we all have to comply the more money they all make.

At this point, readers may ask, with all of the Devil’s failings and track record in doing harm to innocent parties, why do people adhere to him? Well, remember the old saying that begins, “Better the devil you know…”?

Promoted