In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry’s data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent.
An undisclosed number of transaction records from TJ Maxx, Marshalls and other TJX stores had been compromised. “Removed” by intruders, even. Exactly which records, when and by whom, the $16 billion retailer was unsure, although The Wall Street Journal later put the number of affected credit cards at more than 40 million. Behind the scenes, TJX executives began working with law enforcement and additional outside security experts to try to identify and fix the problem, prior to a January announcement of the breach.
Meanwhile, in San Francisco, Visa was going public with an announcement of its own. Technically, if its merchants aren’t compliant with the Payment Card Industry (PCI) Data Security Standard, Visa can cut off their ability to accept Visa cards—a death sentence for commerce. Despite deadlines that had come and gone, however, only 36 percent of Visa’s largest merchants were following the rules. So starting in April, banks whose retail customers were in compliance and had not suffered security breaches would be eligible to receive funds from a pool of up to $20 million. In addition, Visa warned, it would increase fines to banks whose retail customers were not compliant and make PCI certification a requirement for some pricing discounts.
As far as Visa is concerned, the standard is working—if only merchants would adopt it. “To date we have not seen that a PCI-compliant entity has been compromised,” Eduardo Perez, vice president for payment system risk at Visa, told CSO in January. Although he would not comment on the TJX incident specifically, he continued: “In every instance we’ve dealt with, compromised entities have not been compliant with PCI.”
For critics, however, the TJX breach proves something else entirely. “It’s a perfect example of where the PCI program is not working,” says Avivah Litan, vice president and research director at Gartner. “It’s a good step. It’s good for the card brands to enforce security, but it’s impractical to expect 5 million retailers to become security experts.”
In reality, the TJX breach is not so much an example as it is a test. Corporate America has long insisted that self-regulation, not government intervention, is the cure for what ails information security. Government regulations, they claim, tend to be poorly crafted and difficult to enforce; they turn into needlessly expensive exercises in bureaucratic paperwork. In response to the threat of such legislation, industry sectors have attempted to police themselves by establishing either voluntary guidelines or ones imposed by business partners. (See “Security Standards for Power Companies.”)
The PCI program is the largest, most ambitious of such efforts to date. Last autumn, American Express, MasterCard, Visa and other highly competitive rivals came together to fund an independent PCI Security Standards Council, which will promote and drive a single data-security standard. In the midst of a steady stream of credit card breach announcements from companies large and small, the message the card associations wanted to send was clear: They are doing something about the problem.
But will it be enough?
“Remember, the reason the PCI standard exists is to avoid legislation from Congress,” longtime CISO John Kirkwood says plainly. Kirkwood is no stranger to PCI. The former CISO of American Express, he is now global information security officer for $52 billion Dutch grocery-store chain Royal Ahold, where he has to make sure that subsidiaries such as Stop & Shop comply with the standard. He has dealt with his own recent security breach, involving checkout equipment tampering in at least six Stop & Shop stores in Rhode Island and Massachusetts.
“The credit card companies said, hey, wait a second, you don’t have to legislate us. We’ll regulate ourselves,” Kirkwood continues. “It’s going to be very interesting to see what happens in light of the TJX incident. I can see another [Gramm-Leach-Bliley Act], another Sarbanes-Oxley coming.” Indeed, soon after the breach was disclosed, as TJX-related cases of fraud started to surface, legislators began pointing to the incident as further proof that Congress must take action.
All of which means that it’s showdown time in the battle between government regulation and preemptive industry self-regulation. Businesses that accept, process and enable credit card transactions will have to convince legislators (not to mention the American public) that the PCI program is going to prevent data breaches. If they can’t, the implications will reach far beyond the payment card industry, as the PCI standard goes down in history as nothing more than a crash test of private industry’s ability—even under the best possible circumstances—to regulate itself.
A Sharp Stick
The roots of the PCI standard date back to the summer of 2000, when Visa unveiled its “Digital Dozen” of rules that merchants needed to follow in order to accept its credit and debit cards. The requirements ranged from installing firewalls to encrypting data to restricting physical access to cardholder information. “Eventually, if we don’t have proof from an independent third party that you qualify with our requirements, we really don’t want you to take the card,” a Visa executive told CIO magazine (a sister publication to CSO) in 2002.
Visa, it was clear, had an especially pointy stick with which to prod its business partners—and, with its cards accepted at millions of locations worldwide, an especially far-reaching group of business partners who could be prodded. American Express, Discover and MasterCard soon whittled similar sticks to prod far-reaching business partners of their own. Compared with, say, the federal government’s ineffectual attempts to enforce the Health Insurance Portability and Accountability Act, card companies’ chances of success seemed promising. They had both resources and commercial clout. “Ultimately the reason companies need to be able to comply with PCI is that Visa and MasterCard have the ability to cut them off,” says Mark Rasch, a former federal prosecutor who’s now a computer security consultant. “You could pay a fine. If you’re a large financial company, you could pay a fine of a million dollars. But if they told you tomorrow that you can’t process credit cards, you’re out of business.”
Not surprisingly, though, merchants balked. As the standards from the various card associations grew and took shape, merchants had two main complaints: first, that there were too many standards, and second, that they had insufficient input into how standards were formed.
“Merchants had to certify with each brand,” explains Julie Fergerson, cofounder and board member of the Merchant Risk Council, a trade association. “Each of the four were coming up with their own individual products and weren’t necessarily talking to one another.”
To address these concerns, more than half a decade after Visa’s Digital Dozen was created, rival card companies came together to form an army of sorts. The PCI Security Standards Council was created last September as a joint agreement between American Express, Discover, JCB, MasterCard Worldwide and Visa International. Each of the companies contributed seed money and agreed to push jointly for a single set of security requirements—this being the PCI Data Security Standard, which still has 12 main criteria that encompass installing firewalls, encrypting data and restricting physical access to cardholder information, among other things. A primary goal of the common standard is to prevent merchants from ever storing all the data on a card’s magnetic strip, which may contain private cardholder information as well as PINs and the printed security codes that help merchants authenticate online transactions. (See PCI To-Do List for highlights of the standard.)
With the creation of the council, all suggestions and changes to the rule book are now funneled through this group. Furthermore, the council determines which auditors are qualified to perform PCI assessments and which vendors are qualified to perform scans for vulnerabilities or misconfigurations in an organization’s infrastructure. Eventually, says chairwoman Seana Pitt, the council’s funding will come not from the card associations but from training and certification fees.
“What we’re evolving to is becoming a center of excellence,” says Pitt, who is also a vice president at American Express. “Anybody who has questions about interpreting the standard or suggestions on making it better will come to us, whereas in the past they would talk to the individual brands.”
The sticks, meanwhile, stay in the hands of the individual card associations. That’s because the standards council itself has no enforcement capability. In fact, when asked in January about current compliance levels, Pitt admitted that the council has no numbers to benchmark against. Instead, members will measure their success based only on feedback from the card companies and members.
“We actually get the happy part of driving education and compliance,” Pitt says. “Or the proactive part,” she clarifies.
At Marriott International, Chris Zoladz is among those who are working to comply with the PCI standard. The $12 billion hotel chain has been working on the standard over the past few years, but “it’s quite an undertaking to get to the point of full compliance,” says Zoladz, who is Marriott’s vice president of information protection and privacy.
One pain point is the encryption requirement. Although Marriott has long been encrypting data while it’s in transmission, the PCI standard also requires that data be encrypted at rest, something Marriott had not been doing because other protections were in place. Card data is initially saved in a central reservation system but later gets passed on to a property management system for the individual hotel where the customer has booked a room. The challenge, Zoladz says, is to encrypt the data as it is stored in both places while still allowing the systems to talk to one another.
Another pain point is the requirement for two-factor authentication. The standard stipulates that a user name and password are not enough to authenticate an employee, administrator or third party who gains remote access to any system that holds debit or credit card data. In addition, the merchant must set up a second factor of authentication, such as tokens or biometrics. That’s no small undertaking for a company with a large, dispersed workforce like Marriott’s.
Not that Zoladz is complaining about the changes, mind you. “I think the standard is pretty solid,” he says. “When I look at each of the requirements in the standard, a lot of what’s in there is very consistent with what you find in the ISO 17799 standard or what you would find in any of the various articles and publications around best practices in information security.”
Likewise, at CheckFree, Vice President and CSO Ed Sarama is still working on his company’s PCI compliance. “Nothing is easy in the IT world,” says Sarama, whose $880 million company does payment processing for many of the United States’ largest banks. “We like for everything from a consumer perspective to be magical, but there’s a lot of work behind the scenes, and this is no exception.”
Sarama says the main challenge he’s having is that the standard is a moving target. For instance, last autumn, the PCI Security Standards Council made some changes to retention requirements that affected CheckFree. Now, an audit trail of all access to cardholder data and network resources must be available online for three months and offline for another nine months, which means that CheckFree has to invest in additional online storage devices. Another change means that CheckFree must put application firewalls in front of its Web servers; Sarama has to figure out how to do this in a way that won’t cause any applications to fail.
On any given point, the fallback to meeting the letter of the law is meeting the spirit of the law. In PCI-land, this is known as a “compensating control.” Ken Rowe, a principal of the consultancy Chief Security Officers, and a certified PCI assessor, knows all about compensating controls. For instance, he’s working with one city government whose network isn’t segmented with firewalls, as the PCI standard requires. That means that the entire network must be in compliance with the standard—not just the portions of it, such as the ticketing application for the performing arts center, that actually house card data.
“There are other compensating controls in place, like VLANs and access control, that prevent someone from another department accessing credit card numbers,” Rowe says. “But the standard calls for segmentation using firewalls,” so that’s what the city government is working on.
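The scoping consequence Rowe describes (no firewall segmentation means the whole network is in scope, while VLANs and access lists alone do not shrink it) is easy to get wrong on paper, so here is an added example, not from the article or from the city government in question, that computes PCI scope over a constructed network model. Segments are nodes, links carry the control that separates them (`firewall`, `vlan`, or `flat`), and scope propagates from the cardholder-data segment across every link that is not a firewall. The segment names, host counts and topology are invented for illustration.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# A link between two segments and the control that separates them.
# Only "firewall" is treated as a scope boundary; "vlan" and "flat" are not,
# matching the assessor's position that VLANs and ACLs are compensating
# controls rather than the segmentation the standard calls for.
Link = Tuple[str, str, str]


def in_scope_segments(segments: Iterable[str], cde: Set[str], links: List[Link]) -> Set[str]:
    """Breadth-first spread of scope from the CDE across non-firewall links."""
    adjacent: Dict[str, Set[str]] = {s: set() for s in segments}
    for a, b, control in links:
        if control != "firewall":
            adjacent[a].add(b)
            adjacent[b].add(a)
    seen = set(cde)
    queue = deque(cde)
    while queue:
        current = queue.popleft()
        for neighbour in adjacent[current]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def in_scope_host_count(hosts_per_segment: Dict[str, int], cde: Set[str], links: List[Link]) -> int:
    """Number of hosts that an assessor would have to test against the full standard."""
    scoped = in_scope_segments(hosts_per_segment, cde, links)
    return sum(hosts_per_segment[s] for s in scoped)


# Constructed city-government network: five segments, one of which (the
# performing-arts ticketing system) actually handles card data.
HOSTS = {"ticketing": 12, "corporate": 400, "parks": 60, "library": 150, "finance": 80}
CDE = {"ticketing"}

# Before: every department hangs off the corporate backbone on VLANs only.
LINKS_VLAN_ONLY: List[Link] = [
    ("ticketing", "corporate", "vlan"),
    ("parks", "corporate", "vlan"),
    ("library", "corporate", "vlan"),
    ("finance", "corporate", "vlan"),
]

# After: the ticketing segment sits behind a firewall; the rest is unchanged.
LINKS_FIREWALLED: List[Link] = [("ticketing", "corporate", "firewall")] + LINKS_VLAN_ONLY[1:]


if __name__ == "__main__":
    for label, links in (("VLANs only", LINKS_VLAN_ONLY), ("firewalled CDE", LINKS_FIREWALLED)):
        scoped = sorted(in_scope_segments(HOSTS, CDE, links))
        print(f"{label}: in scope = {scoped}, hosts to assess = {in_scope_host_count(HOSTS, CDE, links)}")
```

With VLAN-only separation every segment, all 702 hosts, falls inside the assessment; once a firewall separates the ticketing segment, scope collapses to the 12 hosts that actually touch card data. The model deliberately ignores ACLs when deciding scope, which is the conservative reading an assessor applies; it says nothing about whether those ACLs are good security, only that they do not reduce what must be assessed.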
Some of the technical issues may work themselves out sooner rather than later. For instance, at PayPal, CISO Michael Barrett—another American Express alum—is trying to figure out what to do about the standard’s vague stance on whether Unix servers must have antivirus software installed.
“PCI says this [need for antivirus control] is more applicable if you’re running Windows servers and less applicable if you’re running Unix servers,” says Barrett, whose company, an eBay division, processed $37.8 billion in online payments during 2006. “It doesn’t actually say, if you’re running a Unix server you’re exempt from the requirement. You get into discussions with auditors about whether it’s enough. I expect PCI to mature over the next year or so, so that those discussions become much more routine.”
Likewise, the vulnerability that Stop & Shop dealt with, involving criminals who tampered with the equipment customers use to swipe their credit cards and input PINs, is not currently addressed in the PCI standard. “I think the standard will mature,” Kirkwood says, “and as it matures, it will be more comprehensive.” (For details, see “Bolting on Security at Stop & Shop” at CSOonline.com.)
The bigger issue for CSOs, however, may be the nature of the discussions with the standards council, and how united a front the credit card associations are really presenting.
Barrett and Kirkwood both mention that a PCI audit acceptable to one card association does not always satisfy the other associations. Kirkwood says, “It’s the same standard, but it’s not like you can say you’re PCI-compliant and then you’re done for all the entities. Why don’t we have one PCI assessment of Ahold, and have that apply to everyone? I think that’s the way we’re going to evolve; we’re just not there yet.” Kirkwood thinks he understands the reasons why. “At American Express, we couldn’t rely on Visa certification, because if something happens to the merchant, then American Express would be in a really bad situation, saying they relied on what Visa did. The public would say, why did you do that?”
Council or no, Kirkwood says, it’s simply hard for any one body to take on that kind of responsibility. “If a central organization says, ‘We certify ChoicePoint,’ who gets sued when ChoicePoint has a problem? If you did that, you would have to have a limitation of liability that says something like, ‘We’ll review them, but don’t hold us accountable if something happens to them.’ Therefore the certification doesn’t mean too much.”
Suddenly, government intervention doesn’t sound like such a crazy idea.
The Best of All Possible Standards?
Of course, there are a raft of reasons why government intervention doesn’t work much better than the PCI standard. Look no further than HIPAA, which contains both security and privacy provisions for healthcare organizations. Despite the fact that the law is more than a decade old, there have been no fines to speak of, leaving some organizations scratching their heads about why they should bother complying. Meanwhile, federal CIOs and CISOs complain that the 2002 Federal Information Security Management Act has turned into nothing but an exercise in completing paperwork, rather than improving security. The one piece of federal legislation that did prompt widespread work on information security controls—the Sarbanes-Oxley Act—stemmed from one small section, 404, and corporate America is currently in rebellion that the end has not justified the multimillion-dollar means. The problem is always an economic one—not that compliance costs too much money, precisely, but that the money it costs isn’t worth spending.
The challenge for the card associations now is twofold: to prove the value of the PCI standard in and of itself, and to create an incentive system that gives organizations the final shove if the standard on its own doesn’t provide enough value. One-time compliance incentives may simply be too small. Visa’s $20 million incentive could be split up by as many as 33 merchant banks, which could then choose (or not choose) to pass on the incentives to thousands of their merchant customers. And even fines may not be enough. Visa, for instance, levied $3.4 million in fines in 2005 and $4.6 million in fines in 2006. But compliance likely would have cost fined organizations even more.
“It’s kind of like, you can drive a car without car insurance, but if something happens you’re going to be in big trouble,” says Rowe, of Chief Security Officers. “I think a lot of [merchants] are accepting the risk and hoping the controls they have in place will prevent a breach even though they may not be in compliance.”
The associations, leery of exercising their death penalty, have done so only once. After hackers accessed some 40 million card numbers stored by payment processor CardSystems Solutions in 2005, both Visa and American Express cut off the company’s ability to process payments. The company went into bankruptcy, where its assets were acquired by Pay By Touch. CardSystems disappeared.
More encouragingly, Visa has announced that it will start making PCI compliance a requirement for some reductions in the interchange fees it charges to merchants who accept credit card payments. This is more a backward penalty than a new incentive: A merchant that currently qualifies for the reduced fee, known as tiered interchange, could lose that reduction because it’s not PCI-compliant. Visa’s Perez says the largest merchants could stand to lose millions of dollars annually. “It’s a very compelling incentive,” he says.
Count on chief security officers—risk managers at heart—to look at all these changes pragmatically. “If I was going to get fined $5 million but I brought in $150 million in business, that’s fine,” Kirkwood says, speaking hypothetically. “It becomes a cost of doing business.” A bigger motivator, however, is interchange fees. “That impacts the profit per transaction, which has a much bigger potential than anything else.”
Since announcing the changes, Visa has seen some increase in its compliance rates. Among what are known as Level 1 merchants, which process more than 6 million Visa transactions per year, compliance rose from 36 percent in December 2006 to 40 percent in January 2007. Among Level 2 merchants, which process between 1 million and 6 million Visa transactions each year, compliance inched up to 16 percent from 15 percent since the Level 2 requirements took effect in July 2006.
In the same time period, however, calls for regulatory action stepped up even more quickly. Shortly after the TJX breach disclosure, Barney Frank, chairman of the House Financial Services Committee, issued a stern rebuke, calling the incident “further evidence” of Congress’s need to intervene. “[T]hose institutions where breaches have occurred must be identified and they must bear responsibility,” the Massachusetts Democrat said in a statement. “Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today.”
No one really wants more regulation; everyone just wants the security breaches to stop. Jay White, global information protection architect at Chevron, where some business units must comply with the PCI standard, isn’t alone in pointing out that it would, in theory, be easier for private industry to police itself. “There are times when you are applying resources just for government compliance as opposed to having it add any business value,” White says. “I would rather have industry be self-regulated, until companies demonstrate that they can’t self-regulate.”
The PCI standard is corporate America’s big chance to demonstrate that it can self-regulate. The question now is, How long before it will have proven just the opposite?