In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry’s data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent.
An undisclosed number of transaction records from TJ Maxx, Marshalls and other TJX stores had been compromised. “Removed” by intruders, even. Exactly which records, when and by whom, the $16 billion retailer was unsure, although The Wall Street Journal later put the number of affected credit cards at more than 40 million. Behind the scenes, TJX executives began working with law enforcement and additional outside security experts to try to identify and fix the problem, prior to a January announcement of the breach.
Meanwhile, in San Francisco, Visa was going public with an announcement of its own. Technically, if its merchants aren’t compliant with the Payment Card Industry (PCI) Data Security Standard, Visa can cut off their ability to accept Visa cards—a death sentence for commerce. Despite deadlines that had come and gone, however, only 36 percent of Visa’s largest merchants were following the rules. So starting in April, banks whose retail customers were in compliance and had not suffered security breaches would be eligible to receive funds from a pool of up to $20 million. In addition, Visa warned, it would increase fines to banks whose retail customers were not compliant and make PCI certification a requirement for some pricing discounts.
As far as Visa is concerned, the standard is working—if only merchants would adopt it. “To date we have not seen that a PCI-compliant entity has been compromised,” Eduardo Perez, vice president for payment system risk at Visa, told CSO in January. Although he would not comment on the TJX incident specifically, he continued: “In every instance we’ve dealt with, compromised entities have not been compliant with PCI.”
For critics, however, the TJX breach proves something else entirely. “It’s a perfect example of where the PCI program is not working,” says Avivah Litan, vice president and research director at Gartner. “It’s a good step. It’s good for the card brands to enforce security, but it’s impractical to expect 5 million retailers to become security experts.”
In reality, the TJX breach is not so much an example as it is a test. Corporate America has long insisted that self-regulation, not government intervention, is the cure for what ails information security. Government regulations, they claim, tend to be poorly crafted and difficult to enforce; they turn into needlessly expensive exercises in bureaucratic paperwork. In response to the threat of such legislation, industry sectors have attempted to police themselves by establishing either voluntary guidelines or ones imposed by business partners. (See “Security Standards for Power Companies.”)
The PCI program is the largest, most ambitious of such efforts to date. Last autumn, American Express, MasterCard, Visa and other highly competitive rivals came together to fund an independent PCI Security Standards Council, which will promote and drive a single data-security standard. In the midst of a steady stream of credit card breach announcements from companies large and small, the message the card associations wanted to send was clear: They are doing something about the problem.
But will it be enough?
“Remember, the reason the PCI standard exists is to avoid legislation from Congress,” longtime CISO John Kirkwood says plainly. Kirkwood is no stranger to PCI. The former CISO of American Express, he is now global information security officer for $52 billion Dutch grocery-store chain Royal Ahold, where he has to make sure that subsidiaries such as Stop & Shop comply with the standard. He has dealt with his own recent security breach, involving checkout equipment tampering in at least six Stop & Shop stores in Rhode Island and Massachusetts.
“The credit card companies said, hey, wait a second, you don’t have to legislate us. We’ll regulate ourselves,” Kirkwood continues. “It’s going to be very interesting to see what happens in light of the TJX incident. I can see another [Gramm-Leach-Bliley Act], another Sarbanes-Oxley coming.” Indeed, soon after the breach was disclosed, as TJX-related cases of fraud started to surface, legislators began pointing to the incident as further proof that Congress must take action.
All of which means that it’s showdown time in the battle between government regulation and preemptive industry self-regulation. Businesses that accept, process and enable credit card transactions will have to convince legislators (not to mention the American public) that the PCI program is going to prevent data breaches. If they can’t, the implications will reach far beyond the payment card industry, as the PCI standard goes down in history as nothing more than a crash test of private industry’s ability—even under the best possible circumstances—to regulate itself.
A Sharp Stick
The roots of the PCI standard date back to the summer of 2000, when Visa unveiled its “Digital Dozen” of rules that merchants needed to follow in order to accept its credit and debit cards. The requirements ranged from installing firewalls to encrypting data to restricting physical access to cardholder information. “Eventually, if we don’t have proof from an independent third party that you qualify with our requirements, we really don’t want you to take the card,” a Visa executive told CIO magazine (a sister publication to CSO) in 2002.
Visa, it was clear, had an especially pointy stick with which to prod its business partners—and, with its cards accepted at millions of locations worldwide, an especially far-reaching group of business partners who could be prodded. American Express, Discover and MasterCard soon whittled similar sticks to prod far-reaching business partners of their own. Compared with, say, the federal government’s ineffectual attempts to enforce the Health Insurance Portability and Accountability Act, card companies’ chances of success seemed promising. They had both resources and commercial clout. “Ultimately the reason companies need to be able to comply with PCI is that Visa and MasterCard have the ability to cut them off,” says Mark Rasch, a former federal prosecutor who’s now a computer security consultant. “You could pay a fine. If you’re a large financial company, you could pay a fine of a million dollars. But if they told you tomorrow that you can’t process credit cards, you’re out of business.”
Not surprisingly, though, merchants balked. As the standards from the various card associations grew and took shape, merchants had two main complaints: first, that there were too many standards, and second, that they had insufficient input into how standards were formed.
“Merchants had to certify with each brand,” explains Julie Fergerson, cofounder and board member of the Merchant Risk Council, a trade association. “Each of the four were coming up with their own individual products and weren’t necessarily talking to one another.”
To address these concerns, more than half a decade after Visa’s Digital Dozen was created, rival card companies came together to form an army of sorts. The PCI Security Standards Council was created last September as a joint agreement between American Express, Discover, JCB, MasterCard Worldwide and Visa International. Each of the companies contributed seed money and agreed to push jointly for a single set of security requirements—this being the PCI Data Security Standard, which still has 12 main criteria that encompass installing firewalls, encrypting data and restricting physical access to cardholder information, among other things. A primary goal of the common standard is to prevent merchants from ever storing all the data on a card’s magnetic strip, which may contain private cardholder information as well as PINs and the printed security codes that help merchants authenticate online transactions. (See PCI To-Do List for highlights of the standard.)
With the creation of the council, all suggestions and changes to the rule book are now funneled through this group. Furthermore, the council determines which auditors are qualified to perform PCI assessments and which vendors are qualified to perform scans for vulnerabilities or misconfigurations in an organization’s infrastructure. Eventually, says chairwoman Seana Pitt, the council’s funding will come not from the card associations but from training and certification fees.
“What we’re evolving to is becoming a center of excellence,” says Pitt, who is also a vice president at American Express. “Anybody who has questions about interpreting the standard or suggestions on making it better will come to us, whereas in the past they would talk to the individual brands.”
The sticks, meanwhile, stay in the hands of the individual card associations. That’s because the standards council itself has no enforcement capability. In fact, when asked in January about current compliance levels, Pitt admitted that the council has no numbers to benchmark against. Instead, members will measure their success based only on feedback from the card companies and members.
“We actually get the happy part of driving education and compliance,” Pitt says. “Or the proactive part,” she clarifies.
At Marriott International, Chris Zoladz is among those who are working to comply with the PCI standard. The $12 billion hotel chain has been working on the standard over the past few years, but “it’s quite an undertaking to get to the point of full compliance,” says Zoladz, who is Marriott’s vice president of information protection and privacy.
One pain point is the encryption requirement. Although Marriott has long been encrypting data while it’s in transmission, the PCI standard also requires that data be encrypted at rest, something Marriott had not been doing because other protections were in place. Card data is initially saved in a central reservation system but later gets passed on to a property management system for the individual hotel where the customer has booked a room. The challenge, Zoladz says, is to encrypt the data as it is stored in both places while still allowing the systems to talk to one another.
Another pain point is the requirement for two-factor authentication. The standard stipulates that a user name and password are not enough to authenticate an employee, administrator or third party who gains remote access to any system that holds debit or credit card data. In addition, the merchant must set up a second factor of authentication, such as tokens or biometrics. That’s no small undertaking for a company with a large, dispersed workforce like Marriott’s.
Not that Zoladz is complaining about the changes, mind you. “I think the standard is pretty solid,” he says. “When I look at each of the requirements in the standard, a lot of what’s in there is very consistent with what you find in the ISO 17799 standard or what you would find in any of the various articles and publications around best practices in information security.”
Likewise, at CheckFree, Vice President and CSO Ed Sarama is still working on his company’s PCI compliance. “Nothing is easy in the IT world,” says Sarama, whose $880 million company does payment processing for many of the United States’s largest banks. “We like for everything from a consumer perspective to be magical, but there’s a lot of work behind the scenes, and this is no exception.”
Sarama says the main challenge he’s having is that the standard is a moving target. For instance, last autumn, the PCI Security Standards Council made some changes to retention requirements that affected CheckFree. Now, an audit trail of all access to cardholder data and network resources must be available online for three months and offline for another nine months, which means that CheckFree has to invest in additional online storage devices. Another change means that CheckFree must put application firewalls in front of its Web servers; Sarama has to figure out how to do this in a way that won’t cause any applications to fail.
On any given point, the fallback to meeting the letter of the law is meeting the spirit of the law. In PCI-land, this is known as a “compensating control.” Ken Rowe, a principal of the consultancy Chief Security Officers, and a certified PCI assessor, knows all about compensating controls. For instance, he’s working with one city government whose network isn’t segmented with firewalls, as the PCI standard requires. That means that the entire network must be in compliance with the standard—not just the portions of it, such as the ticketing application for the performing arts center, that actually house card data.
“There are other compensating controls in place, like VLANs and access control, that prevent someone from another department accessing credit card numbers,” Rowe says. “But the standard calls for segmentation using firewalls,” so that’s what the city government is working on.
Some of the technical issues may work themselves out sooner rather than later. For instance, at PayPal, CISO Michael Barrett—another American Express alum—is trying to figure out what to do about the standard’s vague stance on whether Unix servers must have antivirus software installed.