
Collisions likely over PCI 3.0

Oct 22, 2013

New standards are meant to 'help' merchants, but experts say they are more about protecting credit card companies

In the ongoing cat-and-mouse game over the protection of credit card data, the Payment Card Industry’s (PCI) stated goal for its 700-plus participants – card companies, banks, payment processors, hardware and software developers, merchants and assessors – is to avoid being the mice.

Or, at the least, for them and millions of individual card holders to be very well-protected mice.

But a portion of the security community believes that its real goal is not equal protection for all stakeholders, but much more of it for its founders – five major credit card companies – at the expense of the rest. The impending new PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS), Version 3.0 will do little or nothing to change that, they say.

A preview of highlights of the proposed changes was published last month by the PCI Security Standards Council (PCI SSC) and a draft version went to Participating Organizations (PO) Sept. 12. The draft will be discussed next week, Sept. 24-26, at the council’s North American Community Meeting in Las Vegas.

The final version is scheduled to be issued Nov. 7 and take effect Jan. 1, 2014, although Version 2.0 will remain active until the end of 2014.

In the preview of highlights, the council says that the new standards, based on feedback from participating organizations, are designed to improve education and awareness around payment security, to improve “implementation and maintenance of the PCI standards…[and] to help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities.”

Among the changes are requirements for organizations to show how cardholder data flows through their systems; stronger passwords and password management; new requirements for point-of-sale terminals; and expanded software development security requirements including threat modeling.

These will be accomplished with, “increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform,” and give organizations, “a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments,” the council said.

Rich Mogull, analyst and CEO at Securosis, and a former research vice president at the research firm Gartner, is not impressed. In a recent blog post, he noted that, in the new standards, “penetration testing is a requirement. If they are serious about this I am not sure how that will play out for the SMB side of the world.”

He also wrote that the idea that every organization can be expected to maintain 24/7 compliance with PCI DSS standards is a major stretch. “PCI isn’t totally worthless, but I don’t expect much practical improvement to come out of the 3.0 updates,” he wrote. “These are very reasonable holes to address, and will help, but we may be about to burden many organizations with activities they cannot possibly support. Start your SaaS engines now…”

In an interview, Mogull said another problem is the punitive element of the system, illustrated by PCI SSC general manager Bob Russo’s claim that no business compliant with PCI standards has ever been breached.

In more than one post over several years, Mogull has called that claim, “a load of [expletive],” insisting that if a company that has PCI certification is breached, the PCI SSC then retroactively revokes its compliance certification, “often due to the victim not checking log files on a daily basis or something similar…you can always find something someone missed.”

This, he contends, is because while PCI standards have helped in some measure to improve security, they remain more about protecting the card companies from the liabilities arising from breaches, with all the other players coming in “a distant second.”

Russo could not be reached for comment. A spokeswoman for the PCI SSC said the organization was “in a mad dash this week getting ready for our Community Meeting.” But she recommended several other analysts who had been briefed on the changes who, while agreeing in part with Mogull, were not nearly as ferocious in their criticism.

Derek Brink, vice president and research fellow, Aberdeen Group, is one of several who say the disagreement may in part be a matter of semantics. “Since certification of compliance is at some specific point in time, Bob Russo may be trying to assert that if the company was fully compliant with PCI DSS at the precise time of the breach, then the breach would not have happened,” he said.

But he and virtually everybody in the security community have asserted for years that “compliance is not security,” and that being compliant on the day of an assessment does not guarantee compliance even on the following day. “IT infrastructure – card processing environments – can be extremely complex, and changes all the time,” he said. “I may have been compliant last Tuesday at 3 p.m., but systems may have been updated and configurations may have changed since then.

“Another truism we’ve all heard is, ‘there’s no such thing as 100% security,’” Brink said. “So whether Russo is right or wrong about his assertion, it doesn’t mean that PCI DSS compliance is a guarantee against a breach.”

Michael Whitcomb, founder and president of Loricca, agrees, noting that having the correct systems and policies in place doesn’t eliminate the human factor. “Most breaches are caused by human error or failure to follow proper procedure,” he said. “If those result in the company being non-compliant then it would be impossible for any organization ever to be compliant.”

Torsten George, vice president, worldwide marketing, products, and support at Agiliance, also says it is mostly a semantic debate, noting that even though specific controls and requirements are supposed to be continuously updated through the year, most organizations drop their intense focus on compliance once they have been certified, “until the next audit cycle starts.”

“According to Verizon’s Payment Card Industry Compliance Report the majority of organizations fall out of compliance within the first 60 days after certification and at the time a breach might occur, this number is even looking worse,” he said.

This, he said, is in part because of a certification process that, “propagates a check-box mentality. Once a year a regulator or standards body requires the organization to prove that it is compliant.”

He agrees that there is no such thing as 100% security, but said if the new standards can enable compliance as a daily, “business as usual” thing (one of the goals of the new standards), it could reduce the risk of breaches substantially.

Alphonse R. Pascual, senior analyst, security risk and fraud, Javelin Strategy & Research, agrees. “PCI compliance does not make an organization impervious to breaches, only resistant,” he said.

Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, notes that PCI DSS is up front about its compliance requirements. The standards, “clearly state that merchants are responsible for maintaining compliance at all times,” he said. “If you approach PCI as an annual exercise, the chance of you falling out of compliance is near certainty.”

But is it fair – even possible – for organizations of varying sizes and profitability to maintain 100% compliance when the threat environment is changing daily?

Brink said he has little sympathy for merchants, “who don’t implement even the most basic security controls,” but is sympathetic about the difficulty of maintaining 100% compliance. “For many merchant organizations, the complexity and cost of addressing security and payment card compliance requirements can be so difficult that it is simply beyond their reach,” he said.

Pascual contends that, as “complicated and complex” as constant compliance can be, it is in the best interests of merchants. It is not just the risk of fines or sanctions from PCI DSS that can hurt them, he said. “When this information is compromised, it is often used to make fraudulent purchases at merchant locations or via e-commerce sites. In addition, merchant brands suffer reputational damage.”

A resolution to the conflict does not seem likely, at least in the near future. At least some merchants are rebelling against what they perceive as a system designed to protect cardholders at their expense. Sports clothing retailer Genesco filed a $13 million suit against Visa in March seeking to overturn fines it said were unfair and unenforceable because there was no proof that a breach had resulted in credit card data being stolen.

In August the parties told a federal judge they had been unable to settle the case. “It seems that it will take some more time to resolve,” George said.

But Mogull said he thinks the case could be precedent setting. If Genesco is successful, he said, “there will likely be a flood of similar cases.”

Another potential source of conflict is Russo’s statement, in a recent webcast about PCI Version 3.0, that most mobile devices are not PCI DSS compliant, so any merchant using them, or accepting payments from customers using them, does so at its own risk.

Analysts also are dubious that Version 3.0 of the PCI standards will produce a revolution in security. “Unfortunately, the majority of organizations are still using a check-box mentality as part of a compliance-driven approach to security,” George said. “I have not seen any indication that PCI DSS 3.0 will bring about a major shift to a risk-based approach. The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.”

But they do have some suggestions for improvement. Chuvakin said the PCI SSC should ask whether a post-breach control assessment is “more diligent than a typical routine QSA control assessment?” (a QSA, or Qualified Security Assessor, is the third party that performs the routine on-site assessment).

Brink suggests a different model, comparing the storage of information by individual companies to people storing valuable information in their homes and being required to meet a detailed set of standards to protect it. “Eventually, someone would ask the obvious question: why must this valuable information continue to be stored in our individual homes?” he said. “Wouldn’t it be more cost-effective, and ultimately more successful, to store and protect the valuable information in fewer, centralized, secure locations?

“This is one of the attractions of technologies such as ‘tokenization’ of data,” he said, “a process which substitutes unique, randomly generated values to reference payment card numbers or other sensitive or secret data that are typically stored in a secure off-site facility, eliminating the need for merchants to store and protect actual cardholder data.”
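To make concrete what Brink is describing, here is an added example of a minimal tokenization service. It is illustrative code written for this page, not code from the PCI SSC, Aberdeen Group or any tokenization vendor, and the class and function names (TokenVault, tokenize, detokenize, merchant_record) are hypothetical. The merchant side of the exchange keeps only a random token and the last four digits; the primary account number (PAN) exists only inside the vault. Two design choices are worth noting: tokens are drawn from a cryptographic random source rather than derived from the PAN, so a stolen token table reveals nothing, and a candidate token is rejected if it happens to pass the Luhn check, so a token can never be mistaken for, or misused as, a real card number. A production vault would encrypt the stored PANs under an HSM-held key and put detokenize behind strict authorization; that part is simplified here. The card number used in the demo is the well-known 4111 1111 1111 1111 test number, not real cardholder data.

```python
"""Toy tokenization vault (added example; all names are hypothetical)."""
import hmac
import re
import secrets

# Card brands issue 13- to 19-digit PANs; anything else is rejected up front.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by the card brands; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the centralized, off-site facility Brink describes.

    Real deployments encrypt the PAN column at rest and gate detokenize()
    behind authentication and authorization; both are omitted here.
    """

    def __init__(self) -> None:
        # Key for the reverse index so the vault never indexes on a raw PAN.
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random one if needed."""
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:          # same card, same token
            return self._token_by_fp[fp]
        while True:
            # Random digits in front, real last four kept so receipts and
            # customer service still work without touching the PAN.
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # Reject collisions and anything that passes Luhn: a token must
            # never be usable (or mistakable) as a card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Vault-only operation; raises KeyError for anything it did not issue."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant stores: a token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"customer": customer, "token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"        # constructed test number, not real data
    record = merchant_record(vault, "alice", test_pan)
    print("merchant stores:", record)
    print("vault resolves :", vault.detokenize(record["token"]))
```

Because every issued token fails the Luhn check, a stolen merchant database gives a fraudster nothing that an acquirer would accept as a card number, which is precisely why the merchant's cardholder-data environment shrinks: the PAN never enters it.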