Global Security, Privacy, & Risk Management

Standards Aren’t Security and We Shouldn’t Expect Them to Be January 11, 2012

Today I saw an article about the PCI DSS in which the author lamented that, although progress had been made, there were still significant flaws in the Payment Card Industry Data Security Standard. I have seen a great many articles centered on the same idea: Though good in theory, the PCI DSS is just too flawed to work. I would argue that, in many ways, the PCI DSS is doing exactly as it is intended. Now, I do have to take off my academia hat here a bit and admit that, without a comprehensive policy and  program evaluation, it is simply not possible to accurately determine the efficacy of the standard. We cannot determine that a certain population of individuals has been spared identity theft as a result the implementation of PCI DSS or rising compliance rates. What we have is anecdotal evidence that, despite the best efforts of the card brands, the Qualified Security Assessors and everyone involved in the payment transaction chain, data breaches continue to occur and may even be growing, in terms of frequency and magnitude. Since anecdotal evidence seems to be the central data point in these arguments, I’d like to share some anecdotal evidence of my own.

I’ve been involved in the payment card industry, and specifically in the security side of it, for too many years to admit. When we began working with Visa’s Cardholder Information Security Program (CISP), the predecessor to the PCI DSS, many companies had no data security programs in place. In fact, we would often see global ecommerce companies that didn’t run anti-virus or have properly configured firewalls. It was not uncommon to ask about incident response plans and have the IT supervisor respond with “we unplug.”  Literally, they would pull the Cat 5 cable from the wall and pull their entire site down until they could figure out the issue.

In the intervening years, we’ve seen the industry make significant strides in their understanding and awareness of security issues. Merchants, third-party service providers, even consumers, have come light years in terms of knowing the questions to ask, the technologies to employ and the policies to implement. Security discussions around the protection of cardholder data have evolved to a very sophisticated place. Ten years ago, discussion about what is or is not cardholder data were unheard of, whereas today they are almost commonplace. In that regard, the PCI DSS has been successful. Has it stopped any data compromises? It’s difficult to judge that, but it has certainly driven companies to take security seriously and the ensuing noise around the standard has driven, and continues to drive, technological innovation in the security space.

Yet the most significant flaw in the standard is not with the standard, per se. It’s with the dependence on the standard as a comprehensive security program. It is certainly up to the discretion of each company to determine how far beyond the standard they need to reach in order to address the threats in their environment. Yet each time a compromise occurs, the first thing we hear is that it is another failure of the standard. No standard, regulation, law or best practice, regardless of how well written it may be, is going to address every contingency. Certainly there is room for debate about whether a compliant company can be compromised, but let’s remember that the standard is necessarily vague in some areas to account for the wide variety of business models in the industry. If it were otherwise, we’d certainly hear about how the standard is too prescriptive (and that charge has been leveled at the standard with equal ferocity as the too vague accusation) and still does not prevent all the compromises.

The important thing to remember is the objective of the standard is the protection of cardholder data. If you, as an individual responsible for data security or compliance, recognize an area of risk to the company or its customers that is not addressed by the PCI DSS, it is your (and your company’s) fiduciary duty to act. Court cases are now wending their way through courts to determine whether or not there is an implied contract between companies and their customers. If such a decision is made, then PCI DSS or no, companies will be held responsible for the loss of that data, and likely for a broader swath of data than is contemplated in the PCI DSS. Compliance is not an excuse to cede control of your security program. While the PCI DSS has a lifecycle of three years, companies should be constantly evaluating their threat environment and ensuring that their security program adequately addresses the risks to the data.