Collective Security & the Payment System June 11, 2012
Posted by Heather Mark in Laws and Legislation, PCI DSS, Politics. Tags: collective security, compliance, Dr. Heather Mark, InfoSec, InfoSec & Privacy, mark consulting group, PCI, PCI DSS, treaty of westfalia
I recently attended an event focused on payment security and fraud prevention. It was an outstanding event and the presentations and panels were incredibly valuable – not something that I frequently say about payment security events these days. However, one term came up a couple of times that got me thinking. That term was “collective security.” As many of you know, I have a background in public policy and my dissertation was, in fact, on US foreign policy and our strategic interests abroad, so the mention of collective security set off my poli sci radar. But I wondered if collective security was really an appropriate phrase for what we’re doing in the payments industry. To address that question, it is necessary to first define collective security in its traditional sense.
Collective security was first formally introduced by the Peace of Westphalia in 1648, a series of treaties that put an end to a number of wars that had been plaguing Europe. Very simply put, collective security is an arrangement in which all stakeholders agree that their security depends upon the security of each of the other stakeholders. As a result, the collective agrees to act in concert to address any threat to any member of the community. In addition, each member agrees that it is equally committed to the collective peace and will act to protect any member of the collective against the aggressive acts of another party. The collective also agrees to present a united force that would be sufficient to deter antagonists from attacking any member of the community, lest they provoke the entire community. Lastly, and perhaps most importantly, each member of the collective agrees that it will subordinate its own interests to that of the greater good. The United Nations and NATO provide examples of collective security in practice. With this definition in mind, though, can one describe the current state of affairs in the payments industry as one of collective security? Let’s break it down point by point.
Agreement that the security of any one member of the community impacts the security of all other members.
It seems that we’ve agreed that there are weak links in the chain. For example, it is commonly agreed that a processor or merchant that does not adequately protect data might put that particular transaction chain at risk, but it seems debatable whether the industry at large believes that the insecure systems of Merchant A pose a risk to the security of Merchant B. Again, a principal component of collective security is the impact of one on the security of all. What is not debatable is the financial chain – a breach means a showering of fines from the card brands to the acquirer to the merchant or service provider. In that respect, a breach of one entity can have an impact on many. In fact, this phenomenon is so well recognized that the industry has developed tokenization as a means to mitigate risk to the merchant, and subsequently to the acquirers. If the merchant cannot be compromised, the acquirer cannot be fined. So while we can’t agree that lack of security may be contagious – one insecure merchant leads to another – we can agree that the butterfly effect of a breach can be far-reaching. It is in everyone’s interest, then, to secure data.
Agreement that the collective will act to protect any member of the community against the aggression of another party.
This is a controversial point, but I will play devil’s advocate here. It can be said that the card brands, in recognizing the growing epidemic of card data breaches and their repercussions, recognized the need to protect the industry at large by adopting a minimum standard of data protection for those that come into contact with payment data. I know that some will say it is more of a self-serving move, a risk management program for the brands, but consider for a moment the action in terms of collective security. Very few companies initiate security measures out of altruism. Most need to be incented, to put it nicely, into adopting something that has very little tangible ROI. In this instance, could it be said that the implementation of the PCI DSS was to protect community stakeholders from the aggression of data thieves? And how about tokenization and P2PE? Recognizing, perhaps, that merchants (and in particular small merchants) may have difficulty in protecting large volumes of data, many companies began offering technologies that would protect merchants, back office providers, application providers and others from data thieves. In this respect, could the adoption of standards and new technologies be said to have been taken in the interest of protecting the industry against aggression?
The collective will present a united front to deter aggression.
Even assuming agreement on the first two points, it is here that the notion of collective security begins to break down. While the industry has adopted new technologies and standards to protect against data thieves, very few operate under the illusion that this adoption is a sign of absolute accord on the best way to address data security. The industry has fragmented into a very “us against them” mentality, with fault lines cropping up on a seemingly regular basis. There is little agreement as to whether the standards or the technology are sufficient protection and many feel that there is uneven adoption and enforcement. Such fragmentation hardly presents a united front, and frankly there is little evidence that a united front actually would deter the aggressors in this instance.
Each member will subordinate its own interests in the name of the greater good.
I’m not sure that we need much discussion on this point. In a capitalist market it is unreasonable to expect any organization to subordinate its interests (profit, revenue, shareholder value) in the interest of the greater good.
So in the final analysis, while it is good for all stakeholders in the industry to secure cardholder data, it can hardly be called an exercise in collective security, in the true sense of the word. That being said, the notion of collective security is something for which we should strive. More dialogue, information exchange and education can only help in that effort.
Heather Mark
A good example of true ‘Collective Security’ approaches to PCI DSS can be found in franchise communities. Because they share similar (if not exact) environments, and the fact that they all operate under the same name, this approach is gaining traction among franchisers and franchisees alike.
Agreement that the security of any one member of the community impacts the security of all other members.
– If a franchise in California is breached, the news story will not be “West Coast Eats LLC gets breached”, it will most certainly carry the franchise name. Social media has dramatically accelerated the spread of information, and a friend in California might post a link to a story like this on a blog or Facebook. Now their friend in Virginia sees the posting and, while looking for a place to grab a quick lunch, will most likely have second thoughts about going through the drive-through of their local franchise, even if it isn’t owned by the same franchisee.
Agreement that the collective will act to protect any member of the community against the aggression of another party.
– More and more, corporate franchisers are pushing PCI DSS and the franchise communities are pushing one another to get and maintain compliance. These collectives are able to negotiate a lower cost-per-member for various technology and/or services toward this end. Though each individual franchisee may, in some cases, have to ‘pay their own freight’, the act of banding together to offer more affordable solutions to PCI does, I believe, meet this definition.
The collective will present a united front to deter aggression.
– Many franchisers are now requiring/mandating compliance among their franchise community. In most cases, this effort is accompanied by a ‘preferred’ or ‘recommended’ solution (or set of solutions). The majority of franchisees tend to take advantage of these and, from that standpoint, they present a united front. At a more elementary level, the mere fact that there are requirements to achieve and maintain compliance is, in itself, a united front.
Each member will subordinate its own interests in the name of the greater good.
– Given the mandates or requirements for compliance, and the fact that the vast majority of small businesses would prefer to spend their time and money on other things, I would argue that, in some cases, franchisees are certainly subordinating their own interests in the name of the greater good.
Given the fact that Food and Beverage is consistently one of (if not the top) targets of cyber criminals, the collective security approach is an entirely valid means of managing the risk for all members of a franchise community. In many other organizational models, however, I would agree that this approach does not lend itself to their reality or business model.