PCI DSS and Piracy January 12, 2012
Posted by Heather Mark in PCI DSS, Piracy & Maritime Security. Tags: cybersecurity, Heather Mark, InfoSec, InfoSec & Privacy, Maritime Security, mark consulting group, PCI DSS, Piracy & Maritime Security
I’ve been reading quite a bit on piracy lately. Not the adventurous, swashbuckling tales of pirates flying down the Spanish Main, but piracy in its present form. From a purely detached perspective, it’s an interesting exercise in cause and effect. Natural disasters, for example, have an impact on the surge in piratical acts. The Christmas Tsunami left many Somali fishing villages devastated and took the last legal means of sustenance from many families that depended on fishing for their survival. As a result, they turned to piracy. Of course, that is not to say that Somali pirates are the Jean Valjeans of their day, the thief with the heart of gold doing only what is necessary to survive. These pirates are violent and aggressive and should not be coddled. The interesting comparison to the PCI DSS, in my mind, derives from the impact of the crime on the industry and the global reaction to the phenomenon.
Impact of the Crime
Piracy is a crime that has an impact on all consumers. Higher insurance rates, security contingents, longer routes and therefore higher fuel costs, and similar circumstances that result from piracy mean higher prices for consumers. Any costs that cannot (or will not) be absorbed by the manufacturer or the shipping company are passed on to the consumer. Similarly, data thieves have very definitely left their mark on the consumer. Those of us involved in the electronic payment industry recognize better than most the increased cost structure that has resulted from trying to achieve and maintain compliance with the PCI DSS and the countless data security, data breach notification and consumer privacy laws at play in the United States. Ongoing compliance and security monitoring, evaluating the threat landscape and the cost of validating compliance can quickly add up for companies. Organizations that are already seeing their margins get squeezed are required to spend additional resources on security and compliance to ensure the safety of consumers’ data. Those costs can sometimes be passed along to the consumer.
Global Reaction
Data security and piracy were both issues that “flew under the radar” until high-profile instances brought them to the public awareness. In the world of transoceanic shipping, the issues that brought awareness were a couple of kidnappings for ransom and the hijacking of the Maersk Alabama. It’s important to note, however, that even before these incidents, the shipping industry and governments worldwide were working on standards and regulations that would mitigate the problem. The reaction from the industry should sound very familiar to veterans of the PCI DSS compliance world: “The standards are too prescriptive.” “The standards were written by people that don’t really understand the issues.” “How are you going to ensure that everyone is complying with these standards?” “The cost of complying with the standards is too burdensome for small companies.” These concerns should resonate with payment security professionals. The same questions and concerns are often raised about the PCI DSS.
For the payment industry, the events that really brought public awareness were a couple of high-profile data breaches at well-known retailers. The question really is, though, “What is the alternative?” If neither industry had done anything to address these growing issues, the constituents in the industry would have raised the alarm about the apparent lack of concern from the powers that be. The catch-22 of the creation and enforcement of the standards is that even though these standards achieve their objective of raising industry awareness and attempting to mitigate the risk of adverse events, the companies that suffer piracy attacks or data breaches are still often cast as the villain (as opposed to the victim) in the scenario.
What’s the Answer?
That is the crux of the matter: are the issues of data security and high seas piracy “solvable?” There are a variety of issues that drive the increase in both crimes. Economic stability, the ability of governments to project their authority into these areas, jurisdictional cooperation and other factors drive the growth of both types of crime.
While I cannot confidently address permanent solutions to either problem, I can suggest a shift in perspective. In the realm of data security and payment security, practitioners often attempt to solve the problem by layering more and more technology in front of the sensitive data. Tokenization is one example of how a shift in perspective can provide alternative solutions. Extracting the value from the data makes it significantly less attractive to thieves. So instead of asking, “How can we keep thieves from accessing the data?” one might ask, “What can be done in the transaction processing chain to render the data unusable to thieves?” We are currently retrofitting security onto a system that has been in place for fifty years. If we were to remove any preconceived notions of what a payment infrastructure should look like, what would we design?
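To make the tokenization idea concrete, here is a small added illustration (my own sketch, not anything from the original post or from any particular vendor) of a token vault: the PAN is kept in one place, and every downstream system in the processing chain sees only a random token that carries no cardholder value. The vault, its HMAC lookup key and the "tokens deliberately fail Luhn" rule are assumptions of this example.

```python
import hmac
import secrets
from hashlib import sha256


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; real PANs pass it, our tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: the only component that ever holds the real PAN.
    Everything past it (order history, analytics, support tools) stores the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan_hmac: dict[str, str] = {}
        self._lookup_key = secrets.token_bytes(32)  # hypothetical vault secret

    def _pan_hmac(self, pan: str) -> str:
        # Keyed hash so the lookup index itself reveals nothing about the PAN.
        return hmac.new(self._lookup_key, pan.encode(), sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        h = self._pan_hmac(pan)
        if h in self._token_by_pan_hmac:        # same card -> same token, so repeat lookups work
            return self._token_by_pan_hmac[h]
        while True:
            # Random digits carry no information about the PAN; the last four are
            # kept so receipts and support screens still work without the vault.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would pass Luhn, so a leaked
            # token can never be mistaken for (or used as) a live card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_hmac[h] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the settlement step, inside the vault's trust boundary, calls this."""
        return self._pan_by_token[token]
```

Where the token replaces the PAN, those systems drop out of the set of places a thief can harvest usable card data, which is the scope reduction the post is pointing at.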
Standards Aren’t Security and We Shouldn’t Expect Them to Be January 11, 2012
Posted by Heather Mark in InfoSec & Privacy, PCI DSS. Tags: cybersecurity, Heather Mark, ISO, mark consulting group, markconsultinggroup.com, PCI DSS, privacy, regulatory compliance, standard
Today I saw an article about the PCI DSS in which the author lamented that, although progress had been made, there were still significant flaws in the Payment Card Industry Data Security Standard. I have seen a great many articles centered on the same idea: though good in theory, the PCI DSS is just too flawed to work. I would argue that, in many ways, the PCI DSS is doing exactly what it is intended to do. Now, I do have to take off my academia hat here a bit and admit that, without a comprehensive policy and program evaluation, it is simply not possible to accurately determine the efficacy of the standard. We cannot determine that a certain population of individuals has been spared identity theft as a result of the implementation of PCI DSS or rising compliance rates. What we have is anecdotal evidence that, despite the best efforts of the card brands, the Qualified Security Assessors and everyone involved in the payment transaction chain, data breaches continue to occur and may even be growing, in terms of frequency and magnitude. Since anecdotal evidence seems to be the central data point in these arguments, I’d like to share some anecdotal evidence of my own.
I’ve been involved in the payment card industry, and specifically in the security side of it, for too many years to admit. When we began working with Visa’s Cardholder Information Security Program (CISP), the predecessor to the PCI DSS, many companies had no data security programs in place. In fact, we would often see global ecommerce companies that didn’t run anti-virus or have properly configured firewalls. It was not uncommon to ask about incident response plans and have the IT supervisor respond with “we unplug.” Literally, they would pull the Cat 5 cable from the wall and pull their entire site down until they could figure out the issue.
In the intervening years, we’ve seen the industry make significant strides in its understanding and awareness of security issues. Merchants, third-party service providers, even consumers, have come light years in terms of knowing the questions to ask, the technologies to employ and the policies to implement. Security discussions around the protection of cardholder data have evolved to a very sophisticated place. Ten years ago, discussions about what is or is not cardholder data were unheard of, whereas today they are almost commonplace. In that regard, the PCI DSS has been successful. Has it stopped any data compromises? It’s difficult to judge that, but it has certainly driven companies to take security seriously, and the ensuing noise around the standard has driven, and continues to drive, technological innovation in the security space.
Yet the most significant flaw in the standard is not with the standard, per se. It’s with the dependence on the standard as a comprehensive security program. It is certainly up to the discretion of each company to determine how far beyond the standard it needs to reach in order to address the threats in its environment. Yet each time a compromise occurs, the first thing we hear is that it is another failure of the standard. No standard, regulation, law or best practice, regardless of how well written it may be, is going to address every contingency. Certainly there is room for debate about whether a compliant company can be compromised, but let’s remember that the standard is necessarily vague in some areas to account for the wide variety of business models in the industry. If it were otherwise, we’d certainly hear about how the standard is too prescriptive (and that charge has been leveled at the standard with as much ferocity as the “too vague” accusation) and still does not prevent all the compromises.
The important thing to remember is that the objective of the standard is the protection of cardholder data. If you, as an individual responsible for data security or compliance, recognize an area of risk to the company or its customers that is not addressed by the PCI DSS, it is your (and your company’s) fiduciary duty to act. Court cases are now wending their way through the system to determine whether or not there is an implied contract between companies and their customers. If such a decision is made, then PCI DSS or no, companies will be held responsible for the loss of that data, and likely for a broader swath of data than is contemplated in the PCI DSS. Compliance is not an excuse to cede control of your security program. While the PCI DSS has a lifecycle of three years, companies should be constantly evaluating their threat environment and ensuring that their security program adequately addresses the risks to the data.