PCI security standards in the dock

So, 

I guess it won't be long now before US merchants realise that all the money they have spent on PCI was all money down the drain.  I believe that it will dawn on them that compared to EMV, PCI provides no protection whatsoever, and that merchants remain responsible for data breeches even after they are certified.  Once it has been accepted that the money would have been better spent on EMV, and more importantly that the card schemes knew this all along but chose to keep quiet, I am thinking that the merchants will be looking to be re-united with their cash.  I think the lawyers are going to be busy.  Rightly so, we have had to put up with this PCI nonsense for far too long.

Irrespective of the outcome, public reports to date indicate that investigators found unencrypted cardholder data on the point of sale. That is not only a PCI violation - and one that has been in PCI DSS throughout its five year history - it's a treasure trove for hackers to go after - especially if they already know the POS is at risk.

However, it's also an avoidable situation - with technologies like end to end/point to point encryption from the card swipe to take live data away from the retail systems on capture for authorization and tokenization for post authorization processes such as end of day settlement. Plenty of merchants and card processors have been using these approaches for some time - driven by compliance cost reduction and avoiding the inevitable breach for unprotected systems: In the event of a breach or attack the protected information stolen is useless to the hacker - unreadable and infeasible to break.

Hacking isn't going away. PCI DSS compliance isn't going away. The merchants have a duty of care over the data they are capturing. However, simple to use technology can meet the compliance need and the risk head on - these kinds of incidents should become a thing of the past - and progressive merchants are already there today.

Regards

Mark Bower

Voltage Security

As I was trying to say, and I knew it wouldn't be too long before someone jumped in to defend PCI, it won't be long before it dawns on people just what a complete waste of time and money PCI really is. You bleat on about how the data should be encrypted so that the hackers can't use whatever it is that they manage to hack from the POS or the merchant, but if the transactions were generated by an EMV card, any data held, rightly or wrongly, by the merchant would be worthless. Protecting EMV with PCI is like keeping a loosing lottery ticket in a safe!!

If there are no teeth behind PCI standards, then people will simply not adopt the standards.

Most companies are all too lax about security generally. Retailers complain about merchant charges, customers complain about card charges, but if hackers are allowed to run riot with card fraud, then the banks have no option but to pass the costs on.

PCI is about accepting responsibility for customer card holder data. If a retailer does not care about my card security then I am not going to give them my business, why would I? At the end of the day, having your card compromised is a real hassle, believe me, I been through it!

Yes improvements need to be made regarding clawing back the costs of a breach from a merchant, and merchants need to be made aware that it can happen.

But to throw away the the standards is totally ridiculous. There are lots of solutions out there to combat card fraud, and it does not have to be costly or complicated.

To David Griffiths: as I read from the story the merchant is based in the US so not sure why you are bringing up EMV.

In general this article is an example of low-standard PR where "fines levied by Visa and MasterCard" (probably chargeback fines) for some reason are mixed with PCI security standards leading to the self-explanatory ‘Finextra verdict' [yawn]. Shall we wait for the court verdict or Finextra’s one is sufficient?

Perhaps I am being a little too subtle, so I will try again.

No one is saying that security is not a good thing, I am only saying that PCI is a bad thing.  Hacking to collect card data for use in the developed world (ie, outside the US) doesn't happen, and this is because card and transaction data stolen from inside an EMV environment can not be used to generate another transaction in an EMV environment.  However, certian bits of it can still be used in the undeveloped world (inside the US).  Also, I can clone a magstripe card in the US and make an undetecable copy; I can also sniff authorisation data (and in some cases, settlememt data) and make another undetecable copy - none of this is possible in EMV-land.  

So, put simply, we in the developed world have chosen to adopt EMV, in which case we do not need to worry about the data that a merchant keeps hold of (they probably shouldn't but hey, we all know it happens) as it can't be used for generating other transactions!!!

In the US, they have chosen to force the implementation of PCI standards to protect the data at rest and in transit, because the hackers can make good use of it if they get hold of it - hey I was able to do this in the back bedroom in the 1980s - it ain't difficult.  However, if PCI is going to be useful, it necessarily needs to be adopted globally, as any old magstripe transaction can be compromised (especially ATMs in regions that still allow fallback) and then used in the US, because it will still work there.  

We in the developed world are being forced to adopt a security regime that provides us with virtually nothing, but it does protect the US, a bit.  However, again, US banks have their own methods of reducing fraud costs by raising RFIs against clearly frudulent transactions in the hope that they will end up as automatic chargebacks.  

You really need to look at cause and effect.  Hackers hack because they have a chance of stealing valuable card data.  That card data is ONLY of value in the US.  If it had no value in the US, it wouldn't get hacked.

Ah! you may say, but the hackers are also after the cardholder's addresses - Ah! Ah! I say, that isn't covered by PCI!

Cardholder data theft is not just about brick and mortar fraud. When brick and mortar fraud declines, it often reappears in the e-commerce space - as in the case in the UK for example. So while card not present fraud is down somewhat there (likely a combination of improved fraud detection and a reduction in consumer spending from economic downturn), the net card not present fraud in the UK is still over 220 million UKP for 2010 per the UK Card association 2011 report – not insignificant.

However, it’s a different story in the US where this story originates - the fraud costs are in the $Billions.

Data stolen from non EMV environments - which is more than just the US by the way - can be used outside its home jurisdiction in many cases.

Whilst EMV is a good tool in the fight against card present fraud where it is implemented - and perhaps one day ubiquity may come - it’s not close yet. It’s also just one it’s one of many tools and complimentary to end to end encryption and tokenization to provide a wide spectrum defense - along with real time fraud detection. With the rise in alternative payments, that spectrum is increasing in scope too - EMV pre-dated the payment world we have today for example.

Thus, raising the bar against hackers is the goal to avoid breaches and merchants suffering as a result as highlighted in this case - not a fight on what technology is best - they all have their place. Unfortunately, getting to ubiquity on EMV is a long term solution due to  the intricate nature of the payment and merchant ecosystem, though no doubt in some form it is on the long term radar for issuers, acquirers and card brands. However, todays risks need solutions now - and they are available now - without a massive incremental cost and complement the goal of PCI in reducing risk to data and consequential fraud from a breach in a major way.

Regards,

Mark Bower

Voltage Security