Following the data breaches at Target and Neiman Marcus, questions have been asked about the real usefulness of the Payment Card Industry Data Security Standard (PCI DSS).
The issue was raised by Gartner analyst Avivah Litan in a blog post entitled How PCI failed Target and US consumers. Litan pointed out that Target believed itself to be fully compliant with PCI regulations, and yet customer credit card data was stolen in unprecedented volumes. When Neiman Marcus was revealed soon afterwards to have suffered a similar card security breach, it too stated that its systems were fully PCI compliant.
Questions subsequently arose about Target's apparent failure to react to alarms from its computer systems, indicating that although PCI compliant in terms of its technology, Target's internal processes appear to have been less than perfect.
Whenever a major breach like either of these, or the recent eBay breach, takes place, everyone looks for someone to blame, and the PCI Council may just be among the targets for general wrath. Prior to Litan's blog post, and the more recently revealed flaws (‘Chip and Skim: Cloning EMV Cards with the Pre-Play Attack’), the US media were more preoccupied with the fact that the United States has never adopted chip and pin security, unlike Europe.
There are undeniably some difficulties with PCI. For many organisations, compliance is expensive and time-consuming; checks and controls required for compliance can exceed 1,000 for some organisations and keeping the company's IT infrastructure up to the required security standard can be a full-time job for a CISO or IT director.
These measures have been tolerated by many organisations because of the perceived protection they bring. Litan is right to highlight that the promise of ‘safe harbour’ from the consequences of any breach will have been a significant factor in the original cost-benefit analyses prepared by Target and Neiman Marcus when addressing PCI DSS compliance. The PCI Council must urgently address this perception with the major card schemes, or it will find it much harder to convince merchants to make the investment needed to achieve PCI DSS compliance.
The right response for all merchants must surely be to return to a reliance on the core principles of good security, rather than on compliance per se, for protection. Reducing the amount of data that organisations are obliged to handle will inherently diminish the likelihood of any breach. Wherever possible, sensitive card details should be transmitted directly from the customer to the bank, rather than passing through a complex network of intermediaries. Removing the card data in the first place is far and away the best way to ‘secure’ the sensitive data, and it fortuitously makes compliance with PCI DSS cheaper and easier to achieve too.
Increasingly, we see organisations adopting solutions such as tokenisation to remove the card data from their environment. Put simply, tokenisation is the process of replacing sensitive data with unique identification symbols that retain the essential information about the data without compromising its security. “Tokens” can only be used in the context of a specific unique transaction, so they cannot be mathematically translated back to reveal the details of a particular card. They can be used regularly by repeat customers of a particular website, providing a great combination of security and customer experience.
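As an added illustration of the tokenisation model described above (example code written for this page, not Semafone's or the author's own), the following Python sketch shows a token vault held by a hypothetical payment provider: the merchant keeps only a random token and the last four digits, the PAN never enters its systems, and the token can only be redeemed in the merchant context it was issued for. The card number used in the test is a constructed value that merely passes the Luhn check.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so the vault rejects malformed card numbers."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Token:
    value: str        # random identifier; no mathematical relation to the PAN
    last4: str        # the only card detail the merchant retains
    merchant_id: str  # context in which the token may be redeemed


class TokenVault:
    """Server-side store kept by the payment provider (hypothetical).
    The merchant holds Token objects only; the PAN lives here."""

    def __init__(self) -> None:
        self._pans: dict[str, tuple[str, str]] = {}  # token -> (pan, merchant)

    def tokenize(self, pan: str, merchant_id: str) -> Token:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        value = "tok_" + secrets.token_hex(16)   # 128 random bits, not derived from the PAN
        self._pans[value] = (pan, merchant_id)
        return Token(value, pan[-4:], merchant_id)

    def detokenize(self, token: Token, merchant_id: str) -> str:
        """Release the PAN only inside the merchant context the token was
        issued for, e.g. when forwarding a repeat purchase to the acquirer."""
        pan, bound_to = self._pans.get(token.value, (None, None))
        if pan is None or bound_to != merchant_id or token.merchant_id != merchant_id:
            raise PermissionError("token not valid in this context")
        return pan
```

A breach of the merchant's own database in this model yields tokens and last-four digits only, which is exactly the reduction in held card data the article argues for.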
In the US, banks are gearing up to make the move to chip and pin to address “card present” fraud, and are starting to worry about how they are going to prevent fraud from increasing in the CNP (card not present) market of online and telephone sales. MasterCard and Visa have formed a new cross-industry group to see how tokenisation can be applied to online and mobile payment environments to protect against fraud.
The fact is that there is no way of making card details 100 percent secure. PCI regulations encourage vigilance and are generally reflective of good security practice, but hackers are clever and human error can unravel the most intricately laid plans. Nonetheless, the regulations hold large organisations to account for the measures they are taking to address fraud and, by highlighting the costs involved with ‘good security’, they encourage the industry to seek better, more cost-effective solutions. There may be no such thing as a safe harbour, but the industry must do everything in its power to address fraud. And there's no doubt that the less sensitive card data we hold, the less of it we have to lose.
Contributed by Tim Critchley, CEO of Semafone