A reporter asked me last week whether I think the PCI Standards have completely failed consumers and been proven useless — because of the recent breaches — and so should “Rest in Peace.” For those who don’t know about PCI (the Payment Card Industry), it has a “Security Standards Council” that mandates security for every company taking credit or debit cards in the U.S. (at least from all major banks). In order to accept cards, a business must be “PCI compliant.” The question is, how far do those standards go in terms of protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.
But before we decide if their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to be in favor of anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security as a consumer or a company) usually improves as they learn more about cybercrime and how challenged all of us in cybersecurity are to stop it.
When PCI standards were first implemented, it surely forced a lot of businesses to beef up their security. And that’s good, because too often security is neglected. Although it is essential, security is in competition with other business objectives, because it costs money and it doesn’t add profit. It only prevents loss, and that’s a pretty ambiguous benefit sometimes.
This is especially true because security people can’t tell a company, for example, “if you follow these fifty rules, you will be secure.” Security is never that certain. It is a rapidly moving target, which means different things to different companies. For example, retailers are much more highly prized by cybercriminals than manufacturers. But all businesses have hackers trying to get in. It’s more a matter of how often the criminals try and how sophisticated their attacks are. To give you a feel for what the debate is all about, let’s look at two very common-sense PCI mandates: “protect all systems against malware”* and “protect stored cardholder data”**. Hardly anyone would argue with these. But two major challenges with PCI rules are: (a) the requirements are often subject to interpretation, and (b) they don’t go far enough.
For example, the PCI requirement for anti-virus software says that it should be deployed on “all systems commonly affected by malicious software” (pg 46). So here’s a question: is malware considered “common” yet on Point of Sale card readers like the ones used at Target or Neiman Marcus? It certainly wasn’t a common tactic even two years ago, but we’ve seen a lot of it in the last six months. When “compliance,” or the lack of it, depends on the definition of a word like “common” — which often relies on opinion, as in “he’s an uncommonly cute bear” — there are some issues in terms of objectivity and enforcement.
Even if Target had put antivirus on their POS, it still would not have stopped this latest group of cybercriminals. Smart cybercriminals do their best to find out what security products their target company is using. Then they test their malicious software against those products. They want to be sure they create malware that will remain undetected.
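The second mandate, “protect stored cardholder data,” is more mechanical than the anti-virus one, and it is worth seeing what a concrete check for it looks like. The script below is an added example written for this post, not code from the author or from the PCI Council: it masks a card number (PAN) for display, keeping at most the first six and last four digits as Requirement 3 allows, builds a keyed one-way reference for a stored PAN, and scans log lines for clear-text card numbers that should never have been written. The function names, the sample POS log lines and the key are all constructed for illustration; only the well-known test card numbers are real.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out numeric ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash usable as a storage or lookup reference for a PAN.

    Hypothetical helper: the key must come from proper key management, must
    never sit beside the data, and the clear PAN must not be kept alongside it.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(log_lines):
    """Return (line number, masked PAN) for each Luhn-valid clear PAN found."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Replace Luhn-valid clear PANs in a log line with their masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, line)


# Constructed sample POS log lines (not from any real system). 4111... and
# 4242... are the well-known test card numbers; 1234567890123456 is a
# Luhn-invalid order id that a naive digit-counting scan would flag wrongly.
SAMPLE_LOG = [
    "2013-11-20 10:01:02 POS-07 sale approved pan=4111111111111111 amount=42.10",
    "2013-11-20 10:01:09 POS-07 sale approved pan=411111******1111 amount=9.99",
    "2013-11-20 10:02:33 POS-02 order_id=1234567890123456 status=shipped",
    "2013-11-20 10:03:15 POS-02 sale declined pan=4242 4242 4242 4242",
]

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: clear PAN found, masked form {masked}")
    print(redact_line(SAMPLE_LOG[0]))
```

Run against the constructed log, the scanner reports lines 1 and 4 only: line 2 is already masked, and line 3 is a 16-digit order id that fails the Luhn test. The Luhn filter is what keeps such a check usable in practice; without it, every timestamp-free numeric id in a log becomes a false positive and the auditor stops reading the report.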
However, PCI does an okay job of establishing a “security floor” for smaller companies. And any standard that is applied across an industry must be flexible so the little guys can afford to adhere to it. And, anyway, what’s the alternative? Give the job to the government? Surely no one thinks that’s a good idea? (But stay tuned for a review of the Data Security Act just in case it is.)
best,
cj
* Requirement 5, pg 46 of the latest PCI 3.0 document, Nov 2013
** Requirement 3, pg 34
Who is Cynthia James?
Cynthia James speaks and writes about cybercrime. Her goal is to educate the average internet user as painlessly as possible and to comment on headline cybercrime news that matters. You can find her on LinkedIn, Twitter and Google+.