Feb 22, 2008 (07:02 PM EST)
PCI And The Circle Of Blame

Read the Original Article at InformationWeek

1   2   3   4   5   6  
The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.

Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.

InformationWeek Reports

The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.

Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.

This isn't to say that card brands and many merchants aren't serious about security. They are. There's broad consensus that the requirements outlined in PCI represent a sound--some would even say remedial--security architecture. But security is expensive and complex, and merchants operate on razor-thin profit margins. PCI creates a financial incentive to seek the least expensive path to compliance.

At the same time, Visa and other card brands have a vested interest in demonstrating the success of the initiative by touting a broad adoption of the standard, which means they may not look too hard at whether PCI is actually making credit card data more secure.

If a compliant merchant is subsequently breached --and more successful attacks are inevitable--the card brands have created enough ambiguity in the system that they can shuffle blame by saying the merchant failed to properly interpret PCI standards ... even if the merchant passed its audits.