Feb 22, 2008 (07:02 PM EST)
PCI And The Circle Of Blame
Read the Original Article at InformationWeek
The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.
Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.
The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.
Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.
This isn't to say that card brands and many merchants aren't serious about security. They are. There's broad consensus that the requirements outlined in PCI represent a sound--some would even say remedial--security architecture. But security is expensive and complex, and merchants operate on razor-thin profit margins. PCI creates a financial incentive to seek the least expensive path to compliance.
At the same time, Visa and other card brands have a vested interest in demonstrating the success of the initiative by touting a broad adoption of the standard, which means they may not look too hard at whether PCI is actually making credit card data more secure.
If a compliant merchant is subsequently breached --and more successful attacks are inevitable--the card brands have created enough ambiguity in the system that they can shuffle blame by saying the merchant failed to properly interpret PCI standards ... even if the merchant passed its audits.
RUN THE NUMBERS
PCI divides merchants into four levels based on their annual credit card transactions (see table, p. 32). A merchant's level determines the steps it must take to comply with PCI regulations. Level 1 merchants, the largest U.S. retailers, make at least 6 million transactions annually. Those on Level 1 undergo annual audits by Qualified Security Assessors trained by the PCI Security Standards Council, an entity created by the card brands to write the PCI standard. The assessor, or QSA, works with merchants to ensure that they meet all the requirements laid out in the PCI standard. QSAs report on merchant compliance to the institutions that process credit card transactions, called acquiring banks; banks then report on merchant compliance to the card brands (see diagram, p. 36).
Level 2, 3, and 4 merchants aren't subject to QSA audits. Instead, they fill out self-assessment questionnaires to measure their compliance with PCI and undergo quarterly vulnerability assessment scans by qualified scanning vendors.
In January, Visa said 77% of the largest U.S. retailers and 62% of midsize retailers were PCI compliant. Visa touted these numbers as evidence of improved credit card data security and progress of the PCI initiative.
But other numbers dispute Visa's claims. One independent retail analyst firm says its own survey puts compliance of large retailers at 46% and of midsize businesses at 50%. "Retailers are well behind where they need to be," says Steve Rowen, a partner at Retail Systems Research, which surveyed 174 retailers, 45% of which generate at least $1 billion in annual revenue. It should be noted that Rowen's study classifies retailers by annual revenue rather than by credit card transactions, so his numbers don't represent an apples-to-apples comparison with Visa's.
But Rowen also cites a more damning statistic: Only 40% of respondents have completed a wall-to-wall assessment to uncover all the places customer account data is held. Requirement 3 of the PCI standard is to protect stored cardholder data. But merchants can't secure that data if they don't know everywhere it is, making compliance impossible.
Rowen says Visa may be inflating compliance rate for several reasons. First, high compliance numbers make PCI look successful. Second, if the card brands fail to enforce stricter protection of card data among merchants, it's likely the federal government will step in. Not only might federal regulations be more onerous and expensive, they may also place significant restrictions on the type and amount of information that retailers can collect about customers.
This gets merchants' attention.
"That [customer] data is the lifeblood of every marketing and promotion campaign that runs today," Rowen says. "If you take that away from retailers, they will be back in the Stone Age."
Congress has held hearings around credit card security in the past several years. In 2005, a House bill proposed a federal law regarding customer notification when personal data is exposed. That bill did not become law, but a few more breaches like TJX's and scrutiny could resume.
OPEN TO INTERPRETATION
There are several reasons merchants struggle to comply with PCI. One problem is a lack of understanding of just where and how credit card information flows through retail systems, including individual stores and corporate data centers. Many retail organizations also operate legacy architectures that lack sufficient security controls. For instance, credit card data may travel unencrypted between retail stores and headquarters, or even among systems within stores. Point-of-sale equipment and applications may log or store credit card numbers and magnetic stripe data, making these systems targets for thieves. PCI has mandated that retailers encrypt all transmissions of card data, and that point-of-sale equipment and applications shouldn't store card data, requiring retailers to upgrade their infrastructures.
While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it's both too specific and too vague. For instance, the standard requires use of stateful packet inspection firewalls. "What if I choose to use another technology that I believe is equivalent?" says Michael Barrett, chief information security officer of PayPal, a Level 1 merchant. "You have a whole big fight with your auditors or you hold your nose and do it."
Level 1 merchants also clash with QSAs over issues such as "compensating controls"--technologies or processes used in place of specific requirements on the PCI checklist. "We believe our controls are adequate, but they are different from how the standard is written," Barrett says. "So you argue with auditors. Those kinds of things make you want to tear your hair out."
There's also a level of subjectivity in PCI that many find disturbing. The training for QSAs provides few guidelines for resolving this subjectivity. One PCI expert, who requested anonymity, says of the training: "When you ask if X or Y would be acceptable, or how to apply X in situation Y, they always answer 'Use your best judgment.'" He says that when others in the class pointed out how wildly their opinions could differ in a given situation, the instructor "had no answer other than to say 'do your best.'"
"It's a question of interpretation of the auditor, and the sophistication and skill set of the auditor," says Jay White, global information protection architect at Chevron, also a Level 1 merchant. "PCI was more painful than it had to be, but we've learned we have to help the auditors understand how we meet their objectives, even if they don't at first see it."
This lack of guidance can lead to significantly different approaches to compliance, even among auditors at the same Qualified Security Assessor. In one case, a company brought in a PCI expert to monitor a QSA's recommendations. The expert says the QSA had insisted the company deploy a million-dollar technical control when a simple change in operational procedure would have addressed the issue. "The assessment company then sent out someone completely different," the expert says, "and he disagreed with the recommendations of the prior QSA from his own company!"
This inconsistency can have significant repercussions for Level 1 merchants. If a merchant exposes card data, Visa dispatches a team of forensics security consultants to determine if the merchant was compliant with PCI at the time of the breach. "If a 'compliant' merchant gets compromised, I can guarantee you I can find at least one thing in the compliance report I could argue about," says the PCI expert. "This provides just enough wiggle room for the brands to point at the merchant or QSA and argue the standard was interpreted wrong."
Being judged noncompliant can result in substantial fines for the merchant and its acquiring bank, including higher per-transaction card processing fees. A judgment of noncompliance would also be useful to law firms contemplating action against the merchant.
GAMING THE SYSTEM
While many retailers use the PCI standard to improve their security postures, the spec has enough holes to let retailers demonstrate compliance without making significant changes to their security practices. A key issue is the number of retail locations that are physically audited by a QSA. The guidelines for Level 1 merchants require individual retail locations to be audited. This is a critical component of the standard, particularly in light of the TJX credit card theft, in which thieves first gained access to the company's systems through the weak wireless network of a single T.J. Maxx retail store.
However, the standard doesn't mandate a certain percentage of physical store audits. It says only that retailers must certify the IT and network configurations of their stores. Retailers tend to have large groups of stores with similar technical configurations, meaning only a handful of stores may be seen by an auditor.One major clothing retailer we spoke with said auditors examined four out of 1,000 stores, a sample size of just 0.4%. The retailer says all its stores share the same configuration and are centrally managed, but it's all too easy for security problems to go undiscovered with such small samples. "I could hide a multitude of sins from a QSA," says the PCI expert.
And while some retailers complain that auditors are too strict, the current system lets retailers seek out QSAs who may apply the standard less rigorously than others. "I've read several compliance reports that have been provided to us after the fact, and I wouldn't consider them appropriate," says the PCI expert. "They passed, but I don't know how." When asked if merchants are shopping for QSAs that provide an easy assessment, he says: "I can guarantee you that. Why wouldn't they?" Even the PCI Security Standards Council, which trains and certifies QSAs, admits that quality levels may not be consistent among the more than 100 active QSAs.
"It's a competitive game," says Bob Russo, general manager of the council. "One QSA might do an on-site assessment for X number of dollars, and another QSA will do the exact same assessment for less. A merchant thinks, 'If this guy is charging me $50K and this guy charges me $10K, there's a question there.'"
In response, the council is introducing a quality assurance program, due later this quarter, to ensure that all QSAs are performing assessments with the same rigor. "The goal is to make sure it's a level playing field so we don't have accusations from QSAs or merchants that some people are rubber-stamping," Russo says.
The question of rubber-stamping ties to the issue of liability. If a compliant merchant is breached, does the QSA bear any responsibility? It's a question that makes QSAs uncomfortable.
"Who's to say a retailer doesn't take what we say and toss it into the garbage?" says Barbara Mitchell, manager of security product marketing at Verizon. Along with Internet Security Systems and TrustWave, Verizon wins much of the assessment business for Level 1 merchants. "We should have some skin in the game, but if a retailer decides to not listen to our recommendations, it's a murky area," Mitchell says. "If we assume liability, we want to review all the stores, all the servers. That shoots the cost up to a prohibitive degree."
Retailers we spoke with were unclear about the liability question. "I think it would depend on whether our controls were deficient and on the audit process," says the network architect at the major clothing retailer. "I think there would be some level of liability, but we've not dug into that. There may be language in the contract I'm unaware of, but my focus has been on controls to prevent a breach rather than where we will point a finger." Unfortunately, finger-pointing is inevitable if credit card data gets stolen. "When a breach happens, if they see something out of whack, they will go back to the auditor, like Enron and Arthur Andersen," says Teri Quinn-Andry, product marketing manager for Cisco Security Solutions.
Then there's the problem of depending on what is, essentially, an honor system for Level 2, 3, and 4 merchants. There is no outside validation of a company's responses to the self-assessment questionnaire. "The reality is, you don't have to be compliant, if your business wants to take that risk," says the IT director of a Level 2 cruise ship operator.
"A lot with PCI is left to your interpretation," agrees Alan Stukalsky, CIO of Church's Chicken restaurant chain, also a Level 2 merchant.
There are significant flaws in the PCI system as it stands. But for CIOs who want to tighten security, it can provide leverage to fund new investments or serve as the impetus to adjust business practices or revise security processes. "We've always valued customer information and protecting customer info," says the CIO of an outdoor clothing retailer. "It's just that operationally, some things got easier if we were looser." He says PCI provides the incentive to tighten up certain business operations.
And many Level 2 and lower merchants do take self-assessment seriously. Church's Stukalsky says a team of six IT staffers spent three to four weeks reviewing the questionnaire. They also hired a QSA, which isn't required by PCI rules, to help identify where changes needed to be made to IT systems and processes. Church's has about 1,200 U.S. restaurants.
Stukalsky says the company revised its password policies and became more aggressive about updating software patches. He also says that recent investments in point-of-sale equipment and new network connections for the restaurants, which the company had undertaken before PCI requirements, went a long way to smoothing compliance.
Merchants complaining the loudest may be the ones that need to put the most investment into modernizing their infrastructures and managing customer data. "I'm not sympathetic with organizations that whine because they obviously haven't put a good security structure in place," says PayPal's Barrett. "If you're using old, outmoded technology that can't protect data, I'm not sure it's appropriate for you to take custody of that data."
There's no question that concrete steps must be taken to protect credit card account data, and at the moment PCI is the best effort, despite its flaws. Here are some ways those concerned with security can work to improve the system.
• Press for a federal breach disclosure law. At present, 40 of 50 states have laws that define how organizations must report a breach of sensitive data. A uniform federal law that includes rules regarding improper disclosure of credit card account information will reduce the hassle and expense of addressing the issue state by state--and give retailers no excuse if they get it wrong.
• Provide more uniform Level 1 audit guidelines, including sample sizes for assessing individual retail stores. Individual store audits should be based on a total percentage of stores in addition to store configurations. To offset the cost of additional store audits, the card brands should provide incentives, such as lower transaction rates or rebates, to acquiring banks. The banks can pass these savings on to retailers.
• Finally, make card brands share the cost of credit card fraud. At present, the card brands don't incur any of this financial burden. Issuing banks--the banks that provide credit cards to consumers--shoulder as much as 70% of the cost of fraud, including swallowing bogus transactions, canceling accounts, and issuing new cards. The remaining 30% is absorbed by merchants and acquiring banks. If the card brands have a financial stake in fraud costs, they will have a clear economic incentive to vigorously enforce credit card security measures.
(click image for larger view)
Can You Buy PCI Compliance?