PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives' Committee on Homeland Security hearings.
Why the dire prognosis?
Anyone who has been following the cascade of security failures plaguing the payment card industry, as punctuated by the still shrouded breaches at RBS WorldPay (RBS) and Heartland Payment Systems (HPY), must acknowledge that there are serious problems with PCI security that need to be addressed.
Yet, the greatest threat to the survival of PCI DSS may not be the ever-evolving tactics of the criminal hackers, but instead may be the dysfunctional nature of the relationships between the very parties the standards are meant to serve.
The squabbling and finger pointing displayed during the first quarter of 2009 has resulted in nothing less than a public relations nightmare as major card brands, payment processors and merchants each seek to deflect responsibility for security lapses.
RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability with the caveat that they are doing the best they can with what they have.
Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their good standing with the council at the time of the breach.
"Businesses that are compliant with PCI standards have never been breached," says Bob Russo, general manager of the PCI Security Standards Council, or at least he's never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says."
"'We've never seen anyone who was breached that was PCI compliant,' Phillips says without specifically naming - or excluding - Heartland. 'The breaches that we have seen have involved a key area of non-compliance.'"
To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering for anticipated class action suits.
“'It’s all legal maneuvering by Visa,' says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. 'This is PCI enforcement as usual: They’re making the rules up as they go.'”
The lack of a compliant status was seen as an opportunity by Heartland's competitors to move in on some of Heartland’s clients, with reports of merchants being warned that they may be violating PCI compliance by continuing to do business with the company, prompting Heartland to respond with threats of lawsuits.
During Tuesday’s Congressional hearings, representatives of the merchants - who are thought to bear the brunt of security protocol “cram-downs” from the card issuers - threw their hat into the ring in what now amounts to an industry free-for-all.
"Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were 'expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.'”
Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to further the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.
Is it any wonder that the future of PCI DSS is in question? What could possibly be worse than an entire industry at each other's throats in the midst of congressional testimony?
They could make enough of a brouhaha that they attract the wrong kind of attention from lawmakers, who have regularly demonstrated their intent of late to force industries of all stripes to cede to their better judgment.
Also from Forbes.com:
“'I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,' (Rep. Bennie) Thompson said. 'We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.'”
This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and someone may be looking for a scapegoat. It’s all uphill now.
During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.
I likened the public displays of policy incongruity, and the tendency of all interested parties to respond to news of security lapses by rushing to deflect responsibility, to a snake swallowing its own tail.
PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.