On the Irrelevance of the PCI DSS

After last week’s blog, where I challenged the relevance of the PCI DSS v3.2 (and basically the relevance of the entire standard itself), I received a number of comments questioning my reasoning. As is always the case, opinions differ, and while I have no intention of trying to change the mind of those who disagree with me, I will at least attempt to put together a more lucid argument around my position. This will consist of a summary of the various points I have made on this topic in numerous blogs over the last 2.5 years.

First though, let me stress that I do not believe the PCI DSS is all bad. I do believe it is managed poorly, and that it in no way represents a valid security program / framework, but in reality, it was never designed as such. It was a minimal set of security controls the card brands wanted in place around their data in order to keep government regulators off their backs. Basically smoke and mirrors with some minimal risk reduction thrown in for appearances.

These are my Top 10 arguments for the irrelevance of PCI:

  1. 50+ Year Old Technology: You wouldn’t gut-refurbish a house you intend to knock down would you? So why would you spend a fortune on PCI compliance when it’s clear you’ll need whole new payment channels for mobile, the Internet of Things, and whatever comes after that? Cardholder data cannot be protected at a reasonable cost …ever, and as the influence of the card schemes wanes, the thieves will move on to whatever is most popular.
  2. QSA Training: Almost, but not quite, an oxymoron, and one of the biggest reasons PCI became such a waste of time. The requirement for 5 years of security experience on a resume/CV was completely inadequate (and often faked). QSAs needed to be security consultants first and foremost; what we got was a bunch of auditors who completely missed the point. The point should have been that the DSS was a MINIMUM set of controls, and that real security was never to be found in compliance alone. The QSA training is absolutely pitiful.
    Why does no-one question the fact that not one QSA on the planet is an expert in all 12 requirements? Every assessor has skills and weaknesses, yet they are permitted to assess the compliance of all areas. No client wants to pay for TWO assessors, and a minuscule number of QSAs actually sub the validation of their weaker subjects. Why? Because they don’t have to.
  3. Conflict of Interest: There is still a LOT of money in PCI, billions in fact, and there are many QSA companies out there that can credit their entire existence on the back of that money. The competition is fierce, and the fact that every organisation going through compliance has 100% control over the commercials means that QSAs have to be extremely ‘pragmatic’. I have personally had organisations tell me that if I did not loosen my interpretation they would find someone who would. They were dumped as clients immediately of course.
    The second conflict of interest is that you can sell your client a firewall [for example], manage it for them, monitor the output, vulnerability scan and penetration test it, AND assess it for compliance. No due diligence required on how you perform checks and balances, all you have to do is be up front about it. Utterly ridiculous.
  4. Risk Assessment: The PCI DSS is the result OF a risk assessment, one performed by the card schemes themselves. That’s what the control requirements ARE! If it was a true risk assessment, the PCI assessment itself would be a choice, not mandatory, and there would exist an ability to accept residual risk. There isn’t. In fact, the only point of the risk assessment in PCI is to decide if you need to go above and beyond, and who in their right mind would do that if they didn’t have to?
  5. Scope: It is the role of any good QSA to help a client reduce the scope of their assessment as much as humanly possible. This makes perfect sense from a risk-to-cardholder-data perspective, but when ALL a client’s focus is on the remaining CDE, the rest of the business suffers. In most organisations personal data is far more prevalent, and with the GDPR looming, a much more sensitive asset. Only an organisation-wide security program makes sense, one that’s in line with business goals, not just a single set of commercial obligations.
  6. Governance: Easy, there isn’t any, and the word does not even appear in the PCI DSS. Not once. How are you supposed to run a risk assessment, determine control implementation in line with business continuity plans AND enforce repeatable processes to keep the controls in place without some form of governance?
  7. Weak Controls: I have covered these ad nauseam; from the continued use of the word ‘periodic’, to the lack of a management systems framework, to logging and monitoring, the control requirements have always been, and will always be, inadequate for real security. Perhaps this wouldn’t be so bad if the SSC didn’t keep saying things like: “[PCI] provides the most complete set of data security standards available globally.”, which in my view is nothing short of irresponsible.
  8. Validation & Sampling: Sampling is supposed to be a privilege, not a right, and sampling starts at 100% until a client has earned a reduction. Systems that are installed the same, kept the same, managed the same, monitored centrally, ALL must be in place before sampling is an option, but try telling a client they must provide 10,000 pieces of evidence to achieve compliance (see 3. Conflict of Interest above).
    Don’t get me started on the annual ‘point-in-time’ aspect. What security standard could possibly accept validation evidence that’s 364 days old? Nothing in the PCI DSS says you can’t.
  9. Disaster Recovery & Business Continuity: These receive the very barest of lip-service, and frankly, even that is none of the card brands’ business. Beyond incident response, a company’s ability to get back online and stay in business is their own affair, so why even put “* Business recovery and continuity procedures” in 12.10.1 if not to create another illusion of best practice?
  10. Threat Landscape: With a 3-year life-cycle and a complete inability to change radically, the PCI DSS is, and will always be, inadequate to address current, and especially zero-day, threats. PCI compliance would spit out the back of a security program done well; ‘just compliance’ will always fall well short.

Basically PCI compliance is like being pressured into hiring the CEO’s son: no matter how lazy or incompetent the kid is, you can’t fire them. All you can do is marginalise them so they don’t actually do any real harm.

I have used the phrase “I hate PCI!” for almost 10 years now, and given that PCI has been directly responsible for funding my career, I may seem more than a little ungrateful. But it’s not about hating PCI, or even the SSC, it’s about making those who need help most pause, hopefully laugh, and above all, listen.


10 thoughts on “On the Irrelevance of the PCI DSS”

  1. I get you’re hell bent on why the PCI DSS sucks and your article is well written, but is it REALLY THAT bad? What’s the alternative, especially for merchants/retail, which aren’t heavily regulated? Have you written a similar article about the positives of PCI (DSS and beyond), besides the fact it funds your career? Anytime someone points out the negative/problems I always challenge them to outline the options and potential solutions. I like your perspective and you make some good points, but I’d also be interested to read what you like about PCI and how it does solve some problems. If it didn’t it wouldn’t be around.

    • Hi Anon, and many thanks for your comments.

      I have indeed written an article on exactly that; https://www.davidfroud.com/why-pci-isnt-all-bad/. I have never denied that the PCI DSS has done a lot to raise the ‘security consciousness’ across many industries (and globally), but it will be the privacy and protection of personal data compliance regimes that take security to levels we expect.

      No blog I have ever published (except this one, but that was on purpose) does not include my thoughts on how to fix what’s broken. Just do a search on my site for “PCI – Going Beyond the Standard”.

      The many issues I have with PCI (and the SSC in particular) is that they never address the issue of the card brands being to blame for the whole mess. It’s THEIR data, THEIR technology, and THEIR need to stay in business that has delayed true progress in payments. Can’t blame them for it, but I don’t have to like it.

      Mobile devices and Identity Management will kill the PAN in due course, PCI budgets should be spent on business goals, not PCI compliance.

  2. The real problem is that while merchants are experts in their trade and have solid controls over physical cash, literally everybody, including banks, see electronic payments as a cost-saving mechanism. If the same rigor of controls was put in place for electronic payments as cash then the problem that PCI-DSS was created to fix would not even exist. But then much of the cost-saving would evaporate.

    A secondary problem is that in many organizations, this is the unwritten risk philosophy: “Almost any risk is acceptable until it actually happens to us.” That’s why so-called “risk assessments” are usually worthless. I work in financial services and routinely review vendor control assessments where they responded to literally every audit finding and pen test finding with “We accept that risk.” And all of the auditors nod their heads and say that this is acceptable because “the business” performed a risk assessment and “the business” knows their risk better than anybody else.

    That’s why SAQs are a joke. Just check the boxes and sign. There isn’t even a requirement to have the document notarized to lend a bit of credence to it. It’s a legal license to lie and later bleat “But we were PCI compliant!”

    People have a way of not paying attention until something or someone whacks them in the wallet or purse. That’s what PCI-DSS does. The penalties can be onerous enough that companies are actually paying a minimal amount of attention to electronic payment security.

  3. There are two major risks that the networks are trying to address with PCI DSS:
    – Merchant Banks exposure. They are on the hook if there is a fraudulent transaction – they have to return the money to the issuer, who will revert the balance on your card
    – Perception. If the transactions are perceived as insecure people will not use the cards.
    I am not going to argue that PCI DSS does not have flaws – the iframe vs. hosted page comes to mind. There are PCI compliant companies that have been breached.
    However, it is designed to address network risks, not merchant’s risks. As such, the merchant has little say over the controls, aside from the notion of those being “workable”. The standard is probably weird for some sophisticated merchant; however, there are gazillions of small shops that would greatly benefit from some security framework like PCI DSS. Don’t forget that the Council is trying to deal with the most common denominator.
    As for the CC itself – the PAN was never intended to be a security feature, it is really like a routing address. However, the cards will be around for the next 10-15 years so we should do something about it. I would love to leapfrog to more modern methods of payment but that would require significant infrastructure and psychological investment, it cannot happen overnight.

    • Many thanks for your comments Mike. I will say that it’s the issuer on the line for fraud in an EMV world, not the acquirer (merchant bank), and small merchants will never care about PCI. Not saying they shouldn’t, but in a world where both acquirers and PSPs are providing the payment terminals, it should be up to them to assure compliance.

  4. Agreed on some points. I think the big problem with PCI DSS is the lack of governance, oversight, and auditing. They’re finally going to start auditing the auditors. From my experience they’re in for a rude awakening.
