PCI DSS, You Brought It On Yourselves

I have never hidden my disdain for the PCI DSS, and have written numerous blogs as to why. Not just whinging mind you, I have always included a stab at providing solutions or alternatives. But every now and again, I have to remind myself why the DSS even exists in the first place. And who needs to accept a sizeable chunk of the responsibility for it.

It’s you Mr. Retail, and you Mr. E-Commerce, and especially you Mr. Service Provider. You are every bit as culpable as the Card Brands.

Yes, the payment card technology is 50+ years old, and hopelessly outdated. Yes it’s a ridiculous way of paying now that there are so many better ways. And yes, it’s very difficult to protect cardholder data, but it’s really not complicated. All it took was effort.

But organisations didn’t make any effort. For decades on end. From stand-alone terminals, to integrated points of sale, to e-commerce, and now to mobile, the threat landscape has changed beyond measure. The corresponding risk management programs have done next to nothing.

Let’s take a quick look at the causes of 3 of the worst card data breaches to date:

  1. T.J. Maxx (2007 – 45.7M Primary Account Numbers (PANs) compromised) – I know this one’s going back a bit, but it’s one of those rare examples of where the PCI DSS was [mostly] up to speed with the prevailing threat landscape. The breach was caused by weak encryption on their wireless access points. Although Wired Equivalent Privacy (WEP) was:
    i)   known to be vulnerable way back in 2001;
    ii)  replaced by WPA in 2003;
    iii) deprecated by the IEEE in 2004, and;
    iv) addressed specifically in the DSS from as early as v1.0 – “4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi Protected Access (WPA) technology if WPA capable, or VPN or SSL at 128-bit. Never rely exclusively on WEP to protect confidentiality and access to a wireless LAN.”
    …T.J.Maxx still had WEP as its standard. This vulnerability (plus horrifically poor network segmentation) led to the compromise. It also took T.J.Maxx 18 MONTHS to find out.
  2. Target (2013 – 40M PANs compromised) – Network access credentials stolen from a 3rd party and used to remotely log in to systems in-scope for PCI. An HVAC provider at that! Where to even begin on where Target went wrong?! But we can assume:
    i)   vendor due diligence and management was sub-standard (addressed in Requirements 12.8.x);
    ii)  vendor access standards and monitoring were not in place (addressed in Requirements 8.1.5.a, 8.1.5.b, and 8.3.2.a);
    iii) change detection mechanisms were either not in place, or ineffective (addressed in Requirements 6.4.x);
    iv)  logging and monitoring mechanisms were either not in place, or ineffective (addressed in Requirements 10.x), and;
    v)   network segmentation was inadequate.
  3. Home Depot (2014 – 56M PANs compromised) – Similar to Target, which makes this one even more embarrassing and unforgivable.

If we were to look at the thousands of other breaches that have occurred we would find little difference. It’s not so much concerted attacks from dedicated and skilled hackers that’s the problem, it’s the complete disregard for basic security practices by the vast majority of organisations. Organisations who KNOW better, but have chosen instead to just roll the dice.

I’m not saying that these three examples were not perpetrated by skilled hackers, but the level of skill required was significantly less than it should have been. In fact, if these organisations only had DSS levels of security controls in place, the attacks would have been significantly more difficult. REAL security would have made these targets of last resort.

What Are You Going to Do About It?

As the South Africans say: “If you want security, build your fence higher than your neighbour’s.” The reason the PCI DSS exists is because no one was building any fences!

The right things to do for security have, quite literally, been written down for generations. Ignore these basics and the upcoming regulations related to privacy will make PCI look like a walk in the park by comparison.


2 thoughts on “PCI DSS, You Brought It On Yourselves”

  1. Electronic payment systems were seen as a major opportunity to cut costs and employee theft. No cash? No problem. No cash-centric controls were needed. No counting of cash drawers, no couriers to the bank, no cash on premises available for theft, no employees overcharging and pocketing the difference, no insurance to cover cash theft, etc. It was the perfect win situation.

    Even the interchange fees, as much as businesses complained, could be lower than the cost of protecting physical cash for some businesses. Payment cards were even more secure than physical checks and their improvement to daily cash flow was great.

    But as soon as companies needed to start implementing those physical cash protection controls on electronic payments the cost-savings would fall apart.

    So companies squawked that they were trying to run their widget business and could not afford to become experts in computers, until the losses started to get out of hand, all the while ignoring that the concepts are the same as for physical cash. And as long as the business stayed offline and pretended to validate the signatures on the back of the cards they were protected from loss and still experienced the cost savings of electronic payments.

    That’s the real reason businesses still push back: When they have to protect electronic payments to the same extent as they do for cash, much of the advantage of electronic payments disappears. But now they have a problem. People don’t want to carry wads of cash and cash doesn’t work online.

    What I would love to see is the Council start to fine certain acquirers who charge their non-PCI compliant customers a “PCI non-compliance fee” as a money-maker. Those acquirers are part of the problem. They know their customers are non-compliant and they’ve turned that into a profit center.

    http://acquiring.elavon.com/pci/faqs/index.aspx

    “What happens if I don’t get certified?”

    “Elavon will impose additional fees for each month that your account has not been validated as PCI compliant or in any given month your account is deemed non-compliant. You must maintain your compliant status once it is obtained in order to prevent this fee in the future.”

    When it’s cheaper to pay the fees, that’s what companies will do.

    • As always, many thanks for taking the time to contribute JJ.

      I will say though that retail had little option BUT to accept payment cards. Banks were handing out cards to consumers like there was no tomorrow in order to make billions from the credit LOB. Not being “experts in computers” is no excuse for retail not to put basic security controls in place. I’m not qualified to diagnose my son’s illnesses, but you can bet I know someone who is. It is MY responsibility.

      I can empathise with small retail, but these days their payment solutions COME from their acquiring bank (or preferred PSP) so fines aren’t an issue. Large or even medium retail have always known about security, but chose not to spend the money.

      Agree that acquirers who are still fining for non-compliance should be brought to task, but if the acquirer wants to fine their merchants it has nothing to do with the Council, or even the brands themselves. Now that the brands are no longer fining the acquirers (Visa anyway), the acquirers could stop also. It’s up to the merchant to negotiate their acquiring contract, and if the acquirer thinks the risk is too high, they can still insist on PCI compliance as mitigation. The merchant has a choice, and once again, ignorance OF their choices is not an excuse.
