Will the PCI DSS v3.2 Make Any Difference Whatsoever?

Not feeling very creative today, but luckily the Payment Card Industry can always be relied upon to dish out plenty of blog fodder.

With a stunning twist, the SSC announced the potential release of the DSS v3.2 as early as March. It was greeted by the industry with a resounding “Meh”. And quite rightly; have you read the potential changes? They are:

…evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.

While I understand this is part of their new program of “…[moving] towards a system of smaller, more incremental modifications to address things like the EMV roll-out in the US, rather than larger, wholesale updates.“, when was the last time you saw a large update? You could point to the change from v2.0 to v3.0, but you would only be showing your ignorance of the ‘ROC Reporting Instructions for PCI DSS v2.0’, the incorporation of which accounted for 95% of the difference between the two versions (take a look at this if you don’t believe me: PCI DSS v3.0 – Mapping to v2.0_v07NOV13).

But let’s handle each of these ‘changes’ in turn:

  1. Evaluating additional multi-factor – Note the use of the word ‘evaluating’, meaning nothing will actually change for some time. Is multi-factor authentication a good idea for all privileged access? Yes, so let’s hope they actually enforce this one properly.
  2. Incorporating some of the Designated Entities Supplemental Validation (DESV) – For ALL service providers, or just the ones to whom the DESV already applies? If the former, great, but the DESV is mostly a paperwork and process requirement, not a set of additional controls. Not necessarily a terrible thing, but it depends on which requirements are carried across.
  3. Clarifying masking criteria – This one stumps me; how do you clarify the exposure of ‘first 6 and last 4’ only?
  4. Migration for SSL and early TLS – For the new date of 2018 to make ANY sense they should have kept the requirement to offer TLS 1.2 by 2016, while allowing backwards compatibility until the later date. The way it’s written, merchants don’t even have to offer TLS 1.2 until 2018, which is absolute nonsense.
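On the masking point, it helps to see exactly what ‘first 6 and last 4’ leaves exposed. The following Python is an added example, not code from the original post: it implements display masking, the Luhn (mod 10) check that card numbers carry, and a count of how many Luhn-valid PANs remain consistent with a masked value. The PANs used are constructed test numbers (they pass Luhn but are not real accounts), and the function names are my own.

```python
"""PAN display masking, and how much of the PAN it actually protects.

Added example; not part of the original post. PANs below are constructed
test numbers that pass the Luhn check but belong to no real account.
"""
from __future__ import annotations

import itertools
import re


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = 6, trailing: int = 4, fill: str = "X") -> str:
    """Mask a PAN for display. Defaults to 'first 6, last 4' (the PCI DSS maximum)."""
    if not re.fullmatch(r"\d{12,19}", pan):
        raise ValueError("PAN must be 12-19 digits")
    if not (0 <= leading <= 6 and 0 <= trailing <= 4):
        raise ValueError("display at most the first 6 and last 4 digits")
    hidden = len(pan) - leading - trailing
    if hidden <= 0:
        raise ValueError("nothing left to mask")
    return pan[:leading] + fill * hidden + pan[len(pan) - trailing:]


def hidden_positions(masked: str) -> list[int]:
    """Indexes of the masked (non-digit) characters."""
    return [i for i, c in enumerate(masked) if not c.isdigit()]


def luhn_candidate_count(masked: str) -> int:
    """Number of Luhn-valid PANs consistent with a masked value.

    Fix all hidden digits but one: the remaining digit contributes either d
    or (2d mod 9) to the sum, and both map 0-9 onto 0-9 one-to-one, so
    exactly one value satisfies the checksum. Hence 10**(hidden-1).
    """
    h = len(hidden_positions(masked))
    if h == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (h - 1)


def brute_force_candidates(masked: str, max_hidden: int = 5) -> list[str]:
    """Enumerate every Luhn-valid PAN matching `masked` (small masks only)."""
    pos = hidden_positions(masked)
    if len(pos) > max_hidden:
        raise ValueError(f"refusing to enumerate 10**{len(pos)} combinations")
    template = list(masked)
    found = []
    for combo in itertools.product("0123456789", repeat=len(pos)):
        for p, c in zip(pos, combo):
            template[p] = c
        cand = "".join(template)
        if luhn_valid(cand):
            found.append(cand)
    return found


if __name__ == "__main__":
    for pan in ("4111111111111111", "30569309025904"):  # constructed test PANs
        first6_last4 = mask_pan(pan)
        last4_only = mask_pan(pan, leading=0, trailing=4)
        print(first6_last4, "candidates:", luhn_candidate_count(first6_last4))
        print(last4_only, "candidates:", luhn_candidate_count(last4_only))
```

For a 16-digit PAN, first 6 and last 4 leaves six digits hidden, so the Luhn check reduces the search space to 100,000 candidates; showing only the last four leaves twelve hidden and 10^11 candidates. The brute-force function is there to confirm the formula on a 14-digit PAN, where four hidden digits give exactly 1,000 valid completions.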

The PCI DSS has always been, and will always be, entirely inadequate to protect critical data assets, but frankly, what choice do the card brands have? They are fully aware of the inadequacy of their plastic in the face of current payment innovations, and the only saving grace delaying their rapid decline is the ignorance of the end consumers themselves. The phrase often attributed to Henry Ford sums this up perfectly: “If I had asked people what they wanted, they would have said faster horses.” The average consumer simply has no idea what could replace plastic, but when they do, the change will be incredibly fast, and permanent.

The PCI DSS can never change dramatically, or the multi-billions spent on compliance to date would all be thrown away. Every organisation on the planet that is currently compliant (or reporting as such, to be more accurate) would have to spend countless more billions to bring itself up to the new standard. There is no way the card brands would survive the backlash. They have painted themselves into a compliance corner that cannot protect their 50-year-old technology from the current threat landscape.

Yes, of course implementing the PCI DSS controls on all forms of data is better than doing nothing, but only barely, and it can never, and will never, represent real security.

Is Verizon Really Blaming Merchants for PCI Violations?

While, on the one hand, few organisations take information security as seriously as they should, to blame merchants for not maintaining PCI compliance is akin to blaming the doctor for your illness. In non-cash payments the fault lies not with the merchant’s lack of security culture, but with the payment card ecosystem itself.

I understand the motivation behind this article, Maintaining PCI Compliance a Showstopper for Many Retailers, but it shows a spectacular lack of understanding of the real issues.

The branded-card payment technology is broken, pure and simple, and so far no-one in the card-payments arena has done much to fix it. Instead, they have all put the onus, and the cost, onto the end merchant, who then has two choices:

  1. Eat the cost
  2. Pass the cost on to their customer

Guess which happens 9 times out of 10?

But why should the merchant be wholly responsible for the protection of the cardholder data? Are credit cards core to their business? They shouldn’t, and no, are the respective answers: payment for goods or services rendered is core, the means by which they receive payment is ancillary, and in that case responsibility for securing the payment type should sit with the payment service provider.

Fifty-odd years ago certain card brands came up with an excellent concept: the payment card. Banks jumped all over it and started providing lines of credit through the medium of plastic, and the concept exploded. Now credit cards are the de facto, and ubiquitous, form of non-cash payment accepted globally.

So ubiquitous, in fact, that few people seem to question the fact that the system is inherently insecure, inefficient, inflexible and massively expensive to maintain. Not for the card brands, mind you, but for everyone else. The only one who cannot recoup the cost is the consumer.

I have no problem paying for the convenience of a non-cash payment mechanism, but as a business owner I DO object to being the only one paying for the security of cardholder data when the technology itself is broken and any innovation away from the current system is stifled until such time as the card brands can catch up. Which they won’t, at the rate they are going.

The card brands clearly want things to continue as they are, as do the issuers and acquirers, for obvious reasons. Banks make money from branded cards by charging both annual fees and interest on lines of credit, so they have no desire to change things. Large retail, which should have enormous power and influence over payments innovation, has, for some reason, completely missed the point. So it’s left to the rest of us to make a difference.

The challenge is that ‘we’ are ignorant and are clearly quite happy to go along with whatever is given to us. If this seems harsh, just look at the above article again. Verizon SHOULD know better than to blame the merchants, but if they don’t, what chance do the rest of us have?

Until such time as the ‘merchants’ learn to ask the right questions, this type of nonsense will continue, and until we, the ‘consumers’, start demanding REAL alternatives, we have no-one but ourselves to blame.

What’s Next For The PCI Security Standards Council?

I don’t think anyone in the payments arena has any doubt that credit/debit cards, in their current form, will die over time in favour of mobile devices. It’s a natural next step to replace something ubiquitous with something even more ubiquitous.

So where does that leave the SSC, and the card schemes themselves for that matter?

You only have to look at Visa Europe’s Visa Vision website to see that they are moving towards mobile (and other innovations), and articles like The Revolution is Here do not even mention EMV; the only reference to plastic is in a future past tense.

It also raises the question of why the card schemes are pushing EMV when they themselves see an end to their reign of plastic. But the answer is obvious: the cost of fraud over the next 5 – 10 years far outweighs the cost of the transition. The US alone saw $7.1B in credit card fraud in 2013 (according to Business Insider), and I have estimated that the cost of EMV transition in the US is ‘only’ $12B (Why the US Will Not Adopt EMV (Chip & PIN), EMV in the US, a 12 BILLION Dollar Mistake).

So why am I so anti-EMV? Because there are technologies NOW that can replace it, that are in more hands and more widely distributed than cards ever were: your mobile phone.

So back to my point: what WILL the card brands and the SSC do once the plastic dies? Clearly the brands have an enormous leg-up on any new player in the cashless game, and have massive amounts of capital to invest in meeting every aspect of this [so-called] disruptive innovation: research on innovation, testing proofs-of-concept, garnering adoption within the finance community and, of course, rolling it out to end users.

Mobile phone companies made a small play, and missed; banks could have done it, and didn’t; and large retail could have had a huge impact, and hasn’t. Probably because in all three cases – even for banks – payments is not a core function. Being PAID is core, making the payment is not, so only the card schemes have payments as their entire reason to be, and therefore the most motivation.

OK, so if we assume that the card schemes are going to make a huge play in every cashless payment innovation from this point forward, where does that leave the SSC? Probably in exactly the same place, with only one change in title: from Payment Card Industry Security Standards Council to Payment Industry Security Standards Council.

Regardless of the form of payment there HAS to be a security standard around the protection of the data. Not that the current standards are anywhere near adequate, even for cardholder data, but the SSC has significant experience adopting and implementing standards globally. From mobile apps, to software PINs, to identity management (for KYC, AML etc.), to crypto-currencies, everyone developing payment technologies must adhere to a minimum set of protective baselines.

So am I really proposing, after so many less-than-positive blogs related to the PCI DSS and the SSC, that they be the standards body for every form of payment globally? Well, no, I’m not, but I think that if they don’t TRY to be just that (with the card brands’ backing), there is nowhere else for them to go.

Despite my voluble criticisms of the card brands and the SSC alike, they ARE well placed to do good. I hope they take the opportunity now, because it won’t come again.
