05:45 PM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

PCI And The Circle Of Blame

Who's responsible for the security of credit card data? From retailers to auditors to card brands, the first order of business is self preservation--and that costs all of us.

The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.

Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.

InformationWeek Reports

The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.

Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.

This isn't to say that card brands and many merchants aren't serious about security. They are. There's broad consensus that the requirements outlined in PCI represent a sound--some would even say remedial--security architecture. But security is expensive and complex, and merchants operate on razor-thin profit margins. PCI creates a financial incentive to seek the least expensive path to compliance.

At the same time, Visa and other card brands have a vested interest in demonstrating the success of the initiative by touting a broad adoption of the standard, which means they may not look too hard at whether PCI is actually making credit card data more secure.

If a compliant merchant is subsequently breached --and more successful attacks are inevitable--the card brands have created enough ambiguity in the system that they can shuffle blame by saying the merchant failed to properly interpret PCI standards ... even if the merchant passed its audits.

1 of 6
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.