Feature
News
2/20/2008
05:45 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

PCI And The Circle Of Blame

Who's responsible for the security of credit card data? From retailers to auditors to card brands, the first order of business is self preservation--and that costs all of us.

The PCI Data Security Standard was launched in 2006 by private-sector organizations to improve the security of credit card data. But PCI has instead become a massive butt-covering exercise that extends from retailers to auditors to major credit card brands.

Whether data is any safer remains to be seen. Despite mandating a variety of security mechanisms and regular audits, our investigation shows that the Payment Card Industry Data Security Standard, known as PCI DSS or just PCI, can be manipulated so merchants seem compliant without actually making their data stores more secure. And card brands, which are supposed to be driving compliance, have little incentive to rock this boat.

InformationWeek Reports

The standard, which is mandated by major card brands including Visa, MasterCard, American Express, and JPMorgan Chase, requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and the use of firewalls and antivirus software. Visa has assumed a lead role in driving the compliance initiative, which took on increased urgency after a string of break-ins that resulted in the exposure of hundreds of millions of credit card accounts. The most infamous breaches occurred at discounter TJX, shoe store chain DSW, and credit card processor Card System Solutions.

Unfortunately, the notion of PCI compliance has become abstracted from actual security. Merchants can game the system to become "compliant" without necessarily improving the safety of card data. For instance, only a fraction of retail stores are physically audited, despite the fact that data thieves regularly target store networks and equipment. A PCI expert we spoke with has reviewed several compliance audits and found them wanting. And the PCI Security Standards Council admits that some auditors aren't as rigorous as others.

This isn't to say that card brands and many merchants aren't serious about security. They are. There's broad consensus that the requirements outlined in PCI represent a sound--some would even say remedial--security architecture. But security is expensive and complex, and merchants operate on razor-thin profit margins. PCI creates a financial incentive to seek the least expensive path to compliance.

At the same time, Visa and other card brands have a vested interest in demonstrating the success of the initiative by touting a broad adoption of the standard, which means they may not look too hard at whether PCI is actually making credit card data more secure.

If a compliant merchant is subsequently breached --and more successful attacks are inevitable--the card brands have created enough ambiguity in the system that they can shuffle blame by saying the merchant failed to properly interpret PCI standards ... even if the merchant passed its audits.

Previous
1 of 6
Next
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.