
PCI Is Meaningless, But We Still Need It

The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing.

The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on PCI won't eventually lead to higher awareness. It will just drive you crazy.

Consider this statement from Visa regarding PCI assessments. Assessments "do not guarantee that those security controls remain in place after the review is complete."

In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off. So, PCI wants to enhance the security of payment account data, but it will only validate that enhancement within the limited time period of a review.

I believe PCI was constructed this way for two reasons. First, it absolves the assessors and the card brands of any liability should a compliant company get breached. The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows.

At present, PCI allows Visa and the other card brands to impose their will on merchants and card processors without having to assume any of the risk that the standards they impose have weaknesses or flaws, or that merchants and processors are actually following those standards outside the limited time period of an annual review.

Second, the PCI program lets the card brands demonstrate that they are policing the industry, so as to stave off government regulations.

In effect, the card brands take a paternal approach to data security without actually taking any responsibility the way a parent should.

It's like giving a kid a set of rules, and then leaving the kid alone for a year. You check up on the kid every June. If the house is relatively clean and he's had a bath recently and is consuming something other than Fruit Loops and beer, you pat him on the head and say "Good job. See ya next year!"

Then the house burns down. Child Services shows up and says "Hey, what happened?" You say "Well, we told him not to play with matches. It was in his rule book. Not our fault."

If PCI actually reduces the risk of card data theft, that's a bonus for the card brands, but as far as I can see, it's not a major goal in the construction of the PCI program.

That's why I'm really curious to see how the Heartland mess shakes out. What if data was being stolen at the exact time Trustwave Systems, Heartland's assessor, was signing off on compliance?

One, it would be very embarrassing to Trustwave and PCI. Two, it would demonstrate that even if a company is doing everything it is supposed to, breaches can still happen.

And this is my major beef with PCI. No security program or practice or technology is invulnerable. Smart, well-run organizations can still get whacked by clever or lucky criminals. We understand that stuff happens.

The main goal of a program like PCI should be to reduce risk. But as it's currently constructed and implemented, any risk reduction that occurs is a second-order effect. PCI's primary goal is to cover the butts of the card brands. That's not fair to the organizations compelled to comply with PCI, and it's not fair to consumers.

Unfortunately, we are also faced with lots and lots of organizations that either don't know how to reduce their risk or don't care to. These organizations require third-party impetus to get their heads out of the sand. PCI provides the stick necessary to get organizations moving, and offers a remedial framework upon which they can build.

So until and unless something better comes along, we're stuck with PCI.
