Software // Information Management
Commentary
1/22/2009
11:46 AM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

PCI Is Meaningless, But We Still Need It

The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing.

The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing.The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on PCI won't eventually lead to higher awareness. It will just drive you crazy.

Consider this statement from Visa regarding PCI assessments. Assessments "do not guarantee that those security controls remain in place after the review is complete."

In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off. So, PCI wants to enhance the security of payment account data, but it will only validate that enhancement within the limited time period of a review.

I believe PCI was constructed this way for two reasons. First, it absolves the assessors and the card brands of any liability should a compliant company get breached. The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows.

At present, PCI allows Visa and the other card brands to impose their will on merchants and card processors without having to assume any of the risk that the standards they impose have weaknesses or flaws, or that merchants and processors are actually following those standards outside the limited time period of an annual review.

Second, the PCI program lets the card brands demonstrate that they are policing the industry, so as to stave off government regulations.

In effect, the card brands take a paternal approach to data security without actually taking any responsibility the way a parent should.

It's like giving a kid a set of rules, and then leaving the kid alone for a year. You check up on the kid every June. If the house is relatively clean and he's had a bath recently and is consuming something other than Fruit Loops and beer, you pat him on the head and say "Good job. See ya next year!"

Then the house burns down. Child Services shows up and says "Hey, what happened?" You say "Well, we told him not to play with matches. It was in his rule book. Not our fault."

If PCI actually reduces the risk of card data theft, that's a bonus for the card brands, but as far as I can see, it's not a major goal in the construction of the PCI program.

That's why I'm really curious to see how the Heartland mess shakes out. What if data was being stolen at the exact time Trustwave Systems, Heartland's assessor, was signing off on compliance?

One, it would be very embarrassing to Trustwave and PCI. Two, it demonstrates that even if a company is doing everything it is supposed to, breaches can still happen.

And this is my major beef with PCI. No security program or practice or technology is invulnerable. Smart, well-run organizations can still get whacked by clever or lucky criminals. We understand that stuff happens.

The main goal of a program like PCI should be to reduce risk. But as it's currently constructed and implemented, any risk reduction that occurs is a second-order effect. PCI's primary goal is to cover the butts of the card brands. That's not fair to the organizations compelled to comply with PCI, and it's not fair to consumers.

Unfortunately, we also are faced with lots and lots of organizations that either don't know how to reduce their risk or don't care to. These organizations require third-party impetus to get their heads out of the sand. PCI provides the stick necessary to get organizations moving, and offers a remedial framework upon which they can build.

So until and unless something better comes along, we're stuck with PCI.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.