PCI Chiefs Defend Standard(s), Plans
It's a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it's hard to argue with PCI Security Standards Council General Manager Bob Russo's assertion that when it comes to improving electronic data security and related matters of individual privacy, "something is much better than nothing."
Since the massive, potentially record-breaking security breach at Heartland Data Systems in late January, the Payment Card Industry Security Standards Council and its DSS (Data Security Standard) have been put under a microscope and criticized for foisting on companies an impractical IT security mandate that detractors say does not actually meet its goal of making it harder for companies that handle credit and debit card data to be fleeced similarly to Heartland.
Some highly respected security researchers and practitioners have come out since the Heartland robbery and questioned the viability of the entire DSS effort, perceived as being out of touch with real-world IT environments and insufficient to help organizations avoid exploitation. A handful have gone as far as saying it actually makes the process even harder.
And after all, here's a Tier 1 company that's likely had to push to abide by the technological and process-oriented stipulations required under the PCI Standard as much and as long as any other, and it just got positively hammered.
However, visiting Boston on a media tour organized to share some new elements of the PCI Council's larger plans the week of Feb. 23, Russo and new PCI Security Standards Council Chairman Lib de Veyra -- an executive at and appointee of JCB International Credit Card -- made a lot of credible points. Mostly, because they firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.
Not to be misinterpreted, the PCI Council is satisfied with what it's put in place thus far, given the challenge at hand, Russo and de Veyra said.
The parts of DSS that need to be tweaked to address the vast diversity of infrastructure and applications employed by all the retailers, merchants and processors, as well as all the techniques utilized by attackers, will be addressed by taking feedback directly from the very companies that must comply with the standard, the PCI Council representatives said. (And truthfully that has been at the very least a consistent message of the organization all along.)
A number of powerful banking, retail, technology and government players are also involved in the PCI Advisory Board.
And the Heartland incident, as well as those reported at other companies that have been at some time certified as PCI compliant, including TJX Companies and Hannaford Brothers, in no way proves that the standard is clearly lacking in some specific area, they said.
The PCI leaders said in addition to having not yet shared specific details with the Council of exactly how they were individually victimized by fraudsters, the fact that these companies were at one time judged to be in conformity with DSS in no way guarantees that they were at the time they were attacked.
"Just because a company gets a clean bill of health today doesn't mean they can't be infected tomorrow," de Veyra said. "Organizations are making configuration changes and broadening adoption of technologies like wireless all the time; the guidelines in DSS are something that you have to continue to monitor and maintain all the time."
And many of the Council's initiatives, including plans to launch two new standards aimed at improving embedded security features, or "host security modules," built into card data transaction processing hardware, and regulations for UPTs (unattended payment terminals) such as gas pumps and ticketing kiosks, will help push the entire industrywide process forward, they said.
The PCI Security Standards Council will also continue to push DSS overseas, in Europe and APAC specifically, where the guideline has faced some resistance from card handlers. But the effort launched by the world's largest card companies -- American Express, Discover, JCB, MasterCard and VISA - remains undaunted in its pursuit, PCI's chief spokespeople said.
"Addressing the criticism comes down to communication; once we have enough information from companies like Heartland to truly examine what happened, we can understand how it relates to DSS," de Veyra said. "And working with all the companies on our Advisory Board, meeting with them and incorporating their feedback over time, will be the most important aspect of maturing the standards."
Another new element of DSS will be a technological tool, a sort of stripped-down PCI diagnostic application provided by the Council to offer organizations still getting started with the standard a more "prioritized approach to DSS."
The Prioritized Approach tool will help companies track their ability to meet basic milestones of achieving compliance with DSS, the representatives said. The first three steps -- preventing the improper storage of electronic data, securing the network perimeter and securing applications -- have obviously been proven hard to accomplish for many organizations, and some might argue most or even all.
But most importantly, the idea is to promote gradual coalescence of a world where every company affected by the PCI mandate has at least greatly augmented and formalized its approach to, if not its execution of, securing electronic data, the leaders said.
"No standard is ever going to completely stop what we're seeing right now with cyber-crime, but the reaction we've seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don't even know if they were compliant," Russo said.
In terms of whether incidents like the breaches at Heartland, TJX and Hannaford Brothers have damaged public perceptions of DSS, the industry veteran said, as in any case, there is no shortage of opinions.
"You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn't working," Russo said. "But what you don't know at the same time is, If we didn't have DSS as it stands in place, how many more of these incidents might we have had?"
I'm sure that there are valid criticisms of various aspects of PCI -- some very smart people have spent time voicing their questions already.
But, I'm curious to know whether they'd agree at the end of the day that something is better than nothing.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.