PCI: The Toothless Security Effort
Written by Evan SchumanMasterCard’s confirmation this week that TJX had not complied with PCI rules at the time of its huge data breach is setting up yawns throughout retail. Nowhere is there better evidence of the lackluster way PCI is trying to improve retail security.
Earlier this week, MasterCard officially (well, sort of officially) confirmed that retail chain TJX was not in compliance with PCI rules at the time of the $16 billion retailer’s infamous January disclosure of a massive data breach.
The significance of this news is not the fact that TJX was not complying with the rules themselves. As former federal prosecutor Mark Rasch said: “It’s hardly surprising that they weren’t PCI-compliant. That’s from the Department of Obviousness.”
Nor is it newsworthy that MasterCard opted to confirm the chain’s PCI-less state, although it is interesting. It might be a hint of the level of anger that many in the industry feel about the way TJX has been handling their crisis, coupled with a generous dose of CYA. In any other situation, it’s truly hard to envision the normally media-shy MasterCard going out of its way to publicly confirm that a retailer was not compliant. Officially, it merely confirmed that TJX’s U.S. credit card transaction processor (technically: acquirer)?Cincinnati, Ohio-based Fifth Third Processing Solutions?had reported to MasterCard was TJX wasn’t PCI compliant.
No, the true newsworthy aspect of this news is how it illustrates the irrelevance of PCI today, when it comes to retail security. To say that PCI has achieved a toothless reputation today is being generous. It’s akin to those homepage declarations that a site has been certified as safe. It only provides comfort to those who don’t think about it very much. PCI has become a Santa Claus entity: it only works for those who really want to believe and who are willing to conveniently ignore any facts that disprove it.
PCI certainly doesn’t have to be toothless. It has provisions for serious financial penalties and for even banning a merchant from accepting credit and/or debit cards. But for it to taken seriously, the credit card industry and retail industry must undergo a radical attitude conversion. Is MasterCard’s comments the first indication of someone trying? A tentative, toe-in-the-water half-hearted try perhaps, but a try nonetheless.
The industry must not only use those fines and penalties but they must do so publicly. Very publicly. We’re talking about a news conference every time a fine is issued and they need to be issued every week. Those announcements must be explicit and specific, detailing for the world what the retailer did?or failed to do?and why. For some retailers, the humiliation and embarrassment associated with such a disclosure might be worse than the penalties and that’s a good thing.
Retailers need a cost-benefit analysis that makes it worthwhile to heavily invest in security. They must constantly see what happens to companies that fail to comply and it’s critical that they must fear those consequences. Today, few retailers have that fear. Is the threat of rescinding a retailer’s ability to accept credit/debit cards a true deterrent if no retailer believes it will ever happen?
The next step is taking a much more strict position with PCI-compliance audits. The fact that the auditors in questions are paid by?and are given instructions by?the retailers being audited is the most textbook conflict-of-interest I’ve seen in quite some time. Why not have the auditors working for the credit card companies or the banks? Why not give the auditors the ability to explore any and all systems, as opposed to just the ones the retailer wants examined? The rules were written assuming that retailers would want to know what was really going on. But what if some key managers with that retailer were deliberately retaining forbidden data, perhaps for a CRM project? Is that Auditor Fox guarding the Retail Chickens?
When the retail and banking industries want to take security seriously, they already have the tools to do so. Until then, please forgive us if we’re yawning at a multi-year-in-the-making data breach (which wasn’t discovered for years). It’s hard to get worked up about a retailer not taking seriously something that the banking and credit firms don’t care about, either.
-Marc
March 12th, 2007 at 3:37 pm
PCI has teeth. It just turns out, they’re dentures, and VISA’s taken them out and lost them under the couch cushions or somewhere.
The article is spot-on regarding PCI’s issues. I think it is interesting that Mastercard was the one to announce that TJX was not in compliance, as VISA created PCI and is the most vocal about anything related to it. Mastercard used to have their own data security requirements, called SDP (Site Data Protection), but VISA was the one to really figure out what needed to be done, do it, and pull everyone else together on it (Amex, Discover, Mastercard). PCI is touted as an industry standard, supported by all the card associations, but it is still very much VISA backing it up, enforcing it and providing new content for the specific requirements.
I can say that OCC audits, carried out by government-employed auditors, are VERY effective.
The good news is that the foundation is there, and it is strong. If you follow the PCI requirements (which anyone can grab here: https://www.pcisecuritystandards.org/tech/), you won’t be unhackable, but you will be very secure — more secure than the average corporation. That is step one. Step two is enforcing it. VISA does enforce the requirements, but I agree if they don’t do so publicly, how is the average consumer supposed to know if PCI is working or not? Technically, VISA and Mastercard aren’t required to announce when someone has been fined, but VISA does maintain this: http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf. If a service provider doesn’t pass PCI, their name comes off this list (in addition to fines, etc…). However, TJX isn’t a service provider, and I don’t know of a list that would show a Merchant’s PCI status.
Personally, I think anyone’s (merchant, service provider, bank) PCI status should be public information, like a restaurant’s health code score. It is as much the consumer’s right to know their health risk as it is to know their financial equivalent as well.