February 8, 2010 4:00 AM PST

PCI compliance: What it is and why it matters (Q&A)

by Elinor Mills

Bob Russo, general manager of the PCI Security Standards Council.

(Credit: PCI Security Standards Council)

If you own a bank account or use credit cards, chances are you've heard the term "PCI compliant." But you probably don't know what it means.

The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.

It's a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.

CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.

Q: So, what does the PCI Security Standards Council do?
Russo: The council was formed in September 2006 by the five major credit card brands: Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each of the brands has its own compliance program, and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer, and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.

What is the standard exactly?
Russo: It's the PCI, which stands for Payment Card Industry, data security standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It's more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That's the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.

The second standard is PADSS, Payment Application Data Security Standard. These are for payment applications a merchant would buy off the shelf. For example, if you went to a restaurant and you ordered your meal and the waiter used a touch-screen terminal, that puts the order in the kitchen and it's tied to an ordering database. The application also takes the credit card at the end of the meal. We make sure these applications aren't storing prohibitive data, such as data on the magnetic strip on the card. If they stored that data and someone got a hold of it then they would be able to clone credit cards. There are literally thousands of applications out there and when it's compliant with the standard it gets listed on our Web site.
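The PA-DSS point in this answer, that a payment application must not keep full magnetic-stripe data after authorization, is something a merchant or an assessor can check mechanically against what the application actually writes to disk. The following is an added example, not code from the Council or from any listed payment application: a small Python scanner that looks for Track 1 and Track 2 formatted data (the ISO/IEC 7813 layouts) in stored records and uses the Luhn check to keep random digit runs from triggering it. The sample records, the PANs and the field names are constructed for the example.

```python
import re

# Constructed sample records, standing in for rows a POS application might
# write to its order database or a debug log. Only the last two hold
# full-track data, which PA-DSS forbids storing after authorization.
SAMPLE_RECORDS = [
    "order=1042 pan_last4=1111 exp=12/25 amount=42.10",
    "ref=1234567890123456 amount=12.50 status=approved",
    "debug: swipe=;4111111111111111=25121011234567890?",
    "debug: swipe=%B5500000000000004^DOE/JOHN^25121011234567890?",
]

# Track 1 (ISO/IEC 7813): '%B', PAN, '^', cardholder name, '^', YYMM expiry, ...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
# Track 2: PAN, '=' separator, YYMM expiry, service code, discretionary data.
# The lookbehind keeps the match from starting in the middle of a digit run.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=\d{4}\d")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; cuts false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list:
    """Return hits as dicts: track number, last four of the PAN, byte offset."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan):
                hits.append({"track": track, "pan_last4": pan[-4:], "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def audit_records(records) -> list:
    """Scan every record; return (record_index, track, pan_last4) per finding."""
    findings = []
    for idx, rec in enumerate(records):
        for h in find_track_data(rec):
            findings.append((idx, h["track"], h["pan_last4"]))
    return findings


if __name__ == "__main__":
    for idx, track, last4 in audit_records(SAMPLE_RECORDS):
        print(f"record {idx}: full Track {track} data present (PAN ending {last4})")
```

Run against database dumps, debug logs and crash files, this kind of check answers the question Russo raises: whether the application is retaining data it was only ever supposed to pass through. The masked record (last four digits only) and the 16-digit order reference in the sample do not trigger it.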

"We have seen no evidence that if someone were compliant that they would have been breached. The standard is working. You only read about the one or two or four big breaches that happen. You don't hear about the thousands of merchants who aren't getting breached because they are compliant."
--Bob Russo, general manager, PCI Security Standards Council

The last piece we manage is called PTS, PIN Transaction System. Anytime you enter a PIN number, for example, this standard would take effect. It looks at those PIN entry devices so when you go to a large department store and you buy something and you use a debit card they'll hand you a PIN pad and you key in your number. We certify those devices as well as unattended payment terminals, such as those used at gas station [islands], ticket kiosks, and transit systems, like the Boston underground.

There have been a number of big data breaches lately. Were the companies PCI compliant or not in those cases?
Russo: It's been our experience that none of the breaches that occurred have been compliant at the time of the breach. Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance. If there are new patches to come out for the operating system you have to install those. One piece we ask for is that you turn the logging on. Forensics find all the information in the logs so we insist you turn the logging on. Except, if nobody ever looks at these logs and they're sending out alerts, what good is it? It's up to the merchant to make sure they stay in compliance and that they are secure. For each of those [big public] breaches credit card companies looked at the logs [and found] that none of them was compliant at the time of the breach.

But I thought Heartland executives said they were compliant.
Russo: They had that piece of paper that said they were compliant but they weren't. What happened at Heartland was a SQL injection attack [in which an attacker injects commands to a back end database using input fields on a Web site]. That's an old exploit and there are myriad ways to prevent that outlined in the standards. As it turns out they were not compliant at the time of the breach. [Heartland CEO Robert Carr eventually disclosed that the assessors had incorrectly informed the company that it was PCI compliant.]
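For readers who want to see what "myriad ways to prevent" SQL injection looks like at the code level, here is an added example (not Heartland's code and not text from the standard): the same lookup written the vulnerable way, with the caller's input spliced into the SQL string, beside the parameterized form that the standard's secure-development requirements point developers at. It uses Python's built-in sqlite3 module; the table, rows and inputs are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; no real merchant data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, contact TEXT)")
    conn.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [(1, "alice-cafe", "alice@example.com"),
         (2, "bob-books", "bob@example.com"),
         (3, "carol-cars", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The 'before' form: the caller's string is pasted into the SQL text, so a
    # quote character in the input ends the literal and whatever follows is
    # parsed as SQL. This is the defect the standard's secure-coding rules target.
    sql = "SELECT id, name FROM merchants WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the statement is compiled with a placeholder and the
    # value is bound afterwards, so the input can never change the query's
    # structure; a quote in the input is just a character to compare against.
    sql = "SELECT id, name FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Row counts each form returns for the same input."""
    conn = make_db()
    return {"vulnerable": len(lookup_vulnerable(conn, name)),
            "safe": len(lookup_safe(conn, name))}


if __name__ == "__main__":
    print(compare("bob-books"))      # both forms find the one matching row
    print(compare("x' OR '1'='1"))   # vulnerable form returns every row, safe form none
```

The second call is the point: the parameterized version treats the whole string as a merchant name and finds nothing, while the string-built version has its WHERE clause rewritten and hands back the entire table. The same defect also makes the vulnerable form fail on perfectly legitimate input containing an apostrophe, which is often how it is first noticed.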

But even if the merchant is PCI compliant that doesn't necessarily mean the shop is secure, right?
Russo: Exactly. That's why we say it's about security not compliance.

If that's the case, shouldn't the standard be improved so it is more effective?
Russo: That wasn't the case here. We have seen no evidence that if someone were compliant that they would have been breached. The standard is working. You only read about the one or two or four big breaches that happen. You don't hear about the thousands of merchants who aren't getting breached because they are compliant.

If a merchant is found to be not PCI compliant, what are the consequences?
Russo: Ninety percent of consumers don't understand the difference between credit card fraud and identity theft. If they hear that their credit card has been stolen, like at Heartland or TJX, many of them believe their identity is at risk. If that's the case many of your customers won't shop with you anymore because they are afraid you are not protecting their data and someone is going to steal their identity. That's the worst thing that can happen. The biggest problem would be if your customers walk away. There are reputational damages they have to deal with, which nine times out of 10 cannot be measured in terms of dollars.

There are also fines levied by card brands. There are lawsuits coming out of the woodwork when something like this happens, like shareholder lawsuits and class action customer lawsuits. They are paying to issuing banks for reissuing cards. And the government might now get involved. They're looking to find if stolen credit card information is being used to finance terrorism. You've got myriad people on your back if you suffer a breach. You may have FTC involved, and they require 20 years of audits. Every other year you would have to go through a complete audit. It's very expensive to suffer a breach. It's much better to be compliant and secure and not have to worry about this.

How much are the fines?
Russo: The brands set those; we're not responsible for the fines. We just set the standards and they are enforced by the brands and the federal agencies.

What part of the standard is mandatory and what is voluntary?
Russo: It's all mandatory. Nothing is voluntary. The rule is if you store, process, or transmit credit card data you must be compliant with the PCI standards. And that's a global rule.

"Consumers need to take a little bit of responsibility now. You can watch your credit card activity online. I can watch all my credit cards online to see what I'm spending, and what my wife and my kids are spending. You really should be monitoring your credit card statements."
--Bob Russo, general manager, PCI Security Standards Council

What can consumers do to protect themselves?
Russo: Consumers need to take a little bit of responsibility now. You can watch your credit card activity online. I can watch all my credit cards online to see what I'm spending, and what my wife and my kids are spending. You really should be monitoring your credit card statements. If you have to, do it when the statement comes in the mail. If you do it online you can do it more often and set up alerts via email. Consumers by and large don't have a lot of liability when it comes to credit cards. A lot of credit cards are zero-liability. You just call the company and say this was not my charge and they won't hold you responsible for it.

Debit cards are treated differently than credit cards, right?
Russo: Debit cards are somewhat different. With a debit card you're actually using your own money coming out of your own checking account. The liability will vary depending on the card and the bank.

What are the biggest challenges for the industry?
Russo: Education is a big issue. Some of the smaller merchants that just come into the business don't really know what their responsibilities are with regard to handling credit cards.

Why do entire databases continue to get stolen?
Russo: All the information is contained in the logs so alerts are being set off to let you know something is going on, and if you're not looking at the logs on a regular basis somebody could be in there for weeks or even months stealing this data and you're not aware of it. There was a big merchant that got breached but they caught it immediately in their logs and they only lost four or five credit cards. So they did suffer a breach, but it was contained to only a few cards.
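Russo's point here, and in his earlier answer about turning logging on, is that the evidence is usually in the logs and nobody reads them. As an added example that is not part of the interview or of any PCI document, the Python below runs three simple review rules over constructed database-audit lines: repeated authentication failures from one source inside a short window, a query against a cardholder table from a host not on an (assumed) allowlist, and an unusually large read from such a table. The log format, hostnames, thresholds and table names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2010-02-01T02:13:05 db01 auth_failure user=svc_pos src=10.8.4.21
2010-02-01T02:13:09 db01 auth_failure user=svc_pos src=10.8.4.21
2010-02-01T02:13:14 db01 auth_failure user=svc_pos src=10.8.4.21
2010-02-01T02:13:20 db01 auth_failure user=svc_pos src=10.8.4.21
2010-02-01T02:13:27 db01 auth_failure user=svc_pos src=10.8.4.21
2010-02-01T02:13:31 db01 auth_success user=svc_pos src=10.8.4.21
2010-02-01T02:14:02 db01 query user=svc_pos src=10.8.4.21 table=card_vault rows=250000
2010-02-01T09:30:11 db01 auth_success user=report src=10.1.1.5
2010-02-01T09:30:40 db01 query user=report src=10.1.1.5 table=card_vault rows=40
"""

CARDHOLDER_TABLES = {"card_vault"}      # tables holding cardholder data (assumed)
ALLOWED_SOURCES = {"10.1.1.5"}          # hosts expected to read those tables (assumed)
FAIL_THRESHOLD = 5                      # failures from one (user, src) pair ...
FAIL_WINDOW = timedelta(minutes=5)      # ... within this window raise an alert
BULK_ROWS = 10000                       # reads at or above this size are flagged


def parse_line(line: str) -> dict:
    """Split 'timestamp host event k=v k=v ...' into a record dict."""
    ts, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def review(log_text: str) -> list:
    """Return (rule, user, src) for every rule that fires, in log order."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "auth_failure":
            window = failures[(rec["user"], rec["src"])]
            window.append(rec["ts"])
            # keep only failures still inside the sliding window
            window[:] = [t for t in window if rec["ts"] - t <= FAIL_WINDOW]
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("repeated_auth_failure", rec["user"], rec["src"]))
        elif rec["event"] == "query" and rec.get("table") in CARDHOLDER_TABLES:
            if rec["src"] not in ALLOWED_SOURCES:
                alerts.append(("unexpected_source", rec["user"], rec["src"]))
            if int(rec.get("rows", 0)) >= BULK_ROWS:
                alerts.append(("bulk_read", rec["user"], rec["src"]))
    return alerts


if __name__ == "__main__":
    for rule, user, src in review(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} src={src}")
```

On the sample, the five failures at 02:13 raise the first alert, the 250,000-row read from the same unexpected host raises two more, and the small daytime report query from the allowed host raises none. The rules are deliberately plain; the value is in someone actually looking at what they produce, which is the gap Russo describes.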

Is that the biggest problem? Ignoring the logs?
Russo: That's one of the things they're doing. In one case mentioned earlier, if they were compliant there would have been no way for somebody to get in and get that data.

So it's a matter of failing to follow standard security policies?
Russo: Yes. They're not following basic security practices.

With the rise of credit card attacks being harvested via browsers, will PCI ever get into the business of certifying that the browser is secure? If you can certify what it takes to secure a Web site, why not the browser?
Russo: We're concerned about where credit card data is being collected and stored, not so much how you can get to see it. My browser does not need to be secure; the server holding the data does [for PCI compliance purposes].

If someone suspects a vendor is violating PCI requirements, how can that be reported?
Russo: Consumers can call the toll-free number on the back of their credit card.

What is your ultimate take-away message for readers?
Russo: Ultimately they need to make sure the merchants they're dealing with are PCI compliant. And if you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away. And that's going to be the downfall of your business.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Comments (19)
by pjk0 February 8, 2010 4:47 AM PST
It's a shame that so many of these industry associations are toothless in the sense that they are not inclined to publicly identify or sanction merchants who fail to live up to basic security due diligence.

TrustE is a good example: much like the BBB, it's a "feel good" program that is designed to assuage the fears of consumers, with little or no teeth when it comes to sanctioning bad merchants, and the seal itself doesn't prove much of anything.

I would feel better about this organization if they had an army of compliance officers that certified compliance, provided a seal of compliance that was required to be publicly displayed to customers, which would be taken away upon discovering non-compliance.

As it is, these sorts of organizations are almost never inclined to bite the hand that feeds them.
by Marcus Westrup February 8, 2010 7:17 AM PST
In this case, there are very big teeth.
Any business that deals with PCI must follow these rules or be banned from using cards, and will face huge fines if a security breach occurs.
Unlike small government departments with few resources, the PCI members include banks and credit card companies, with lots of money and lawyers to go after anyone who does not comply. And there IS a growing army of officers ready to enforce these rules - it's one of the hot security jobs right now.
by mbenedict February 8, 2010 5:08 AM PST
PCI compliance is meaningless.

A huge problem with the industry are the so-called QSAs (Qualified Security Assessors) which perform PCI audits. Companies literally "shop around" for the cheapest, most lenient QSAs so they can "pass" their audits. Many QSAs are simply incompetent, while others take on projects far larger & more complicated than they have resources for.

The end result is you have tons of "PCI compliant" shops with very weak security.

Saying Heartland wasn't compliant because they "weren't reading logs" is a cop out. Saying that PCI audits are just good for "point in time" is laughable. If Heartland didn't have a solid security program which includes periodic log reviews -- and if they weren't able to prove they had a *continuous* compliance program in place -- then they should not have been granted PCI compliance to begin with.

I.e., if Heartland weren't reading their security logs, why didn't their auditor catch this huge problems? I believe Trustwave was Heartland's QSA.

And don't get me started on the ASV program (the people who are supposed to do PCI security scanning)... the whole ASV industry is a sad joke.
by topanaris February 8, 2010 6:19 AM PST
It's obvious you do not work in a PCI compliant environment or have not read the article in its entirety. PCI compliance is a moving standard; compliance today does not mean compliance tomorrow. If your organisation has been breached, PCI compliance itself isn't the root cause; it's YOUR security practices or lack thereof.
by mbenedict February 8, 2010 3:21 PM PST
Sorry topanaris but that's a load of BS.

Look at Hannaford, which was breached just ONE DAY after passing their PCI audit. Turned out Hannaford was infested with malware which were logging unencrypted track data from POS devices. Something like 300 (!) of Hannaford's systems were compromised and yet they received a PCI pass!

PCI backers say that this not a problem at all because PCI audits are "point of time". The fact that Hannaford was hacked a day later isn't PCI's problem. The fact that Hannaford systems were compromised DURING THE AUDIT PERIOD isn't PCI's problem. What a joke!! If so then PCI DSS is worthless.

It's circular logic. People like you say Hannaford's breach was due to their "lack of" security practices. Yet if Hannaford's security practices were so terrible, why did their QSA give them a PCI pass just a day before??? Answer that!

Let's face it. PCI today is just checkbox compliance. It has NOTHING to do with security. PCI is there so when a breach happens people can cover their behinds, saying "well yeah we're PCI compliant, and by the way sorry about that 130 million credit card numbers which got stolen".

I'm not a QSA but I am a certified IS auditor, and I have evaluated clients against the PCI DSS standards. I note many QSA auditors do NOT have any recognized auditing credentials.
by MannycanNable February 24, 2010 2:47 PM PST
Wow, I just went to a city right next to my hometown and Heartland has about half of the merchants there.
by kimhuff1701 May 7, 2010 5:39 PM PDT
I have to agree. At my job we have two different types of credit card processing and I have never been asked about this PCI Compliance. Yet, for another organization I belong to... I have never received a request for this PCI. I can't help but wonder if this is just a ploy for the cc to make money. We were told that if we filled out some form we wouldn't be charged again in the future... but we were!
by llungster February 8, 2010 6:18 AM PST
When asked "If that's the case, shouldn't the standard be improved so it is more effective?" , Russo never answered the question. After all, making a change would be admitting that the standard was ineffective and they don't want liability exposure. Notice how the crux of the interview is about the responsibility of the merchant and consumer and not of the credit card issuers and banks. It's easy to push responsibility onto others and the CC industry has been doing that to the merchants for years. They just want to collect their percentages.

Large merchants do have IT departments and should be better prepared and read logs; but small merchants? No way! And consumers are totally at the mercy of everyone else. The best we can do is find out there's a problem a month or more later when it shows up on our statements - that's reactionary and too late; it's not preventative. And to expect consumers to monitor their CC card transactions online is nuts. Are we supposed to track that 24x7?

Lastly, consumers actually do care about identity fraud, which Russo seems to ignore. That's because fraudulent CC transactions have liability caps so the banks eat the cost (so they care about this) but identity fraud is a consumer problem so the banks don't care as much.
by cryofpaine February 8, 2010 10:08 AM PST
The responsibility lies with everyone, from the multi-national corporations to the mom & pop store on the corner in podunkville. The credit card industry isn't pushing responsibility on the merchants, it's holding the merchants responsible because they are the weak link in the chain.

Are you saying that if a merchant is small enough, they don't have to be responsible with your card data? They can have your credit card number sitting in a text document on their laptop that they leave sitting on the table at the coffee shop while they run into the bathroom? PCI may not be a perfect system, but what it does do is provide a way to hold everyone accountable. If you can't afford to do the job properly, you shouldn't do it at all. It's no different than the health department holding that local diner to the same standard as the global franchise or the 5 star gourmet restaurant. If the building you live in were to collapse because the builder used substandard materials or burn down because of faulty wiring or flood because of poor plumbing, are you really going to say "It's ok, they couldn't afford to use the right materials"?

You complain about the CC industry passing off responsibility to merchants, but in your very next statement, you do the same thing. You say that you don't have a responsibility to know how your card is being used. The fact is, you aren't totally at the mercy of everyone else. Know who you are giving your card to. Watch your statements, that's what they are there for. You don't have to track it 24/7, but some people never even look at their monthly statements.

As for identity fraud, he's not saying that consumers don't care about identity fraud, he's saying that that isn't their domain. Identity fraud is when someone has enough information to pretend to be you - things like social security numbers, drivers license, personal information, etc. Visa/MasterCard/etc. - they don't have that information. You don't have to give out your social security number to make a purchase. A merchant doesn't have to take your drivers license number to run your card. The only information that gets passed between merchant and processor is your card data, so that's the data that PCI is designed to protect. And having your card data doesn't allow someone to steal your identity, it only allows them to use your credit card.
by llungster February 8, 2010 11:22 AM PST
Cryofpaine:

Sure, everyone has some level of responsibility. If I neglect to look at my statements and a year later wonder why I have a year's worth of fraudulent charges, shame on me. But my point is that the statements made in the article/interview highlights the burden of the merchant and consumer that is, IMHO, not realistic. Let's start with the consumer. Just how often am I supposed to check my online account? Every month? every day? every hour? What level of scrutiny is enough? Why isn't there better security in place such that I don't have to be the policeman for my own card? (the answer is always about cost of implementation). As for small merchants, yes they sure are responsible for making sure they practice safe-cc-transactions. But they are not computer operators and to expect them to be IT gurus is not realistic. Those who have outsourced CC processing (such as a web site processing CC orders) would rely on that 3rd party for whatever scrutiny is needed to view logs. If the notion is confusing to you, you have never been a small business person. The last thing they need to do is be an IT person reading logs. I am not in any way saying that certain people do not have responsibilities while others do. What I am saying is that the responsibility needs to be reasonable. If they are not, it's effectively pointless.
by cryofpaine February 8, 2010 4:03 PM PST
How often you check your statement is determined by how comfortable you are checking your statement. If you are someone that buys once every few months at Amazon, and that's all the online shopping you do, then once a month is plenty. If you're someone that buys from Zhongguo's Pir...I mean "Discount" DVD's, then you might want to check once a day or more.

As for your point about a small merchant, I don't care if it's a multi-national company with an IT staff larger than some countries or if it's one person running out of their parents' basement. If you are handling credit card information then you follow the rules. There is no excuse. If you can't do it yourself, then you outsource it to someone who can.

Would you go to a doctor that runs their surgical room in a rat infested warehouse? Someone that has spilled food and garbage strewn over the floor because they're not trained in janitorial services and can't afford to hire a cleaning crew? You can, but you're taking a risk. The same applies here.

If you want to process credit cards on your own, you have to do it in a safe and secure manner. If you don't, then you better be prepared to pay the consequences when something goes wrong. Hackers aren't dumb; they know that while the Heartlands and TJMaxxes are big scores, they're also harder to get into and draw more publicity (and thus, more investigation, faster cancellation of cards, and more risk overall). It makes more sense for them to target these small businesses precisely because of this attitude that "I'm too small to worry about this stuff."
by Lerianis4 February 8, 2010 9:22 AM PST
The biggest thing that would keep private data out of the hands of ne'er-do-wells would be to block the whole of China and Russia, unless these companies were doing business with them, and/or keep their China and Russian operations and networks totally SEPARATE from their regular networks.
by fgsdfgdsfgdsfg February 8, 2010 11:49 AM PST
I happen to agree with this comment in part. As an IT manager I do employ blocking all non-U.S. IP addresses at our firewall. Period. We don't do business over there and there is no reason anyone in any country outside of the U.S. should need access to our systems.
Having said that, it is only a piece of the whole security pie. However, the logs I review do show that 90% or more of the attack attempts we see do come from outside the United States. Blocking those by source IP address has reduced our attack surface in my opinion.
I realize there are ways around it such as proxy sites and the like. However it has done a great deal to make us more secure, I feel.
by LB-ID February 8, 2010 11:11 AM PST
I looked through the article, but didn't see this...is there an easily-recognizable way to tell if a business has been certified PCI-compliant or not? So for instance if I walk into a local store, can I see a big PCI certification hanging on the wall?
by weegg February 8, 2010 1:45 PM PST
The client side is so easily spoofed to the server I just don't see this as a complete solution. Maybe on the server side this is a step in the right direction, however, the usage of cards with digital information on the client side is the weak link in the system. The only way I see eliminating the client side fraud is the use of biometrics (eye scan, fingerprint, dna, etc.) that tie directly to the user that the card is legit.
by ISecure24 February 9, 2010 11:35 AM PST
It seems like PCI and the data security standards are compensating for the lack of security in the outmoded U.S. payments platform and passing the security responsibility to the merchants. Rather than issue cards with Chip & PIN like Canada, the UK and most of Europe, which eliminates much of the threat to merchants for protecting magnetic stripe data, the banks have chosen to try to make all merchants build thicker walls around the data. If merchants and banks got together, perhaps they could agree on a clear direction for the future of payments in the U.S. using the EMV standards that exist everywhere but in the U.S. (including our neighbors Canada and Mexico). Then the money spent by the brands to create the PCI standards and maintain them and the money spent by merchants chasing the elusive goal of a secure payments network could be channeled into something that actually works at preventing fraud: EMV chip cards and POS terminals to accept them. Get rid of the mag stripe and stop the endless waste of valuable resources on both sides.
by TaherElgamal March 10, 2010 9:38 AM PST
A video blog post commenting on this Q&A: http://axway.wordpress.com/2010/03/10/its-not-enough-to-be-compliant/
by August 19, 2010 6:21 PM PDT
PCI Compliance is just a reminder for a certain Company to follow some standards. It has nothing to do with Security. They were just created to let people know that they are secured, but in reality, it isn't. They just simply give you the standards. It's up to the Company on how they implement security until PCI Comp. acknowledges it.

PCI Comp. is just a checklist guys. Please bear that in your mind. They will not give recommendations nor patches nor modify your security system.

Just my thought on this. I'm not an IT expert but I sure do know what to do. :)