The Future of PCI: 4 Questions to AnswerAs PCI Conference Begins, Security Debate Heats up Over Key Issues
It's been an interesting year for the Payment Card Industry Data Security Standard (PCI DSS, or just PCI).
On the other, there is the State of Nevada, which has passed a new law requiring businesses to comply with PCI when collecting or transmitting payment card information.
In the middle, is a debate among payment card companies, banking institutions, merchants, industry groups and even congressional leaders, questioning the merit of the standard and all hinting at the same open question: What is the future of PCI?
PCI stakeholders are gathering this week for the 2009 PCI Security Standards Council Community meeting in Las Vegas, NV. Among the questions sure to be discussed at this conference:
1)What About End-to-End Encryption?
Following the announcement of the Heartland breach, company CEO Robert Carr called for end-to-end encryption efforts and acceptance of that standard by the payments industry. Heartland even has piloted such a program, but critics say this initiative has a long road ahead if it's to become an industry standard. This is likely to be a major topic for discussion this week and in the coming months.
2) Is Chip and PIN Viable?
In the wake of the year's bigger breaches, some PCI critics have called for U.S. adoption of the UK's chip and PIN security standard, which relies on smartcard technology to reduce point-of-purchase fraud. Alas, the solution is not as effective in online card not present (CNP) transactions - one of the fastest growing fraud schemes. Still, given discussion of chip and PIN at a congressional hearing earlier this year, the solution is likely to get significant consideration in the PCI debate.
3) What are PCI's Limits?
Gartner analyst Avivah Litan has been one of the more outspoken PCI critics, arguing that U.S. card issuers and the industry need to strengthen the core of card payment security. "Card fraud is getting out of control in many areas, and bank card fraud detection systems across the globe are struggling to keep up," Litan says.
Following the recent indictment of Albert Gonzalez for the Heartland breach, Litan said Litan asserts it's time for the U.S. card industry "to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working."
Litan's statements will fuel the ongoing debate.
4) Where are the Lessons Learned?
The PCI debate has been riddled with contradictory statements. Following the Heartland breach, the company stated publicly that it was PCI-compliant at the time of the hack. But then Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, countered: "We've never seen anyone who was breached that was PCI compliant."
Network Solutions likewise argues that it was PCI compliant when it was breached. But David Taylor, CISSP and founder of PCI Knowledge Base, says it's a mistake for anyone to equate "compliant" with "impossible to breach."
There is no way that a committee that has to consider what is "reasonable" and "affordable" to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet, Taylor says.
One common refrain in PCI discussions this year has been that PCI compliance represents a point in time - not a permanent state of being. To ensure ongoing compliance, financial services firms and merchants need to engage in a detailed, ongoing review of service providers to better understand what is specifically being done to protect data at rest and in transit.
No doubt, the names Heartland and Network Solutions will come up frequently in the ongoing debate. The key is: What are the lessons learned from these incidents, and how will the payment card industry strengthen its standards?
The answers to those questions will shape the true future of PCI.