Last month’s announcement of Payment Card Industry Data Security Standard 2.0 (PCI-DSS v. 2.0) created a flurry of news reports in the IT media, but in reality changed little about the way that businesses guard sensitive cardholder information on their networks.
Originally PCI-DSS required organizations to implement both operational and technological changes in order to meet compliance. On the operational side, PCI-DSS forced companies to adopt a formal and consistent processing method with segregation of duties, isolation of cardholder data, and the removal of shared and vendor-default passwords. On the technological side, PCI-DSS mandated that companies protect stored data with encryption, destroy data once it is no longer needed, and protect the CVV and AVS values used for cardholder verification by not storing them after authorization.
For the most part, PCI-DSS has proven to be a good idea that has improved the overall security of credit card payment handlers.
However, PCI-DSS has some serious flaws, including a "point in time" audit philosophy that focuses too much on a once-a-year security check. In reality, those on the front lines of payment processing should be auditing continuously, so that they meet PCI-DSS on a constant basis rather than only on the day the assessor visits.
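One practical way to turn "do not store CVV" and "audit continuously" into something a team can actually run on a schedule, rather than a once-a-year checklist item, is to scan logs and data exports for cardholder data. The script below is an added example written for this post; it is not code from the original article or from the PCI council. The log lines are constructed test data (using the well-known 4111 1111 1111 1111 and 5500 0000 0000 0004 test card numbers), and the field names pan=, cvv2= and cvc= are assumptions about the log format. The Luhn check filters out the obvious false positives such as session IDs and timestamps that a bare digit-run regex would flag.

```python
"""Scan text records (log lines, DB dumps) for stored cardholder data.

Added illustration for this post, not part of the original article.
It checks two PCI-DSS storage rules discussed above: PANs must not sit
unmasked/unencrypted at rest, and CVV2 values must never be stored after
authorization. Sample records are constructed test data; the field
names (pan=, cvv2=, cvc=) are assumptions about the log format.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV-like field: an assumed label followed by 3 or 4 digits.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (timestamps, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report the PAN in the form PCI-DSS allows to be displayed: at most
    the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return findings for one record: Luhn-valid PANs and CVV-labelled fields."""
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "PAN", "value": mask_pan(digits)})
    for m in CVV_RE.finditer(line):
        # Never echo the CVV itself into the report; the field name is enough.
        findings.append({"type": "CVV", "field": m.group(1).lower()})
    return findings


def scan(lines) -> list:
    """Scan an iterable of records and tag each finding with its line number."""
    report = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            report.append({"line": n, **f})
    return report


# Constructed sample log (test card numbers, fictional orders and sessions).
SAMPLE_LOG = [
    "2010-11-05 10:01:22 INFO order=10045 pan=4111 1111 1111 1111 cvv2=123 amount=42.50",
    "2010-11-05 10:01:23 INFO order=10046 pan=411111******1111 amount=19.99",
    "2010-11-05 10:01:24 DEBUG session=1234567890123456 ua=Mozilla",
    "2010-11-05 10:01:25 INFO order=10047 pan=5500000000000004 cvc=9876",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run this against application logs, database exports and backup listings on a cron schedule and feed the output into whatever alerting you already have; line 2 of the sample shows what a compliant, masked log entry looks like, while lines 1 and 4 are exactly the records an assessor would write up.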
Another issue with PCI-DSS concerns the level of threat it addresses. PCI-DSS only covers the lowest-level threats that affect the typical merchant connected to the Internet. Large institutions with enormous daily transaction volumes, however, are a far juicier target for criminals, which gives attackers an incentive to develop high-level threats (both social engineering and technological) that PCI-DSS does not anticipate.
I also take issue with the credit card industry's handling of safe harbor under PCI-DSS. In essence, I believe it is unfair to penalize a merchant for a criminal data breach when the merchant has made a best effort to protect itself and the interests of the card issuers and processors. Specifically, Heartland and TJX committed no crimes, yet both were severely penalized financially for the actions of criminal organizations.
PCI-DSS is a good step, but the US needs a fundamental upgrade to its credit card processing network to put it on an equal footing with what the European Union has already implemented. The first step is for banks and processors to issue smart cards (EMV chip-and-PIN), PIN generators, and other technological solutions that verify physical possession of the card at the time of the transaction.
Flaws in the current AVS and CVV system have been apparent for many years, and only a technological upgrade will solve the problem. The current strategy of deferring system-wide upgrades, penalizing merchants for poor security, and forcing PCI-DSS on them in its current form is not a solution; in reality it is merely a shifting of blame and responsibility.
Don't get me wrong, PCI-DSS should be implemented. But it does not remove the system's current Achilles heel: static AVS and CVV information that, once captured, can be replayed. The European networks faced the same problem before upgrading to secure cards. Today, for European merchants, PCI-DSS is no longer such a big deal, and neither is ATM fraud or credit card theft.
Comment below and let me know what you think.