Is Something Wrong With PCI?

A question being asked in various circles in the wake of the Heartland breach.  An interesting post by Michael Dahn over at the Aegenis Group.  I started to respond and kept going and going and going.   Read his post first and my (somewhat rambling/unpolished ) response is below.

A couple points.

(1)  Faulty Logic. You claim that it is faulty logic to conclude after one company getting hacked that the entire PCI program ineffective.  On the flip side, it is also faulty logic to conclude that the mere existence of a standard means better security.  It really depends on what the standard says, its scope/rigor and how it is applied.  Even for seatbelts, some studies have suggested that the existence of seatbelts may increase the likelihood of reckless driving. It is possible to implement a standard simply to give the impression that something is being done...

(2)  It's the Risk, Stupid.  As you site in your post many individuals considering PCI compliance are only interested in doing "the minimum" to allow them to validate compliance for the year.  The problem is that there is no requirement under PCI that the level of risk posed by a given merchant or processor's operation dictate compliance.  How can the requirements of PCI be the same for a merchant that does 1000 cards a month and a payment processor that does 100 million cards per month?  It only can if the depth/rigor of compliance is higher for the 100 million processor.   You are right, there is a difference between having a firewall (check box!) and having a properly configured firewall and having a program in place to ensure/check that firewalls are properly configured.  Yet, some view the PCI Standard as not making a distinction between these situations - all are "compliant."  And, I contend that that is a problem with the Standard - that concept should be explicitly stated in and made part of PCI.  Not that GLB itself is a great standard, but at least it captures the idea of risk:

(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.

(3)  The Incentives Are All Wrong. Let me partially take back some of what I said about not taking risk into account.  Merchants and service providers are taking risk into account, the risk that they will lose their ability to process credit cards if they are not PCI compliant.  That is the motivating factor in the PCI game.  With no other real carrot or sticks implemented within the system.  Thus the name of the game is getting an ROC as cheaply as possible.

As long as you can find a QSA to validate, or one of your own IT employees for SAQs, you can continue doing business.  And of course, since there are hundreds of QSAs, meaning tons of competition, companies can leverage that competition to get an easy pass.  QSAs that want to do the right thing get marginalized.  In fact, since the QSAs get critiqued by their customers, those that play ball end up rising to the top of the ladder (another flaw in the system).  But isnt' the QSA assuming the risk if they rubber stamp, you ask?  Go read your contract with the QSA and see how much risk they are actually taking (look at the limitation of liability clause, disclaimer of consequential damages clause and indemnification clauses).  Meanwhile the ROC that is submitted is accepted without question.  We won't even get into the incentives around an in-house security  or IT professional (with perhaps no security training) who is completing a merchant or service provider's SAQ.

So what could change the incentives/motivating factors:  carrots and sticks.  There is no enforcement unless you are not validated.  Nobody checks if you REALLY ARE PCI compliant or whether you ACTUALLY have reduced any risk.  There is no penalty if you are validated unless you suffer a security breach (discussed more below).

What about carrots?  The benefit of validating PCI compliance is the ability to accept payment cards.  That benefit accrues to any company that has validated, whether or not they actually have reduced risk to a reasonable level.  What about "Safe Harbor"?  I don't think it exists.  Many companies I have spoken to are under the impression that if they are PCI compliant they will be immune from fines/penalties and liability.  I challenge anybody to identify a LEGAL RIGHT to immunity or a LEGAL OBLIGATION on anybody to provide a Safe Harbor.   In fact, Safe Harbor is no longer even identified on Visa's website:  VISA Merchant Page. You have to use the Internet Way Back machine to find information on what they used to call "safe harbor":  Old Safe Harbor Reference.

Note the even under the old description of safe harbor, it only excused PCI-complaint merchants from fines.  It did not prevent an Issuing bank from suing a merchant for the cost to replace cards.    So clearly, for merchants that engage in rigorous PCI-compliance there is no carrot that comes their way if they happen to suffer a breach.

Frankly, the lack of proper incentives and motivation around PCI compliance make me wonder about my last sentence in (1) above.

(4)  The Ultimate Stick - Getting Your Pants Sued Off. Yes, high profile breaches and lawsuits can deter bad behavior in the PCI realm.  However, there are a couple issues here as well.  As set forth below it appears that some companies believe that if they validate PCI compliance they are in a Safe Harbor that protects them.  Therefore they (wrongly) may not fear lawsuits.  Secondly, for those that use QSAs, there is a belief that if they are validated PCI compliant and they really aren't, that it will be on the QSA.  Again read your contract with your QSA to see how much liability they are actually taking.  Perhaps more high profile incidents like Hannaford and Heartland will act as a deterrent, but I question how much it is now.  This is especially true because lawyers are often not involved in the PCI compliance process and those security pros that are do not have the experience pr expertise to gauge actual legal risk (unless they have law degrees and have practiced - which is a whole other post).  Therefore, it may not be fully taken into account.

Thoughts?