This is the final post in a three-parter which started with some background on card payments and the PCI DSS, then saw me explain some of the reasons why I love it and now, finally, will deliver some of the more negative aspects of this compliance requirement.
Who is PCI DSS for?
Let's first consider what PCI DSS is designed to protect. The standard is designed to prevent monetary losses from card fraud. Some casual Googling indicates that annual fraud losses in the UK are somewhere around £400 million depending on which report you read. Card detail theft, which is what PCI DSS is most concerned with, represents roughly 30% of that figure, or £120 million. These are pretty big numbers and it's not clear how much of that figure is ever recovered.
The card schemes are one of the biggest losers from this fraud and therefore naturally wanted to do something about it. The inherent problem for the schemes is that other organisations (merchants etc.) have to look after the data that, if compromised, results in fraud losses for them. The schemes needed to get these companies to protect card data. And so PCI DSS was born.
Issue one - Inherent insecurity and multiple custodians
Merchants aim to make money and therefore want to make it as easy as possible for their customers to purchase their goods and services. This overriding aim often takes precedence over security. But insecurity at the merchants’ end is not the only problem. The cards, and the way in which they are used, are also insecure. Card payments are fundamentally vulnerable to fraud because all you need to know in order to make a card payment are the card details. Everyone in the chain is exposed to the card details, from the customer, to the merchant, to the acquirer, to the issuer, to the card scheme. We all know the best way to protect data is give it to the fewest possible custodians and even PCI DSS states you should do that. The schemes can therefore be seen to have designed a product and a method of using that product with inherent insecurities.
The card schemes have merchants over a barrel. The schemes have something merchants want, a payment method almost universally accepted. However in return the merchants have to shoulder the cost and burden of securing this, when it's largely out of their control whether they receive this data in the first place.
Issue two - The card scheme members
Who are the card schemes? It's a membership that is mainly made up of banks and financial institutions. These are the companies whose technology underpins the entire process. At present these are set up to accommodate the payment card system, with all its insecurities. The issuers and acquirers are the ones whose IT platforms and operational processes would have to change to support an alternative more secure payment method. This would be a huge undertaking and there would appear to be little appetite to change things at the moment. It would therefore appear that the schemes have decided that changing the payment system is not a viable route forward.
The schemes have chosen to try and improve the security of the payment system in recent years. They have introduced chip and PIN and 3D Secure but these are bolt-ons to a broken system. They do not solve the fundamental problem of the card number.
Issue three - Cost of implementation
PCI DSS can be costly for a merchant to implement. The PCI SSC charges QSAs €10,000 up front and then €5000 every year, plus around $1000 per year per individual for training, ASVs have to pay $10,000 every year. This cost has to be passed on to the merchants by the QSA or ASV and so the average cost of compliance for even the smallest Level 1 merchant runs into tens of thousands of pounds. Whilst PCI DSS is intended to be about protecting the data and making a difference to fraud, compliance with the standard has become an industry of its own. From the merchant’s point of view there is likely to be little business logic in complying with the standard at such costs when their customers don’t demand it.
Issue four - Vendor influence and the mythical perimeter
PCI DSS, like other compliance programmes, has created a multi-billion pound industry of security vendors selling products to companies who need to be PCI DSS compliant. Anti-virus, IDS and firewalls, for example, are all requirements of the PCI DSS. They are products that vendors sell to companies who are looking to achieve PCI DSS compliance. These products alone will not stop a serious attacker though. The products sold by vendors for PCI DSS compliance are therefore not sufficient on their own to achieve an appropriate level of security.
PCI DSS is exacerbating the misconception that the attackers are only on the outside of your network and the data is "inside". The traditional Internet perimeter is dead, arguably it never actually lived but was conceived by all these firewall and IDS vendors because it sounds good right? They're out there, the only way in is through the firewall. "Monitor the traffic with our IDS and you're secure."
However, what happens when your sysadmin browses the web from your domain controller and all of a sudden you've got an infection in the middle of your network, on your DC, running as SYSTEM with access to all of your sensitive data?
PCI DSS is full of good advice. Companies should have an information security management system, should have senior management buy-in, should have a clear policy on what is and isn't allowed and should document the way that things should and shouldn't be done. Employees should be expected to know how to interact with their systems and they should be trained to recognise old and new threats. They are the first and last line of defence.
But, companies should not be doing all of this just to protect card data. Companies should be taking all these steps to protect their own data and assets. Find out what makes your company money and focus your efforts into looking after it. Prioritise that and build solutions which encompass your external compliance requirements too.
If you don't know where to start with putting in defences, PCI DSS could help you get an idea but there isn't a one size fits all security standard. Every company is different and that is where you need to put some effort in. If you decide to get external help make sure they actually take time to listen to you and focus on your organisation's individual needs, not just selling you the same old "security-in-a-box solutions" that won’t stop a serious attacker.