PCI security rules may require reinforcements

Critics carp that the standard isn't protecting credit and debit card data. And chief proponent Visa is working on new technologies that would go beyond PCI's current controls.

The PCI standard, long touted as one of the private sector's strongest attempts to regulate itself on IT security, is increasingly being slammed by critics who claim that the rules aren't doing enough to protect credit and debit card data.

And amid all the complaints, Visa Inc. — the standard's biggest proponent — is working one-on-one with banks and retailers to test new security measures that go beyond the controls currently mandated by PCI.

What it all adds up to is a new sense of uncertainty about the future of the specification, which is formally known as the Payment Card Industry Data Security Standard, or PCI DSS. Created by Visa and other credit card companies, the PCI rules will have been in effect for four years as of June 30. But with breaches of card data continuing and questions about the standard's effectiveness on the rise, PCI DSS is showing signs of coming apart at the seams.

Criticism of the standard isn't new. But since the recent disclosures of breaches by payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc., PCI DSS has been hit with some of its most forceful denunciations thus far.

For instance, at a March 31 hearing held in the U.S. House of Representatives, Rep. Yvette Clarke (D-N.Y.) said that PCI DSS simply isn't sufficient for protecting cardholder data. The security rules aren't "worthless," said Clarke, who chairs a subcommittee that focuses on cybersecurity among other topics. But, she added, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure."

As an example, Clarke pointed to the data breach disclosed early last year by Hannaford Bros. Co. The grocery store chain was certified as PCI-compliant by a third-party assessor in February 2008 — one day after it was informed of the system intrusions that had begun two months earlier.

Similarly, RBS WorldPay and Heartland both received PCI certifications last year prior to the breaches that they disclosed in December and January, respectively. Visa dropped the two companies from its list of PCI-compliant service providers last month and is requiring them to be recertified, although it has said merchants can continue to do business with them in the meantime.

Michael Jones, CIO at arts and crafts retailer Michaels Stores Inc., said at the House hearing that the PCI rules appear to have been developed "from the perspective of the card companies, rather than from that of those who are expected to follow them." As a result, he contended, the requirements don't necessarily help to protect data.

Jones added that he "would like nothing better" than to not have to store any card numbers in the systems at Michaels. But retailers are forced by card-issuing banks to keep that data in case of disputed transactions, he said. And then, when a breach occurs, "we are the ones who are demonized," Jones noted.

Standard Defense

Visa officials and other PCI supporters continue to insist that the standard is an effective tool for mitigating threats to card data — when it's implemented properly.

At the hearing, Bob Russo, general manager of the PCI Security Standards Council, which oversees PCI DSS, repeated previous contentions that all of the companies breached thus far weren't actually complying with the standard when the breaches occurred, even if they had been certified as PCI-compliant beforehand.

A compliance certification represents only "a snapshot in time," Russo said. "Effective compliance is a full-length film where the organization is compliant in each and every frame."

Ellen Richey, Visa's chief enterprise risk officer, made the same point at the company's Global Security Summit in Washington earlier last month. "The fact is, [the Heartland breach] never should have happened," Richey told attendees, while claiming that such incidents are obscuring the "substantial progress" being made on the card security front.

Although what happened at Heartland "is unfortunate, it does not make me question the tools we have at our disposal," Richey said. She added that rumblings being heard about the PCI standard's possible demise are "dangerous" to the ongoing efforts to ensure that card data is protected.

However, Richey also acknowledged that the time has come for security controls that go beyond the ones now included in PCI. Visa itself is looking at new ways to improve data security, she said, pointing to a pair of pilot projects being conducted separately with Fifth Third Bancorp and retailer OfficeMax Inc.

In the first instance, Fifth Third is testing the use of magnetic-stripe technology to create unique digital fingerprints for each card. Dan Roeber, vice president and manager of merchant PCI compliance at the bank, said it has distributed about 1,000 new card readers to retailers that haven't been told about the pilot project. The readers use data from the magnetic stripe on the back of cards to create a "DNA picture," which is matched against baseline information during the transaction authorization process, Roeber added during a panel discussion at the Visa conference.

"Even if somebody gets into a database and makes fraudulent cards, the DNA fingerprints are not going to match," Roeber said. And there are no security key management issues with the technology being tested by the bank, he said, describing that as an advantage over the use of end-to-end encryption to protect data.

Roeber is among those citing some issues with PCI. The standard has "lots of moving parts," which can make complying a challenge, he said. He also suggested that the credit card companies should give merchants more flexibility to implement the controls based on the specific risks they face.

The pilot at OfficeMax involves a challenge-and-response technique being used to help authorize card transactions. The retailer is asking shoppers for information such as their ZIP codes, the last four digits of their phone numbers or their three-digit area codes. The responses are then matched against previously submitted answers, said William Van Orman, OfficeMax's treasurer.

The company has rolled out the new procedures at about 1,000 stores in Illinois, Indiana and Florida, Van Orman said, adding that changes to the point-of-sale systems at those locations were required. After an initial six-month trial, the pilot has been extended by four months at Visa's request. "Overall, we think it's a successful project," Van Orman said.

Richey said that while the techniques being tested at OfficeMax and Fifth Third Bancorp aren't yet ready for broad usage, they're the kind of approaches that could be used to make stolen card data useless at the point of sale. She also detailed efforts by Visa to develop new fraud-fighting tools for consumers, including a transaction alert service that can send real-time notices of purchase activity to mobile devices. The service, which currently can be used by Chase cardholders with Android-based smartphones, is scheduled to be made available to all card issuers later this year.

In addition, Richey said Visa isn't opposed to the idea of eventually adopting the same kind of chip technologies that are part of the chip-and-PIN security approaches used in Europe. Chip-based cards are considered more secure than magnetic-stripe cards because the chip can generate a fresh card-verification value for each transaction as it is authorized, whereas a stripe carries one constant code per card that can be copied and reused.
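The static-versus-dynamic distinction above is easier to see in code. The following Python model is an added example written for this page, not Visa's, any issuer's or any card vendor's implementation, and it is a deliberate simplification of EMV: the real scheme uses issuer master keys, derived session keys and defined message formats rather than an HMAC over a small record. The test PAN, the per-card key and the amounts are constructed sample values. It shows why a skimmed stripe (constant code) replays cleanly while a captured chip authorization cannot be replayed, re-priced or forged without the card's key.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not real account data): one secret key per card,
# which a real issuer would derive from an issuer master key.
CARD_PAN = "4111111111111111"
ISSUER_CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class StaticStripeCard:
    """Magnetic-stripe model: the verification value is a constant written on the stripe."""
    def __init__(self, pan, cvv):
        self.pan = pan
        self.cvv = cvv

    def present(self, amount, terminal_nonce):
        # Whatever the terminal sends, the stripe can only hand over the same fixed code.
        return {"pan": self.pan, "cvv": self.cvv, "amount": amount}


class StaticIssuer:
    def __init__(self, records):
        self.records = records  # pan -> stored static CVV

    def authorize(self, msg):
        return hmac.compare_digest(msg["cvv"], self.records.get(msg["pan"], ""))


def transaction_data(pan, atc, amount, nonce):
    # Fixed-width encoding so fields cannot shift into each other.
    return pan.encode() + atc.to_bytes(2, "big") + amount.to_bytes(8, "big") + nonce


class ChipCard:
    """Chip model: a MAC over the transaction data, keyed by a per-card secret, plus a counter."""
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter, incremented every transaction

    def present(self, amount, terminal_nonce):
        self.atc += 1
        data = transaction_data(self.pan, self.atc, amount, terminal_nonce)
        cryptogram = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce, "cryptogram": cryptogram}


class ChipIssuer:
    def __init__(self, keys):
        self.keys = keys      # pan -> per-card key
        self.last_atc = {}    # pan -> highest counter value accepted so far

    def authorize(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None:
            return False
        data = transaction_data(msg["pan"], msg["atc"], msg["amount"], msg["nonce"])
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # wrong key, or amount/nonce/counter altered after signing
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False  # replay or counter rollback: the counter must move forward
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def stripe_clone_scenario():
    """A skimmed stripe carries the static CVV, so a cloned card authorizes."""
    issuer = StaticIssuer({CARD_PAN: "123"})
    genuine = StaticStripeCard(CARD_PAN, "123")
    captured = genuine.present(2500, secrets.token_bytes(4))    # skimmer reads the track data
    clone = StaticStripeCard(captured["pan"], captured["cvv"])  # written onto a blank card
    return issuer.authorize(clone.present(9900, secrets.token_bytes(4)))


def chip_replay_scenario():
    """A captured chip authorization cannot be replayed, re-priced or forged without the key."""
    issuer = ChipIssuer({CARD_PAN: ISSUER_CARD_KEY})
    card = ChipCard(CARD_PAN, ISSUER_CARD_KEY)
    legit = card.present(2500, secrets.token_bytes(4))
    first = issuer.authorize(legit)                 # genuine transaction: accepted
    replay = issuer.authorize(dict(legit))          # identical message again: counter not newer
    tampered = issuer.authorize(dict(legit, amount=9900))  # amount changed: MAC no longer matches
    # A thief holding the PAN and one captured cryptogram, but not the key, cannot mint a new one.
    forged = issuer.authorize(dict(legit, atc=legit["atc"] + 1, nonce=secrets.token_bytes(4)))
    return first, replay, tampered, forged


if __name__ == "__main__":
    print("stripe clone accepted:", stripe_clone_scenario())               # True
    print("chip genuine/replay/tampered/forged:", chip_replay_scenario())   # (True, False, False, False)
```

The counter check matters as much as the MAC: without it, a captured cryptogram for the exact same amount and nonce would verify again, which is the replay the article's "on the fly" values are meant to defeat. The `compare_digest` calls are there so that verification time does not leak how many bytes of a guessed code were right.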

Moving fully to a chip-and-PIN system, in which cardholders must enter their personal identification numbers for every transaction, would require major upgrades to the payment system infrastructure in the U.S. Banks and credit card companies haven't shown a willingness to invest in that thus far.

But at the House hearing, Clarke blasted the payment card industry for continuing to rely on what she described as "1950s-era" payment systems. And she called for it to make the necessary investments to install more-secure technologies than what PCI prescribes. "The bottom line," Clarke said, "is that we have to do more, and we have to do it now."

Copyright © 2009 IDG Communications, Inc.
