There are, in essence, two ways that you can make it more difficult for criminals to use stolen cardholder data (card numbers, expiry dates billing addresses and the like). You can make it harder to steal cardholder data (the PCI-DSS route) or you can make it harder to use the stolen data by doing away with magnetic stripes in card-present (CP) transactions and one-factor card-not-present (CNP) transactions. In a world without the internet and mobile phones, the latter prescription would seem theoretical. Hence there was no choice for the industry in that world but to try and lock down cardholder data in all the places where it is stored. This led to the creation of the Payment Card Industry Data Security Standards. Let us put to one side what those standards actually are, because this isn’t relevant to the conversation.
Now, it is no secret that some people think that PCI has proven an expensive way to reduce fraud, if indeed it has. I would like to see some publicly-available statistics from a reputable source on this topic – pointers anyone? I don’t think I was breaking ranks or telling tales out of school when I mentioned that it might be time for a check point around the topic and perhaps some strategic refocusing. I stress this is not a new opinion. These, to give a specific example, are not my words.
“PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority. It has and will continue to stifle innovation by its often nonsensical rule making.”[From StorefrontBacktalk » Blog Archive » Federal Reserve Listens To Security Vendor CEO Rip Into PCI]
On which topic, I was interested to see that my enjoyable and stimulating micro-debate with Jeremy King, the European Director of the PCI Security Standards Council, at the recent Westminister e-Forum on Mobile Wallets has attracted some attention. Jeremy got annoyed with me for saying that no-one cares much about card fraud. OK, I might have been exaggerating a bit. But come on – card fraud in the UK is a couple of hundred million quid, which is statistically not much different from zero, largely because of the money spent on EMV and 3D-Secure (3DS). I was arguing that that the costs of PCI-DSS are too high and that we (ie, the payment industry) should be looking for better solutions. For example: I don’t want my debit card to work in magnetic stripe ATMs or for CNP use and if it was blocked for these transactions then it wouldn’t matter is criminal gangs got hold of the card number and expiry date. Please, please, please Barclays — I couldn’t care less about the picture on my card, but I don’t want a stripe, I don’t want embossing, I don’t want my PAN printed on the card, I don’t want a signature strip and I don’t want my name, sort code and bank account number shown in the front of the card. And why can’t my credit card issuers just drop me a text when my cards are used outside of the UK. Or, for that matter, outside of England. Or, for that matter, at a merchant that I haven’t been to in the last year. Or whatever – surely that would be cheaper than phoning me up in the USA or writing off the chargebacks. I wasn’t arguing for this as a long-term solution either. t think that the industry should move from CP/CNP (EMV/3DS) to an identity-based “something present’ (SP) solution, but that’s an aside. Back to the debate.
Jeremy King, European director of the PCI Security Standards Council defended the standard, claiming that the average cost per record of cardholder data lost in the UK is £79 per record. If a company suffered a breach of 50,000 records – which is relatively small – it would therefore cost them £4 million. By comparison, the cost of PCI DSS is somewhere between $3 million and $4 million, depending on the size of the company.[From PCI DSS: is the cure worse than the disease? | ITworld]
So a company is spending say $4m to avoid a potential loss of £4m? Surely it would make more sense, as one of the audience members pointed out during question time, for the company to just buy insurance instead? I don’t get it. As the representative of the British Retail Consortium pointed out, large retailers might finding themselves spending £50m on this but if they get hacked then they’ll still get fined. (Note that US retailers have started to file lawsuits around the rules and the fines.) It may well be worth it, but I haven’t yet seen the evidence that can help us to determine the right level of expenditure. Apart from anything else, despite the money spent on PCI-DSS in the UK, there were a third more data breaches in 2012 than there were in 2011.
Now, I accept that finding statistical evidence around this is difficult. For one thing, it is very difficult to attach any specific frauds to any specific breaches. It may well be that cardholder data stolen from Sony was used to create counterfeit magnetic stripe cards used in US ATMs, but how do prove it? How do you know that the specific card number was stolen from Sony or from somewhere else? Or that if the fraudsters hadn’t got the numbers from Sony they would have abandoned their criminal activities and not attempted to get the numbers elsewhere. This is a complex topic, well beyond the scope of this blog.
Often they risk confusing correlation with causality – ignoring the fact that, for any observed change in fraud levels, there may be explanations other than the breach at issue.[From Analyzing Causation, Damages in Data Breaches, causation analysis in data breach matters, damages analysis in data breach matters, the role of statistics in data breach matters]
Some big acquirers are working hard to try and reduce the costs and complexity of compliance. Barclaycard, for example, have their new Risk Reduction Programme, which attempts to shift towards sliding scales that more closely link the expenditure to the likely risks. As an aside, when I interviewed Neira Jones (the head of security at Barclaycard, who incidentally made an excellent presentation about all this in January) for a podcast recently she made a very good point about all of this: much of what is required by PCI-DSS is required for any sound information security strategy so the incremental costs of PCI-DSS over “normal” security measures ought to be limited. Perhaps one of the reasons why the costs are high is that the security baseline in many organisations is just not good enough.
Anyway, the bottom line is this. Even if new approaches from the acquirers do help to reduce PCI compliance costs, and even if those costs were reducing data breaches, it still might be time for the payments industry to make safer, more secure products so that it doesn’t matter if teenage hackers can get into the Xbox network or not, because they can’t use the credentials that they steal. There’s an obvious way to do this, which is to switch to 2FA+ solutions that demand tamper-resistant hardware. Preferably solutions that are part of a generalised identity and authentication infrastructure, not something constructed solely for payments. Now, if only consumers had a portable device of some kind that contained some kind of smart chip together with some communications channels and perhaps a simple keyboard and screen…
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
One of the things that make PCI expensive to implement is that at the end of the day you have to be able to decrypt data to send it to the acquirer/card schemes in the clear, so you have to have a means of doing this and controls around how it is done (which is not cheap). If the risk equation above really made sense card acquirers/ schemes would not accept data in the clear as the risk/libability using the Maths above would be astronomic. They do – they have not and do not intend to modify the way they receive clearing files and probably site compensating controls – the big PCI get out of jail free card. Spending money on security will always improve security, but I wholehartedly agree that the bang per buck on PCI is woeful – which is obvious from the huge costs that have been incured and the lack of impact to overall card fraud figures. Chip and PIN had and impact .The PCI benefits are theoretical and have not been measured objectively.
PCI compliance is only expensive if you either; (a) have done nothing in the past to secure your cardholder data, or (b) are just plain stupid in how you approach it.
Most of the merchants I encounter fall into the (a) category in that they have POS systems from the late 1990s (remember Y2K?) and have not updated their infrastructure since they went to an IP network around the same time. Merchants live on thin margins and upgrading hardware and software every three to five years is just not affordable, even for the largest merchants. These merchants have no choice but to spend a lot of money to get PCI compliant.
However, I do encounter the occasional merchants that are in the (b) category. Typically they are in this situation because their IT personnel tried to find a “silver bullet” solution and bought every PCI compliance “widget” they could find in a vain attempt to get an easy way out. Had they put together a plan, it might have cost them a fraction of what they spent and still do not have a solution. They will continue to spend money like a drunken sailor until someone finally stops it and gets a plan put in place.