Chris Skinner has a blog entry that asks the question, “Why does the card securities council not care about card security?” What concerns me is the title of the article as it again implies that the PCI standards do nothing to secure cardholder data. As a result, I thought I would take a shot at answering this question.
Mr. Skinner points to a number of technologies that he feels the PCI SSC is ignoring as potential solutions to securing cardholder data. These solutions include tokenization, end-to-end encryption (E2EE) and Chip & PIN (EMV). I recently posted a blog entry on all of these technologies, so I will not go into all of these here. The bottom line on all of these is that, individually, they do not solve the security problems we face. However, used in conjunction, they will create a much more formidable barrier to breaches. I can tell you that the Council is not ignoring these technologies; they are only doing proper research to ensure that whatever guidance they issue is not flawed resulting in a recall or wholesale rewriting of a standard. Want to lose credibility? Issue a standard that you have to later heavily modify or replace. Do I have to remind everyone about Wired Equivalent Privacy (WEP)?
Then we have the dynamics of the card brands. Just because Visa writes a whitepaper on some technology does not mean that the other four card brands have bought into Visa’s analysis. Visa may be the 800 pound gorilla of the card brands, but as anyone in business knows, the 800 pound gorilla does not always get its way regardless of how boisterous or how much chest pounding it may do. A prime example of this was in the late 1970s when IBM (then the 800 pound technology gorilla) tried to force System Network Architecture (SNA) down the International Organization for Standardization’s throat as the Open Systems Interconnect (OSI) model. What happened was that the rest of the technology companies in the world banded together and created the OSI seven-layer model that we have today. While it has a lot in common with SNA, it also has numerous differences. The bottom line is that there are certain dynamics between the card brands that will preclude the Council from always following Visa’s lead, regardless of whether Visa’s analysis is right.
How about the cost of any change? Merchants do not live on thick margins. Most are lucky to retain 1% to 4% of total sales as their profit margin. If you are Wal-Mart or Target, margins can be huge numerically, but still not enough to fund the kind of wholesale changes Mr. Skinner is suggesting. Unfortunately, most merchants are nowhere near the size of Wal-Mart, so they need to be even more judicial with their expenditures. As a result, any change that requires a significant investment is going to be tough for any merchant to swallow and will take time to get rolled out. After all, we are in the midst of a recession, so there is even higher sensitivity to expenditures that do not enhance the bottom line.
But for a number of merchants, the cost is not so much theirs to bear as much as it is their merchant bank’s cost. That is because a lot of merchant banks provide the entire cardholder processing environment to their merchants. As a result, the bank will have to absorb the cost and possibly increase fees should new terminals or software be necessary. Banks are not necessarily doing well either, so they too are avoiding any expenditures that are not going to positively influence the bottom line. Since security is an intangible, banks are going to be very reluctant to spend on cardholder infrastructure that does not drive up revenue. After all, in the United States and United Kingdom, the banks were bailed out by the government and are now being watched very closely by the various regulators and the regulators are holding the purse strings. Unless the regulators come on board, there will be no expenditure on what they will consider a frivolous expense on new terminals or software.
All of these parties are intimately involved in the PCI Security Standards Council as stakeholders. All of the card brands and a number of larger financial institutions are on the Council’s board and various work groups. Given the economic environment and the predisposition of these parties, is it any wonder why the Council appears to not be moving forward?
Not to mention that the changes Mr. Skinner is suggesting do not eliminate the problem of security breaches, they just shift the risks. Granted the risks get reduced, but by how much is anyone’s guess. But in the end, there are still going to be risks. As I always like to remind people, security is not perfect. Yet that seems to be what the card brands and Council seem to want people to believe. That if everyone followed the PCI standards, breaches would not occur and that is simply not true. Breaches would still occur, they just would not necessarily occur every week releasing thousands or millions of accounts. It would be more like a release every month of tens or hundreds of accounts.
I too would like to live in a perfect world. But the real world is always far from perfect. Decisions get made only when the wheel is so squeaky that it needs to be replaced. We can rant and rave all we want, but we will only get action when we can either show (i) a measurable business benefit, such as an increase in profit or improved efficiency, or (ii) someone else is doing it and they now have a competitive advantage. Unfortunately, I see neither of these conditions satisfied at this time nor any time in the near future. As long as the status quo remains, no one is going to move.
In the end, the PCI SSC does care about security. It is the politics that slow things down and those politics are not going to go away any time soon. That is the harsh reality of business and security.
UPDATE: Forrester Research has published a great white paper titled ‘How To Market Security To Gain Influence And Secure Budget’ that explains how to avoid the common mistakes that most security people commit and, as a result, why security professionals do not get the resources that they need to get the job done.