Why The PCI Standards Exist

After another spate of articles and speeches about the PCI DSS and why it is worthless, I thought it might be a good idea to explain why the PCI standards came to exist.

In 1999, Visa USA began to work on what became the Cardholder Information Security Program or CISP.  The first official version of the CISP was issued in the summer of 2003, with Visa asking select merchants to comply with the CISP as soon as they could.  The original impetus for the CISP was a response to increasing chargebacks that were the result of the fraudulent use of credit card accounts.  An analysis of these chargebacks had started to paint a picture of merchant employees who were increasingly using their access to point of sale (POS) and accounting systems to obtain credit card numbers and then using those numbers to commit fraud.

As development on the CISP progressed, Visa USA also started to see increasing instances where an e-Commerce site had been compromised and the credit card information stored on the site had been taken by an attacker and then was fraudulently used.  The reason these compromises had resulted in cardholder data being exposed was that application developers had used the same software design models for e-Commerce as those that were used by traditional POS.  This resulted in cardholder data being stored in databases that faced the Internet.

A year or so after the start of Visa USA’s efforts, MasterCard International began development of the Site Data Protection (SDP) standard.  Unlike the CISP, the SDP focused specifically on the security of e-Commerce sites.  MasterCard had monitored the rising fraud rate related to compromises of e-Commerce sites.  Like Visa USA’s analysis, MasterCard’s analysis of the problem pointed to the fact that most e-Commerce sites were storing cardholder data in databases that faced the Internet and were not very well protected from compromise.  As a result, MasterCard approached the problem with the SDP, which specified a basic level of information and network security for e-Commerce Web sites.

As work progressed on the CISP and further statistics on security issues were gathered, Visa USA began to recognize that the on-line payment applications themselves were the biggest problem related to compromises of cardholder data.  As a result, Visa USA developed the Payment Application Best Practices (PABP) standard.  The PABP was published in late 2004, with Visa USA encouraging software vendors to use it as a benchmark for securing their software.

It has been suggested that the PCI standards were only developed to minimize the losses to the card brands and banks and do nothing for merchants.  However, the PCI standards were meant to protect everyone in the transaction process.  When a breach occurs, the first thing people remember is the name of the card brand(s) involved, the second name is likely the merchant or service provider, and the third name is the franchisor, if there is one.  The card brands, service providers and franchisors discovered that their reputations were highly at risk, even though it was typically the franchisee merchant that actually created the problem.  Regardless of who caused the breach, the card brands further discovered that what people really remembered from breaches were the card brands’ names; everything else was forgotten.  As a result, the card brands became determined to protect their brand names and reputations.

There was another recent suggestion that the PCI DSS was not needed because market forces would resolve the security issues inherent in conducting credit card transactions.  The first problem with that idea is that most merchants and service providers are unconvinced that they are responsible for securing cardholder data, even after they might have suffered a breach.  They believe that it is the card brands’ problem to secure cardholder data because the card brands are the ones that issue the cards.  Unfortunately, the security of cardholder data is mostly outside of the control of the card brands, so the merchants and service providers need to be responsible for securing cardholder data as well.  The second problem with that idea is that for every security “expert”, there is a corresponding security baseline.  No one agrees on security, because everyone’s view is from their own perspective and the threats that they see or perceive.  As a result, some organizations have very strong and strict security (banks, for example), while others have only marginal security.  The problem with this approach is that security is only as good as the weakest link in the chain.  Those organizations with weak security practices become the targets through which the entire process chain is attacked, and in our interconnected world that puts organizations with strong security at risk whenever they partner with organizations that have weak security.  The card brands therefore recognized that a single standard baseline was needed to provide a consistent foundation on which to build additional security.

So, that is how we got where we are today.  Hopefully with this perspective you can now understand why the standards exist and their use in providing basic, essential security for cardholder data.


6 Responses to “Why The PCI Standards Exist”

  1. July 6, 2010 at 9:00 AM

    I’d say that the weakest link in the security of protecting cardholder data is the clear text card data encoded on the magnetic stripe of the card.

  2. newideasconsult
    July 4, 2010 at 3:08 PM

    Good post. I feel that our main problem in encouraging a positive response to PCI by merchants, ISOs, PSPs and so on, is two-fold. One being that many banking institutions where I most often work, Africa and Asia for example, are required only to audit themselves as compliant as opposed to being certified by a 3rd party, and this often leads to internal compromises and ‘dust-under-the-carpet’ policies, whilst the second is that PCI DSS is still seen as a card association ‘thing’, and let’s face it, they have never been cheap or at times well organized across the world in terms of implementation and compliance, CISP’s initial launch being a prime example.

    The thing is PCI DSS is an excellent way for companies to ensure their systems, processes and procedures are robust and resilient, and it does not take much to convince them of this in my experience. However, have them check the cost of the whole certification and they quickly change their opinion and willingness to comply. On average QSAs remain expensive in terms of fees and as they are ongoing, it often puts merchants and payment gateways off initiating such a certification process. Not to mention the perceived cost after an initial scan and/or audit to fix the problems within. No consideration is taken for the longer view, where the risk of a breach could be much costlier, and sadly, like insurance, clients often call only after such a breach has occurred.

  3. July 3, 2010 at 7:21 PM

    Great post. I think you are giving financial institutions (banks, credit unions, etc.) too much credit. Based on what I have observed, banks are no different than any other merchant or service provider. You have some that take it very seriously and others that hire third parties to drop a transaction switch and ATMs at the branches and various locations and really have no idea the risk they have assumed. A significant reason for this is that banks consider all transactions flowing through their ATMs as cards they have issued (typically identified as an “on us” transaction). Therefore, they reasonably believe that the risk is acceptable. One interesting aspect of PCI is that it focuses exclusively on service providers and merchants; banks are typically the enforcers and do not consider PCI applicable to themselves (Note: there are a few exceptions here!). Also, if you have had the pleasure of discussing Merchant PCI compliance with acquiring financial institutions, you will find that a lot of regional financial institutions do not understand their obligations related to PCI. They are simply looking for a merchant vulnerability scan and in rare cases an SAQ (which they may review but ultimately do not understand).

    Another interesting point here is that there are specific threats to banks that PCI simply does not take into account. I will never forget a discussion I had a few years ago with a bank VP regarding PCI. I was informing her of recent breach activity and the importance of PCI. Her response to me was that that is great, but I am dealing with phishing attacks and skimming which are creating an immediate financial impact and are not addressed by PCI. To her, phishing and skimming represented significantly greater risks than the threat of an external or internal compromise because these attacks were frequent and successful.

    • July 4, 2010 at 5:35 AM

      Financial institutions such as banks, thrifts and credit unions had nothing to do with the development of the PCI standards. The PCI standards were originally developed by the card brands and then turned over to the PCI SSC when it was formed.

      Most small and mid-sized financial institutions outsource their ATM networks to service providers or large financial institutions. However, right now small and mid-sized financial institutions that run their own ATM networks are getting pushed pretty hard by their ATM interchange networks such as NYCE and Plus to get a PCI Report On Compliance.

      But financial institutions have another risk. While most small and mid-sized financial institutions have outsourced the management and issuance of credit and debit cards, debit cards still require that the financial institution store the debit card PAN in their systems so that they can authorize transactions against the account balance. These financial institutions have also either outsourced their applications or they are running a package in-house. So these financial institutions are relying on their software vendors and/or outsourcers to provide their security solution for protecting their debit card PANs.

      It’s not surprising that you got that response from your community bank VP. Their biggest threat right now is phishing and skimming. Because of regulatory requirements and years of security strengthening, financial institutions are nothing like their merchant and service provider counterparts. Securing their stored PANs is the least of their problems. The card brands are not going after the financial institutions for exactly the same reason: the risk is with the merchants and service providers. That’s not to say that the financial institutions will not eventually get asked to prove their compliance, but that is likely a ways off.
