On May 23, 2016 the National Retail Federation (NRF) issued a scathing indictment of the card brands, the PCI SSC and the PCI standards, in particular the PCI DSS. But what is truly amazing is the irony and collective amnesia expressed by this document.
The first thing that got to me was the chutzpah of the writer of this document. Chutzpah is humorously defined as “a child who kills their parents and then throws themselves on the mercy of the court because they are an orphan.”
In this case, the writer has totally missed the whole reason why the PCI standards exist. It was because of the NRF’s members’ shortsightedness and refusal to secure their eCommerce Web sites and point of sale (POS) systems that we have the PCI standards. If merchants had just done the right thing more than 15 years ago and secured their systems that deal with cardholder data (CHD), the PCI standards would likely never have come into existence. Yet here we have the NRF going after the very thing they helped to create because they do not like it. Talk about having your cake and eating it too.
The next thing that caught my eye was the NRF’s version of history regarding PCI. Since I have been around the attempts to secure card data since 2002, I found the NRF’s version of events interesting, if missing a lot of facts. In the NRF’s version of history, history starts in 2003. However, this lack of memory should not surprise anyone, as it was the NRF’s own members that are the reason the Visa Cardholder Information Security Program (CISP) came into existence. Heaven forbid the NRF should admit that fact.
To correct the record, the Visa CISP actually dates back to the very late 1990s. Visa was concerned about the growing use of eCommerce and the security of using payment cards to buy goods and services through eCommerce. Breaches were a new thing, but Visa was concerned that they would become a big thing. The Visa CISP was codified around late 2001 to early 2002 and was published out to a limited number of consulting firms around the summer of 2002. By that time, merchants using the new eCommerce approach to selling their goods and services were being breached in record numbers, and customer payment information was being lost in what seemed like an almost everyday occurrence. The good news was that eCommerce was in its infancy and the Target or Home Depot type of huge breaches were still a ways off in the future. The bad news was that, as things were going, banks would be replacing payment cards every week.
The next piece I found interesting was this.
“Around 2003, Visa approached NRF with a proposal to impose Visa’s proprietary data security system (“Cardholder Information Security Program” or “CISP”) on brick-and-mortar retailers for in-store transactions.”
The first reason this statement is interesting is because none of the other card brands had an information security program officially published as of 2003. MasterCard’s Site Data Protection (SDP) program would be the only one published in the fall of 2003 but it was not really rolled out until early 2004. American Express and Discover would not come out with their programs until early and late 2004 respectively.
The second thing that I found interesting is the “brick and mortar” comment. Brick and mortar retail had always been included in the Visa CISP. But because of all of the eCommerce breaches going on, Visa chose to focus the CISP assessments on eCommerce (does “risk-based approach” ring a bell with anyone?). We see this selective amnesia with banks as well when it comes to PCI. The risk when the Visa CISP first came out was predominantly with merchants with eCommerce sites. Banks were also under the CISP scope, but since they were heavily regulated in the US and their security was examined at least annually, Visa and the other card brands did not see them as the huge risk. As a result, banks were not really assessed until only recently.
“NRF members balked at Visa’s plan largely because of concerns that the other card networks (e.g., MasterCard, JCB International) would also attempt to unilaterally impose their own—possibly different and conflicting—security standards on retailers.”
Given the way the merchant agreements are written (and have been written since the 1960s), the card brands through the acquiring banks can unilaterally implement whatever rules and regulations they want on the merchants. I find it disingenuous to be calling out your displeasure with the rules and regulations when your legal counsel and management already agreed to those rules and regulations. But to paraphrase a famous US Presidential candidate, “I voted for the agreement before I voted against it.”
That said, by the end of 2004 the remaining card brands had also introduced their security programs. American Express and Discover were the first to recognize that multiple programs were not a good idea and told merchants that they would accept the Visa CISP assessment in lieu of their own assessment programs. As of early 2005, American Express and Discover agreed to accept a Visa CISP review as proof of compliance with their security programs.
Even more interesting in this discussion is that MasterCard’s Site Data Protection (SDP) security program was focused entirely on eCommerce (hence the word “site” in the title), not brick and mortar. So where the writer of the NRF paper got the idea that every program impacted brick and mortar I do not know.
But then there is the underlying message of this paper. The NRF is essentially arguing to get rid of the PCI standards altogether. But the NRF makes no argument as to what they would do to replace the PCI standards. Oh, that is right, I forgot, merchants do not need to be policed. If we had followed that line of thinking, then we would have the NRF complaining about the over-regulation of the government in this area.
Speaking of which, this paper seems to imply a mistaken belief that the FTC investigation into the PCI standards will result in the removal of the PCI standards. I am not sure how the writer of the NRF paper thinks that will happen. In all my years of dealing with the government, the result of an investigation of this sort is not the removal of regulations; it is the imposition of additional regulations and even more intrusive oversight. If the NRF thinks the PCI SSC and the card brands were a pain, wait until the government starts going through their members.
As with the FTC, the NRF is actually late to the party. The vast majority of the NRF’s large members such as Walmart, Target, Home Depot and the like have all implemented or are implementing either end-to-end encryption (E2EE) or point-to-point encryption (P2PE) solutions with tokenization. The data is therefore encrypted at the point of interaction (POI) and can never be seen by the POS solution. Any data returned is tokenized so that the POS and other solutions do not have CHD. That means that the days of the large merchant data breach are almost behind us. As a result, the only PCI scope the NRF’s members will have is the POI at their checkout counters. Talk about scope reduction, but that does not seem to matter to the NRF.
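To make the scope-reduction point concrete, here is an added illustration (not code from the original post, the NRF, or any vendor) of the data flow described above: the PAN is encrypted inside the POI, the POS only ever handles an opaque blob plus the token and last four digits returned by the processor, and a simple scan of what the POS stores confirms that no CHD is present. The HMAC-SHA256 counter-mode keystream stands in for the P2PE device's real cipher, the token vault is an in-memory dictionary, and the PAN is the well-known 4111 1111 1111 1111 test number; all of these are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Stand-in for the POI's cipher: HMAC-SHA256 in counter mode (example only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poi_encrypt(poi_key: bytes, pan: str):
    """Runs inside the POI: the PAN is encrypted before it leaves the device."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(poi_key, nonce, len(pan))))
    tag = hmac.new(poi_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce, ct, tag


def processor_decrypt(poi_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> str:
    """Runs at the processor, the only party besides the POI holding the key."""
    expected = hmac.new(poi_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(poi_key, nonce, len(ct)))).decode()


class TokenVault:
    """Processor-side vault: PAN -> random token that carries no card data."""

    def __init__(self):
        self._by_pan, self._by_token = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_urlsafe(12)  # no digit-only runs
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def processor_authorize(poi_key, vault, nonce, ct, tag, amount_cents):
    pan = processor_decrypt(poi_key, nonce, ct, tag)
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return vault.tokenize(pan), pan[-4:]


def checkout(poi_key: bytes, vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The POS side of a sale: it never holds poi_key and never sees the PAN."""
    nonce, ct, tag = poi_encrypt(poi_key, pan)            # inside the POI
    token, last4 = processor_authorize(poi_key, vault, nonce, ct, tag, amount_cents)
    # What the POS is left with and may store: token, last four, amount.
    return {"token": token, "last4": last4, "amount_cents": amount_cents}


PAN_RUN = re.compile(r"\d{13,19}")


def pos_record_has_chd(record: dict) -> bool:
    """Scope check: does anything the POS stored contain a Luhn-valid PAN?"""
    for value in record.values():
        if isinstance(value, str):
            if any(luhn_valid(m.group()) for m in PAN_RUN.finditer(value)):
                return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # injected into the POI and processor only
    rec = checkout(key, TokenVault(), "4111111111111111", 2599)
    print(rec, "CHD present:", pos_record_has_chd(rec))
```

The same `pos_record_has_chd` scan run against a POS that stores the raw PAN in, say, a receipt note field would flag it, which is exactly the difference between a POS inside and outside the cardholder data environment.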
But this is an era of piling on and I am sure that has a lot to do with this NRF white paper and the vitriol it spews. The NRF felt the need to vent and vent they did. Unfortunately, their argument lacks any sort of basis in fact to make their point.