First the National Retail Federation (NRF), then bloggers. Organizations and people are piling on the PCI SSC and its standards, all because of the United States Federal Trade Commission’s (FTC) fact-finding project. It seems PCI is now a bad three-letter word. But with the changes that have been implemented or will soon be implemented, I am starting to wonder about the relevance of the PCI DSS. So I thought I would explore these topics and explain what has led me to that conclusion.
Ever since the FTC announced their little fact-finding mission, I have consistently said that the FTC is late to the party.
Why do I think the FTC is late?
The FTC’s fact-finding efforts are, I am sure, in response to the Target, Michaels, Home Depot, etc. data breaches, which resulted in tens of millions of payment card accounts being exposed and potentially used for fraudulent purposes. Remember, the FTC is a governmental body, so taking action can take a bit of time; in this case it took at least three years, longer than most people would have desired. But they eventually got around to it. While this fact-finding effort is a valid way to get up to speed on a problem, the trouble is that the threat landscape changed between those notorious breaches and the FTC getting its act together.
What in the threat landscape has changed?
The vast majority of mid-sized and large retailers have implemented, or are in the process of implementing, point-to-point encryption (P2PE) or end-to-end encryption (E2EE) and tokenization solutions to minimize their PCI scope to only the point of interaction (POI), otherwise known as the card terminal. As a result, the threat of large-scale breaches at these merchants is near zero, or soon will be within the next 12 to 18 months (based on my knowledge of a large number of such efforts). The reason is that these merchants’ point of sale (POS) and other systems will no longer have access to cardholder data (CHD) or sensitive authentication data (SAD).
How can the threat be near zero?
With P2PE/E2EE and tokenization, scope is limited to the POI alone, and the threat is very, very low because of how the POI must be implemented to work with P2PE/E2EE and/or tokenization. I am not going to discuss the security features of these solutions in detail, so as not to tip the hand of those organizations implementing them. Let me just say that a lot of information must be loaded into the POI in order to swap out terminals. Even then, there are additional controls involving the registration of the device by the merchant and/or service provider that preclude terminal swaps without generating some form of alert.
The one threat that does still remain is the use of an overlay for skimming cards. But that risk varies from POI vendor to POI vendor, and even by POI model within a vendor. And it is not as if vendors have not taken notice of the overlay problem. Vendors have gotten a clue and are changing the design of their POI to make an overlay as difficult as possible to use. I have a client that went with a POI that has various angles, long swipe tracks, LED lights and other features that would make an overlay not only very expensive to engineer but also very difficult to make appear seamless to customers and clerks. Over time I expect to see all POI manufacturers adopt strategies to minimize the ability to use overlays.
The result of all of this is that merchants are no longer the risk (if they even present a risk) they were two or more years ago.
So who or what does that leave at risk?
eCommerce Web sites are still a huge problem. EMV as it exists today does nothing to stem the problem of online fraud. Even if a merchant has outsourced eCommerce, they still have to manage that environment as well as deal with the chargebacks and disputes that come from eCommerce card transactions. I have heard rumors of solutions that are coming to address eCommerce, but I have yet to see any formal announcements of those solutions. So for the foreseeable future, eCommerce will remain in scope for some amount of PCI assessment, and merchants with an eCommerce presence will likely still have to address some form of PCI assessment for that environment.
Any merchant that has not gotten on the P2PE/E2EE and tokenization bandwagon is also still at risk. All merchants should be getting POI that encrypt and/or tokenize at the swipe or dip of a customer’s card. Adopting such solutions leaves the merchant having to comply only with requirements 9.9 and 12. I know that for some merchants this will mean an investment, but the payoff is an extremely reduced PCI scope and effectively taking almost all of the risk out of card payments.
The organizations that end up with a huge target on their backs are any service providers, transaction processors, issuers or financial institutions that have CHD and/or SAD stored in their files and/or databases. An unfortunate fact of life is that transaction processors, issuers and financial institutions are always going to have to have some amount of CHD/SAD in their files and databases because of the nature of their business. It is these organizations where the full on (i.e., Report On Compliance or ROC) PCI DSS assessment will never go away.
For merchants that have moved to P2PE/E2EE/tokens, I could see a move to an annual self-verification that those solutions are still implemented and functioning as designed. I could additionally see the card brands requiring, every three years or so, an independent assessment by a QSA/ISA that the controls for P2PE/E2EE/token solutions are still in place and functioning correctly. The reason for independent verification is that changes get made, and those changes might affect the environment, making it less secure. For merchants not using P2PE/E2EE/tokens, I would think the current SAQs and ROC will remain in place with an annual assessment required.
Will other PCI standards be marginalized or disappear?
The PA-DSS will never leave us. Software developers need to develop secure code, and those service providers, transaction processors, issuers and financial institutions that store CHD/SAD need applications that do so securely, so there is a built-in constituency for the PA-DSS. eCommerce solutions are also still going to need PA-DSS validation. And regardless of whether P2PE/E2EE and tokenization are implemented, any application potentially dealing with CHD/SAD will need to be assessed under PA-DSS to ensure that any CHD stored is stored securely and erased securely. Then there are the unknowns: you never know what might come along in the future, so there is always a possibility that some solution might need to securely store CHD or other payment-related information. The bottom line is that I find it very hard to believe that the PA-DSS could ever be dropped.
The PTS standard will also not disappear because those POI need to be validated to handle CHD/SAD securely and work properly regardless of P2PE/E2EE solutions. The PTS is the only standard that is a card brand requirement, not a PCI DSS requirement. It is the card brands that demand merchants use only PTS validated POI and I do not see that requirement going away when the POI is going to become the remaining target at merchants.
The ASV standard will not go anywhere, as there will still be eCommerce solutions that require vulnerability scanning. Most merchants will implement eCommerce solutions that minimize their PCI scope using a redirect or iFrame. Although I can see it coming that even merchants using those solutions will still need their eCommerce site, now deemed out of scope, to be scanned for vulnerabilities. The reason is that the invocation point of the redirect or iFrame is at risk of modification by an attacker.
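As an added illustration of that last point (example code written for this post, not from the original or from any vendor): a small Python check that parses a saved copy of a merchant checkout page and flags any iFrame, form or script redirect whose origin is not the expected hosted-payment origin. The PSP origin, the look-alike domain and the sample HTML are constructed placeholders; in practice the check would be run against the live page on a schedule, alongside the ASV scan.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosted payment page lives on this origin (placeholder value).
ALLOWED_PAYMENT_ORIGINS = {"https://pay.example-psp.com"}

# Constructed checkout page: the only handoff is the iFrame to the PSP.
CHECKOUT_OK = """<html><body><h1>Checkout</h1>
<iframe id="pay" src="https://pay.example-psp.com/hosted?mid=12345"></iframe>
</body></html>"""
# Same page after its invocation point was altered: an injected script sends
# the customer to a look-alike site (placeholder) before the PSP iFrame loads.
CHECKOUT_TAMPERED = CHECKOUT_OK.replace("<iframe", '<script>window.location.href'
    ' = "https://pay.example-psp-secure.invalid/hosted";</script>\n<iframe')

# location = "...", location.href = "...", location.replace("..."), location.assign("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href\s*=|\s*=|\.(?:replace|assign)\()\s*["']([^"']+)["']""")

class HandoffExtractor(HTMLParser):
    """Collect every URL through which the page hands the customer off."""
    def __init__(self):
        super().__init__()
        self.handoffs = []      # list of (kind, url)
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.handoffs.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.handoffs.append(("form", a["action"]))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:     # html.parser delivers <script> bodies here verbatim
            for m in JS_REDIRECT.finditer(data):
                self.handoffs.append(("js-redirect", m.group(1)))

def find_unexpected_handoffs(html, allowed=ALLOWED_PAYMENT_ORIGINS):
    """Return (kind, url) for every handoff whose origin is not an allowed PSP origin.
    Relative targets are flagged too: they would keep card entry on the merchant site."""
    parser = HandoffExtractor()
    parser.feed(html)
    return [(kind, url) for kind, url in parser.handoffs
            if f"{urlparse(url).scheme}://{urlparse(url).netloc}" not in allowed]
```

Any non-empty result is the alert condition: the page no longer hands the customer only to the PSP, which is exactly the modification the scope-reduction argument assumes cannot happen.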
One standard I do believe will eventually go away is P2PE. The reason is that there is very little to gain with a P2PE versus an E2EE solution. Both solutions are essentially the same; the only additional work required for E2EE is documenting that E2EE has been implemented appropriately, submitting that documentation to the client’s acquiring bank, and getting the bank to agree to the PCI scope reduction. As a result, I believe that the P2PE standard will slowly and quietly disappear into the night, as the cost of going through the assessment process along with the Council’s filing fees just cannot be justified by a lot of influential vendors such as Verifone and First Data.
There is my rationale for where I think things are hopefully headed. Only time will tell if the rest of the world sees things the same way.