The PCI SSC vs the US Congress

The general manager of the PCI SSC, Bob Russo, and CTO Troy Leach were recently invited to present to the US Congress, on the subcommittee “Protecting Consumer Information: Can Data Breaches be Prevented?”. Their statements can be found here:

Whilst the statements did a good job of supporting the PCI SSC and its ongoing work, they did not answer the pointed question the subcommittee was named after: Can Data Breaches be Prevented?

I picked up on a few points in these statements, as follows:

* The PCI Standards are the best line of defense against the criminals seeking to steal payment card data.

That scares me. Is a once-a-year assessment that's open to interpretation really the best line of defence? The best line of defence is to reduce the attack footprint: getting rid of card data, eliminating insecure payment handling processes, and not attempting to solve broken business functions by tying them up with the bit of string known as PCI DSS. I know PCI DSS compliance is supposed to be continual and perpetual, but 10 years on, companies still treat it as a once-a-year exercise. If someone could tell me why they think companies are all of a sudden going to change, then please let me know.

* Consumers should take comfort from the fact that a great number of the organizations they do business with have joined the PCI SSC to collaborate in the effort to better protect their payment card data.

As it stands, 282 merchants have signed up as participating organisations. It is doubtful that many of these are actually PCI DSS compliant, due to their size and the intricate nature of their payment processing. They've joined the PCI SSC because they've got challenges and need help in solving them. Large merchants are not representative of the whole merchant population at all; they're a snowflake sitting on the tip of an iceberg. I'd disagree that this is a "great number", and I'd argue that the PCI SSC is only really listening to the direct needs of larger merchants, rather than putting together simple-to-understand controls that all merchants can adopt.

The PCI SSC Participating Communities are made up of:

  • 282 Merchants
  • 15 Associations
  • 60 Financial Institutions
  • 150 “Other” entities (mostly vendors)
  • 61 POS providers
  • 112 payment processors

Furthermore, there are around 500 or so consulting/services companies:

  • 324 QSA Companies
  • 120 ASV Companies
  • 695 listed PTS compliant PEDs
  • 3 QIRs

I'd guess at around 1,000 ISAs, plus PCIPs too.

Without a doubt, PCI SSC membership is heavily weighted towards companies that have a commercial interest in PCI Standards. The tens of millions of smaller merchants don't get a say. Adding up the numbers and all the various fees associated with the above programmes, I'd estimate the PCI SSC turnover at at least $20m a year.

Community?  No. It's a trade association at best, and the majority of members that join are in it to stay ahead of the competition.

* Global adoption of EMV chip is necessary and important. Indeed, when EMV chip technology does become broadly deployed in the US marketplace and fraud migrates to less secure transaction environments, PCI Standards will remain critical.

EMV is one way to solve card-present fraud, but given the sheer size of the global market, it's going to take at least 6 years to roll it out globally, plus the support (and financial support) of the card schemes, banks and retailers worldwide that have to pay for it. Plus it's apparent they still have to do PCI DSS thereafter, so is it really an attractive proposition? The PCI SSC insinuate that EMV chip technology WILL become broadly deployed in the US, and rightly point out that criminals will just move elsewhere. But what about the gap between now and when EMV is fully implemented? What's going to happen is that whilst EMV is being rolled out, criminals will focus on those that don't have it. With increased focus on non-EMV merchants, there are going to be a hell of a lot more PED breaches over the next several years whilst EMV sorts itself out.

* There are very clear ways in which the government can help improve the payment data security environment. For example, by championing stronger law enforcement efforts worldwide, particularly due to the global nature of these threats, and by encouraging stiff penalties for crimes of this kind to act as a deterrent.

So the PCI SSC think that the US government can encourage stiff penalties for any global infringement of payment card security? The last person the US government tried to extradite from the UK on cyber crime charges was Gary McKinnon; 15 years on, he's still here. Good luck when it comes to indicting criminals based in Russia and China, who under local statute are most likely not classed as criminals at all. Will stiff penalties really deter cyber criminals, or just push them further underground? The best strategy is to look at reducing the rewards: make cardholder data worthless and criminals will no longer want to steal it.

One might be able to learn from the efforts of private industry in the UK trying to persuade the UK government to take cyber security seriously. It's taking a long time, and so far the best we've ended up with is a radio campaign (Cyber Streetwise) and a cyber security department that has most of its funds diverted to hunting down criminals that use computers for nefarious purposes (e.g. drugs, money laundering, child porn), rather than hunting down criminals that are attacking companies and stealing their data.

* The PCI SSC recently launched a program, the Qualified Integrator and Reseller program (QIR) to provide a pool of personnel able to help small businesses ensure high quality and secure installation of their payment systems.

Well done. There are three QIR companies signed up so far, globally. That's one signed up every 6 months since the programme was "recently" launched in August 2012.

* Passwords

There's only so much you can do about default passwords, and this requirement has been with us for 14 years, since Visa CISP and MasterCard SDP. I'm not sure how the standard can improve any more in relation to telling companies NOT to use default passwords, but again, if there wasn't anything worth stealing, this wouldn't be a problem. I think the industry has got to appreciate that forcing a standard down someone's throat doesn't solve the problem of default passwords. 14 years on, people still use them, or are simply unaware that they're in use. Who puts the default passwords there? Generally vendors or service providers. So who would be best placed to solve this problem? Perhaps if vendors and service providers issued unique "default" passwords for equipment we wouldn't be in this mess. Even if the password was the serial number on the back of the box, this would be an infinite improvement. I'm a strong believer in corporate social responsibility: is churning out millions of boxes with a username CISCO and password CISCO really a good idea? Even a humble 0.0001% of a certain company's turnover would give a $10m spend to help fix this problem. Bring them up in front of Congress and watch them squeal instead…
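As an added example (not from the original post), this Python sketch shows what "unique default passwords per box" could look like on the vendor side. It goes one step beyond the serial-number idea above: the initial password is derived from the serial with an HMAC under a vendor-held factory secret, so each label is unique but not reproducible by someone who only reads the serial off the box. The username, secret value and list of shared defaults are constructed for illustration.

```python
import hmac
import hashlib

# Alphabet chosen to avoid characters that are easy to misread on a printed label
# (no 0/O, 1/I/l). 32 symbols means 5 bits per character.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Shared vendor-wide defaults of the kind the post complains about (constructed list).
SHARED_DEFAULTS = {("cisco", "cisco"), ("admin", "admin"), ("admin", "password")}


def derive_initial_password(serial: str, vendor_secret: bytes, length: int = 16) -> str:
    """Derive a per-device initial password from the unit's serial number.

    HMAC-SHA256 keyed with a secret the vendor keeps in the factory: the serial
    alone is not enough to reproduce the password. Deterministic, so the same
    serial always yields the same label text for reprinting.
    """
    if length < 8 or length > 51:  # 256 bits / 5 bits per symbol = 51 symbols max
        raise ValueError("length must be between 8 and 51")
    digest = hmac.new(vendor_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        chars.append(LABEL_ALPHABET[bits & 31])  # take the low 5 bits
        bits >>= 5
    return "".join(chars)


def make_label(serial: str, vendor_secret: bytes) -> dict:
    """Fields to print on the sticker on the back of the box (hypothetical format)."""
    return {"username": "admin", "serial": serial,
            "initial_password": derive_initial_password(serial, vendor_secret)}


def is_shared_default(username: str, password: str) -> bool:
    """True if the pair is one of the well-known shared defaults a factory must never ship."""
    return (username.lower(), password.lower()) in SHARED_DEFAULTS


def batch_is_unique(serials: list, vendor_secret: bytes) -> bool:
    """Factory QA check: every unit in a batch gets a distinct, non-shared password."""
    labels = [make_label(sn, vendor_secret) for sn in serials]
    passwords = {lbl["initial_password"] for lbl in labels}
    no_shared = not any(is_shared_default(l["username"], l["initial_password"]) for l in labels)
    return len(passwords) == len(serials) and no_shared


if __name__ == "__main__":
    secret = b"factory-batch-secret-constructed"  # in production, an HSM-held key
    for sn in ("SN0000001", "SN0000002"):          # constructed serial numbers
        print(make_label(sn, secret))
```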

* Can Data Breaches be Prevented?

OK, I've given the council enough of a bash, and really want to draw focus onto preventing data breaches. Noting that merchants and end users are poorly represented in the PCI SSC, it's still a valuable forum. More importantly, it's a forum of all the card schemes, service providers, vendors and financial institutions that can make a heavy assault in the ongoing battle against payment card fraud. I'll close with a single question:

Why not start building solutions with PCI DSS controls "built in", and stop relying on merchants to implement PCI DSS themselves, as they clearly don't have the resources and capability to do so?
