Over the last several weeks, my colleagues and I have reviewed the state of PCI compliance in recognition of the upcoming 10-year anniversary of the PCI Security Standards Council.
See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB
We've asked experts in the U.S. Europe, India and Australia to offer their opinions about the efficacy of the PCI Data Security Standard and whether it will still be needed 10 years from now (see PCI DSS: The Asian Journey to Compliance). We've also spoken with experts on the PCI Council, too, including General Manager Stephen Orfei, Chief Security Officer Troy Leach and International Director Jeremy King. And the over-arching message has been the same - PCI may not be perfect, but its widespread adoption has dramatically improved card security. And the need for PCI is not going away anytime soon.
It's easy to look at the payments landscape and see only the flaws, the security lapses and the breaches. Even with EMV chip deployment taking hold in the U.S. and in other parts of the world, important security issues remain (see Alleged EMV Flaw Stirs Debate). Payment card data is going to be vulnerable for quite some time - at least until the magnetic stripe is completely replaced with the chip, whether on a card or within a mobile device.
But if we step back a bit and get some perspective, we have to appreciate how far payments security has come.
Plenty of Progress
Think back to 10 years ago, when hackers, including Albert Gonzalez - one of the masterminds behind the attacks against retailers TJX, Hannaford Brothers and 7-Eleven and payments processor Heartland Payment Systems - were breaking through network firewalls with relative ease to steal credit and debit numbers.
Those attacks opened our eyes to just how insecure security practices surrounding payment card transactions actually were.
Beyond storing card data in the clear, weak perimeter security had made it relatively easy for hackers to infiltrate networks and systems to exfiltrate card data at rest and in transit.
Today, we would never consider a firewall, on its own, sufficient network protection. And anyone storing card data without encrypting it would be slapped with a huge fine from the card brands for blatant disregard for complying with PCI security requirements.
"Ten years ago, people weren't doing anything," Bob Russo, the former general manager of the PCI Security Standards Council, says of inadequate security measures. "A breach opens everybody's eyes. But you have to keep reminding them."
PCI expert Anton Chuvakin, a research director at the consultancy Gartner, says most merchants today understand that PCI compliance is a baseline for security. Ten years ago, that was not the case.
"PCI has been a major positive," he says. "Compare 2007 to 2016. A lot of blatantly idiotic insecurities have been 'PCI-ed out,' making it safer for everybody. Has PCI 'fixed' everything? No, of course not. But nothing can 'fix' crime."
The Long-Term Impact
The breaches we've seen over the last decade have become increasingly more sophisticated. But our breach response strategies have become more sophisticated, too, in part because of widespread acceptance and adoption of PCI DSS, says Jeffrey Man, security advocate at Tenable Network Security.
"When I first started with PCI back in 2004, unencrypted cardholder data (including sensitive authentication data) was everywhere," Man says. "One of my first clients was one of the major payment processors. There was pretty much no encryption available back then, at least for databases, so millions of records were being stored unencrypted and compensating controls were relied upon to protect that data. But there were also stored caches and flat files of transaction data on the POS systems, routers, switches, file servers - just about any place you could think of to look for cardholder data back then you could find it."
Reflecting back on the early days of the council, Russo says its members initially believed they could create a standard, work for about five years to ensure it was adopted, and then card security would no longer be a major issue.
"We thought everything would be secure by then," he says. "We thought EMV was going to be the panacea; and we thought PCI might go away. Now we know that is not the case. Will PCI have to evolve? Yes. But I think PCI and EMV will come closer and closer together. In 10 years, they may not call it PCI. But there will be some form of PCI security 10 years from now."
We also now know that PCI compliance is not a one-time goal, but an ongoing process, Man says.
"The payment industry is changing quickly, with new payment methods, mobile payments, EMV and tokenization," Man says. "All of these will change the landscape significantly. But what will not change is the effort of hackers to steal data and commit fraud. The technology is evolving, but the fundamentals of sound data, information and cybersecurity do not change. The challenge of security is due diligence and a certain amount of paranoia. No company is compliant (or secure) if they focus on an annual compliance assessment and overly rely on automated tools and security solutions to provide the necessary level of security. There is no substitute for trained personnel that know the network, the data flows, what's 'normal' and can more likely and quickly detect the abnormalities that are the indicators of compromise."
The Biggest Challenge
PCI has been criticized and challenged, but it's finally evolving into a set of standards to ensure basic card security. The biggest challenge, however, continues to be global adoption, especially among smaller merchants who find the PCI DSS to be quite complex.
Last month, the PCI Council addressed this issue in a compliance resource guide designed for small to mid-sized merchants (see Can Banks Help Small Merchants with PCI?). The resource aims to simplify the compliance process for merchants by helping them identify the requirements that are most critical.
Taking the complexity out of PCI DSS compliance is a huge first step. Also important is educating merchants about why the basic security measures outlined in PCI DSS and other standards are so critical.
Today, most merchants, regardless of their size, finally recognize the need for security. And that's huge progress from where we were 10 years ago.
So, is PCI working? Yes. But its impact will continue to evolve.