Is PCI-DSS Still Viable?Emerging Technologies May Overshadow PCI Compliance
News coverage of last week's payments security event hosted by the Federal Reserve Bank of Kansas City focused on comments by Jerome Powell, a member of the Federal Reserve System's board of governors. He encouraged banks to consider going beyond using only signatures to authenticate card transactions as the U.S. makes its move to EMV.
But the far more significant news from the show, which I attended, involved concerns raised by merchants and payments professionals about the viability and necessity of the PCI Data Security Standard, the payment card standard that's been in effect since 2006.
End-to-end encryption is the only way to truly secure card data.
A number of attendees and expert speakers suggested the PCI-DSS will soon outlive its usefulness. One merchant lobbyist told me she believed that the standard's days are numbered.
Why do some feel the PCI-DSS may soon prove to be unnecessary? Because as merchants, processors and banks make more investments in emerging technologies - such as EMV and tokenization, which devalue and/or eliminate card data from payments transactions - they greatly limit their need for PCI-DSS compliance by reducing the footprint where card data is located on their networks.
That reduction of so-called "scope" is something the PCI Security Standards Council, which oversees the development, management, education, and awareness of PCI security standards, supports as well.
But some attendees at last week's event suggest that it's not just about limiting scope, but, rather, removing card data altogether from a payments transaction.That, they say, will eventually eliminate the need for PCI-DSS compliance.
Nevertheless, several presenters at last week's event told me that the PCI-DSS is likely here to stay. That's because It will be years before clear-text card data is largely removed from transaction processing. And once security standards like the PCI-DSS are put in place, they rarely are eliminated.
Problems with Compliance Verification
One problem that the industry will have to address, however, is how PCI-DSS compliance is verified. Two presenters at last week's event raised serious concerns that PCI-certified QSAs, better known as a qualified security assessors, do not all evaluate companies for compliance in consistent and satisfactory ways.
Bob Carr, CEO of processor Heartland Payment Systems, contended during a payments security panel, which I moderated, that the company's PCI compliance at the time of its massive breach proved to be relatively meaningless.
You'll recall that back in 2008, Heartland was one of the first companies to suffer a major malware-related card breach.
Heartland had been certified PCI compliant just before its breach. But it became clear during the post-breach investigation that the QSA had done a poor job of gauging Heartland's overall network security when the processor was deemed PCI compliant, Carr said.
In fact, Carr said one of Heartland's servers was not ever reviewed or assessed by the QSA - which ultimately left an open window to Heartland's network for hackers to exploit (see Inside the TJX/Heartland Investigations).
"End-to-end encryption is the only way to truly secure card data," Carr said. "I don't understand why the industry has not moved in this direction. We decided after our breach just to move in this direction on our own."
Mark Carney, a QSA with security and forensics firm FireMon, who worked on the investigations into Wyndham Hotels and Resorts' 2009 breaches, acknowledges that not all QSAs are well-qualified.
The push for massive adoption of the PCI-DSS in the U.S. between 2007 and 2012, Carney said, resulted in the need to certify a number of QSAs who didn't have as much training and payments and security expertise as they should have.
Clearly, the process for certification of PCI-DSS compliance is not fool-proof.
So What's Ahead?
Will the PCI-DSS still be a relevant standard after the rollout of EMV, or will the cost of compliance, coupled with the challenges the industry faces in verifying compliance, be the standard's downfall?
Certainly, the roles of the PCI-DSS and the PCI Council are evolving. While EMV, for instance, is not part of PCI-DSS requirements, the PCI Council has taken steps to offer recommendations about how EMV can complement PCI data security standards.
But I'd like to know what you think. How do you envision the role of PCI changing over the next few years?