Is PCI DSS Useless?
There seems to be much debate ongoing these days regarding the effectiveness of PCI DSS. There have been several high profile cases such as Heartland and RBS WorldPay where these companies had PCI DSS certification, yet still suffered card data breaches.
Some commentators are of the opinion that the standard is flawed, useless, merely a paper exercise to tick boxes which has everything to do with gaining a certificate and little to do with security.
A generally accepted truth is that nothing you do, no certification or technology or person, will ever make you 100% secure; but there are plenty of things that, if you don’t do them, will definitely leave you insecure.
Just let that sink in.
Nothing you can do will make anything totally secure. But doing nothing will guarantee it is insecure.
So let’s agree to proceed on the assumption that nothing we do will ever guarantee that card data won’t be compromised. The intention of standards like PCI DSS is to minimize the likelihood of card data being compromised. It also serves to provide a consistent benchmark and a minimum level of security offered between card transacting businesses. Note I say it is a minimum level of security. PCI DSS is just the beginning of having a robust security model, not the end.
Has PCI DSS worked?
Based on the assumption above, that is the wrong question to be asking. Rather, we should be trying to measure the effectiveness of PCI DSS in direct relation to the number of card details compromised.
OK then, how effective has PCI DSS been?
Ultimately, the security around cardholder data exists to prevent unauthorised persons gaining access to the details and going on to commit fraud.
Trustwave conducted an analysis of 443 cases of cardholder data compromise since 2001. The results show a decline in cardholder data being stolen or compromised whilst stored on company systems.
This downturn can be directly attributed to PCI DSS requirement 3, which mandates the protection of stored cardholder details.
So PCI DSS is good then?
Well, not quite. Although it has proven to be effective in convincing companies to encrypt their data in storage, the Trustwave report showed an increase in theft of cardholder data in transit, even though requirement 4 of PCI DSS stipulates the encryption of cardholder data across open, public networks.
Is PCI DSS requirement 4 inadequate?
Although requirement 4 mandates the encryption of data across open, public networks, it is probably an area which needs more clarification. Attacking the data in transit is clearly becoming a favoured approach for criminals, therefore more controls need to be implemented in order to protect the data.
What other attack trends have been noticed?
There have been more instances cropping up where malware has been used to capture data. Malware has also been reported to have been installed on ATM machines in order to gain control over them. So where banks have traditionally thought ATM networks to be isolated and secure, and hence have probably been a bit relaxed about their anti-virus and anti-malware applications, they should take a long hard look at their approach. This is an area where requirement 5 could be bolstered.
But academic research shows fraudsters can do so much more
Ultimately, fraudsters are after monetary gain in the easiest way possible. This means they won’t necessarily exploit all available vulnerabilities if an easier one exists. So although academics demonstrate that there are weaknesses in PCI DSS, or indeed in the actual cards themselves, those weaknesses probably won’t be exploited until such time as the easier-to-exploit vulnerabilities are closed.
If all technical avenues are closed off, fraudsters may revert to older and cruder methods of obtaining card details, such as using Lebanese loops to capture physical cards. So, a bit like a game of chess, one has to try to second-guess what the fraudsters will do next.
In conclusion, PCI DSS is actually quite a good standard. It has proven effective in ensuring organisations take greater care of stored cardholder data. However, this success has pushed fraudsters into attacking card details in transit and into utilising more sophisticated malware.
Like any security standard, it needs to continually evolve to face emerging threats.
Ultimately, organisations cannot simply implement a standard like PCI DSS and become complacent. It is the responsibility of companies to ensure they take all the necessary steps to protect their and their customers’ data. Total security is something no standard can ever provide.