PCI And Schrodinger's Cat

The inherent paradox of the Payment Card Industry's compliance program to protect credit card data makes PCI a futile exercise. Let's try something else.PCI compliance is like Schrodinger's Cat. Is an organization compliant with PCI? Until you open the box to find out -- that is, until you assess the organization -- an organization exists in both a compliant and noncompliant state.

Here's the problem with this paradox. PCI essentially aims at the lazy and the willfully ignorant. It tries to force companies to adopt processes and behaviors that the council has determined will reduce the risk of card data theft. That's great, but anyone who's raised kids knows that enforcing a behavior requires constant monitoring and correction.

As the PCI program is currently structured, a PCI DSS assessment is only a snapshot of an organization's processes and controls. That snapshot is only taken once a year. So an organization that is deemed to be compliant is only compliant at the time of the assessment. After the assessors leave, all bets are off.

That's silly, because it means the lazy and the willfully ignorant can run a sloppy operation 11 months out of the year, and then tidy up for the assessors. That's not an effective program for protecting card data.

The problem is that constant monitoring and enforcement would be obscenely expensive. As much as Visa and the other card brands can push merchants, they know they can't force this cost on them.

And so the only value of PCI is to the card brands, which can use it as a shield against federal regulation. I'm not saying federal regulation would be a better alternative, but the current structure of PCI program is disingenuous. It's not about security. It's about an industry covering its ass.

Here's an alternative proposal.

Just as companies automatically enroll employees in 401(k) plans, let's auto-enroll merchants in PCI compliance. Then give merchants the option of un-enrolling or opting out. By opting out, organizations would no longer be subject to PCI mandates or assessments. They would be free to protect card data in whatever ways they think are best.

Organizations that opt out should be subject to significantly greater fines and penalties, such as paying higher transaction fees, if a breach occurs. Ideally, the fines and penalties would be structured so as to be greater than the costs of deploying a vigorous risk management program.

This fee structure is important. Companies that believe the costs of a breach will be lower than the cost of a risk management program may be willing to skimp on protecting card data. The fee structure has to dissuade them from this course of action.

The card brands could insist that organizations that opt out have top executives sign off that they understand they have a duty to protect card-holder data, that they believe their controls and process are sufficient to protect that data, and that by opting out they understand they risk paying substantially larger fines in the case of a breach.

Another option might be to require companies that opt out to provide to the PCI Council and/or card brands a detailed response to the 12 PCI requirements to show how they are protecting card data. Then if a breach occurs, the organization and the card brands can go back and see where and how the security processes failed.

Organizations that opt out would still be subject to a forensic investigation run by the card brands in the case of a breach.

Why is this approach useful?

1) It's already partly in place. Some Level 1 merchants already get to self-assess. (Level 1 merchants process 6 million or more credit card transactions annually.) That's ridiculous. There's no point in third-party mandates if you don't have a third party confirm an organization meets those mandates. Every organization should have to submit to third-party assessments, or every organization should have the right to opt out.

2) Compliance doesn't equal security. The problem with compliance programs is that the intent of the program often become abstracted from efforts to comply. The intent of PCI is to protect cardholder data. But companies often focus their efforts on checking the boxes without making significant changes to their operations, controls, and processes. The lazy and the willfully ignorant are probably going to get breached with or without PCI.

3) It still provides a framework for those that need it. Lots of organizations don't have the expertise to develop a sensible risk management practice. The PCI Security Standards Council has drawn up a useful blueprint. If companies want to follow it, good for them.

However, it doesn't make sense to apply this blueprint to every organization in the country. Different business requirements and processes require different controls. Organizations should have the flexibility to manage their risks in different ways.

I'd love to get feedback on this idea. Am I crazy? Am I on to something? Fill out the comment box below or drop me a line at [email protected].