PCI And Schrodinger's Cat - InformationWeek

Commentary, 2/25/2009 11:47 AM

PCI And Schrodinger's Cat

The inherent paradox of the Payment Card Industry's compliance program to protect credit card data makes PCI a futile exercise. Let's try something else.

PCI compliance is like Schrodinger's Cat. Is an organization compliant with PCI? Until you open the box to find out -- that is, until you assess the organization -- an organization exists in both a compliant and noncompliant state.

Here's the problem with this paradox. PCI essentially aims at the lazy and the willfully ignorant. It tries to force companies to adopt processes and behaviors that the council has determined will reduce the risk of card data theft. That's great, but anyone who's raised kids knows that enforcing a behavior requires constant monitoring and correction.

As the PCI program is currently structured, a PCI DSS assessment is only a snapshot of an organization's processes and controls. That snapshot is only taken once a year. So an organization that is deemed to be compliant is only compliant at the time of the assessment. After the assessors leave, all bets are off.

That's silly, because it means the lazy and the willfully ignorant can run a sloppy operation 11 months out of the year, and then tidy up for the assessors. That's not an effective program for protecting card data.

The problem is that constant monitoring and enforcement would be obscenely expensive. As much as Visa and the other card brands can push merchants, they know they can't force this cost on them.

And so the only value of PCI is to the card brands, which can use it as a shield against federal regulation. I'm not saying federal regulation would be a better alternative, but the current structure of the PCI program is disingenuous. It's not about security. It's about an industry covering its ass.

Here's an alternative proposal.

Just as companies automatically enroll employees in 401(k) plans, let's auto-enroll merchants in PCI compliance. Then give merchants the option of un-enrolling or opting out. By opting out, organizations would no longer be subject to PCI mandates or assessments. They would be free to protect card data in whatever ways they think are best.

Organizations that opt out should be subject to significantly greater fines and penalties, such as paying higher transaction fees, if a breach occurs. Ideally, the fines and penalties would be structured so as to be greater than the costs of deploying a vigorous risk management program.

This fee structure is important. Companies that believe the costs of a breach will be lower than the cost of a risk management program may be willing to skimp on protecting card data. The fee structure has to dissuade them from this course of action.

The card brands could insist that organizations that opt out have top executives sign off that they understand they have a duty to protect cardholder data, that they believe their controls and processes are sufficient to protect that data, and that by opting out they understand they risk paying substantially larger fines in the case of a breach.

Another option might be to require companies that opt out to provide to the PCI Council and/or card brands a detailed response to the 12 PCI requirements to show how they are protecting card data. Then if a breach occurs, the organization and the card brands can go back and see where and how the security processes failed.

Organizations that opt out would still be subject to a forensic investigation run by the card brands in the case of a breach.

Why is this approach useful?

1) It's already partly in place. Some Level 1 merchants already get to self-assess. (Level 1 merchants process 6 million or more credit card transactions annually.) That's ridiculous. There's no point in third-party mandates if you don't have a third party confirm an organization meets those mandates. Every organization should have to submit to third-party assessments, or every organization should have the right to opt out.

2) Compliance doesn't equal security. The problem with compliance programs is that the intent of the program often becomes abstracted from the efforts to comply. The intent of PCI is to protect cardholder data. But companies often focus their efforts on checking the boxes without making significant changes to their operations, controls, and processes. The lazy and the willfully ignorant are probably going to get breached with or without PCI.

3) It still provides a framework for those that need it. Lots of organizations don't have the expertise to develop a sensible risk management practice. The PCI Security Standards Council has drawn up a useful blueprint. If companies want to follow it, good for them.

However, it doesn't make sense to apply this blueprint to every organization in the country. Different business requirements and processes require different controls. Organizations should have the flexibility to manage their risks in different ways.

I'd love to get feedback on this idea. Am I crazy? Am I on to something? Fill out the comment box below or drop me a line at [email protected].
