Many people debate the efficacy, effectiveness, and overall utility of the Payment Card Industry Data Security Standard (PCI DSS).  Some people involved in this debate suffer from a bounded rationality, wherein their rationality is bounded by the few articles they read online, their perspective as a merchant, or their view as an information security professional.

I’d like to outline the good, the bad, and the ugly about the PCI DSS.  I do this not to condemn or defend any one party but instead to raise the level of conversation and debate beyond some of the fallacy ridden discussions we have been having up until now.

The Good

One thing that people do not realize is that the Payment Card Industry is unlike any other.  The reason we all talk about it is because it is more of a “horizontal” than it is a “vertical” industry.  Instead of talking about the banking & finance, agriculture, or even retail industry we are talking about just about every company that utilizes credit cards in some way.  It is the case that regulatory compliance has driven the dollars behind information security since 2001, and the greatest motivator in the past few years has been the PCI DSS.  If we like it or not, this standard has been the carrot (and stick) necessary to making companies care about securing your payment card data.

Until the PCI DSS was created (and the CISP/SDP before it) there was little to no standardized way for acquiring banks to measure the risk present in their merchant population. Sure, they could have reviewed varying security reports but none of these went to the heart of the risk matter by eliminating the retention of sensitive authentication data.  In fact, it was not until the PCI mandates for not storing such data that we saw real change in the payments industry.

Thought the original PCI DSS compliance deadlines were September 30, 2004, it was not until the Visa Compliance Acceleration Program (CAP) in 2007 that substantial movement occurred.  The CAP program provided the motivation necessary to make merchants validate they were not retaining sensitive authentication data.

Information security writer and reporter, George V Hulme, gets it and says,I still contend, PCI DSS has done much to raise merchant security from the dismal state it was in — to the better state it is in today.”  Things are certainly getting better.

The PCI DSS has given acquiring banks, merchants and service providers a method of measuring their exposure to electronic and paper data compromise, the most important of which is keeping hackers from accessing the payment card data.  This is something that no other security standard specifically calls out.  (There exist many other information security programs but none define industry terms such as “sensitive authentication data” or “cardholder data”.)

So where would we be without the specific PCI mandate to eliminate sensitive authentication data and protect the remaining cardholder data?  Well, I argue we would have even more data breaches than we see today.  In the most recent (3.31.09) Visa Inc statistics, we see that within the U.S. all of the top two merchant levels have either validated compliance or are in the process of remediation.  This is a big change from even 3-4 years ago where many merchants had only begun to protect their payment card data.

Additionally, there has been significant work done to help the medium and smaller merchant levels.  Visa spearheaded the PA-DSS program, formerly the PABP, in an effort to provide secure payment applications to merchants who may not otherwise care about security or compliance.  If we follow the 80/20 rule, it is easy to imagine that 80% of the small (Level 4) merchants use the top 20% of payment applications/terminals.  If the industry can verify these payment terminals are secure they can help reduce the risk of data loss for 80% of the small merchant market.

The Bad

The PCI SSC has put in place a structured 2-year cycle for updating and improving the PCI standards.  These changes hope to move the standard in the direction of protecting data compromises based on evolving attack and threat patterns.  In the move from v1.1 to v1.2 we saw the addition of Requirement 6.6 in direct response to the rise in the number of web application attacks.  These are very positive moves, but I would not say everything is roses.

The PCI DSS references the need for a “risk based” approach but it is buried deep in Requirement 12.1.2, which states, “[security policies must] include an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.”  I like that it is here, but I think this sentence should be the overarching measure by which all requirements are addressed.

There have been many positives moves in this direction.  In April 2008, Bank of America released a document titled Beyond Minimum Compliance: PCI Risk Management.  Though not a risk management framework, this document outlined some Top 10 PCI Best Practices that included: becoming compliant, using secure payment applications, reducing the scope of data, validate compliance, and maintain a state of security throughout the year.  In 2009, the PCI Security Standards Council released a Prioritized Approach to Pursue PCI DSS Compliance.  This takes the PCI SAP and prioritizes each requirement based on, what I assume is, that which may prevent the exposure of payment card data to the greatest number of attacks.

The executive summary of the PCI Security Audit Procedures (SAP) should clearly state the need for a risk management methodology and approach.  Moreover, it should designate a call for action that companies create and maintain a capability and maturity model (CMM) to track their progress in reducing risk.

I’ve found that one of the major roadblocks to compliance adoption is the confusion about to what degree each requirement should be implemented.  These fears could be lessened if the risk management dialogue happened at the beginning of the standard.  Similar approaches have been seen in COBIT and even the ISO27001 (with the ISO27005 framework) to name a few.

The Ugly

What I find ugly about the industry is the continual flame wars that erupt around the standard itself.  I find that many, if not all of these, have to do with the improper implementation of the standard, or the lack of a deeper insight to the industry and the history of regulatory compliance.

Anyone who has worked in a cross section of regulatory compliance arenas can tell you that there is a major difference between government regulated industries and self-regulated industries.  With the exception of NAR’s REALTOR® Secure Program, I don’t know any other industry self-regulation that exists other than the PCI DSS.  (Branden Williams, Alex Hutton and David Mortman remind me of the HiTRUST program for the health care industry.)  This is a welcome anomaly in the world of government mandates.  Those who think PCI DSS is hard to comply with may not have dealt with GLBA or SOX.  With the GLB Act, if the Fed gives you a low rating (higher number) on your bank, they don’t fine you, they just shut you down.  The payments industry is trying to enable commerce in a more secure way than it was done before.

A favorite topic of Dan Geer is that of punctuated equilibrium.  The historical context of punctuated equilibrium has shown that without incremental action, a buildup of force can result in great reactionary action.  The simplest example of this is that of a volcano or earthquake.  In public policy and the payments industry this buildup has been noted several times.  We can see this historically where the government has intervened after the industry itself could not properly self-regulate.  The Great Depression gave rise to the Securities and Exchange Commission (SEC), the once poor food standards gave rise to the Food and Drug Administration (FDA), and we are now asking if the lack of personal data privacy will give way to a government managed compliance standard.  I argue that self-regulation with continual improvement will make faster strides towards data protection than will omnibus legislation.

People complain that the 2-year life cycle of the PCI DSS is too slow, but they must not be that familiar with the 4-year life cycle for other government mandates.  Also, changing a standard any faster would cause merchants’ heads to spin!  Though the payments industry is trying to self-regulate, this never seems to be enough for some people.

The “ugly” side of the industry is that which everyone becomes a pundit, spinning the story to meet their specific pain.  People say that PCI DSS is all about “risk transference” which is a flat out fallacy of belief.  The truth is that Issuing banks have always picked up the tab for fraud, and have long been able to recover that money from merchants via the various card brand issuer reimbursement programs (i.e. Visa ADCR).  The only thing the PCI DSS ever did was give acquiring banks (and all organizations handling payment card data) a measure against which to protect the payment card data.

This angry snarl of punditry is really the sad conclusion to our state of affairs.  I fully support those who wish to improve the industry but many times people feel that change should be revolutionary and not evolutionary.  They are quick to call your baby ugly and then tell you how to parent your child.  Everyone has their own input, and I just wish people would be more constructive with their comments, feedback, and advice.  We are listening!  I am listening!

As a final note, I’d like to remind the implementers of the PCI standards (merchants and service providers) to take responsibility for their own actions.  The PCI DSS should not be used as a stand alone tool.  Companies need to wrap the DSS in a comprehensive risk management program that is measured through time by a proper capability and maturity model.  Only by staying vigilant and continuously reevaluating our current security posture can we properly protect against the ever changing attack vectors that confront us.

Additional Reading

I also highly recommend PCI Shrugged: Debunking Criticisms of PCI DSS.  Please suggest others in the comments.