Dave Hogan doesn’t know PAN

August 7th, 2009

In a recent blog posting Dave Hogan, CIO of the National Retail Federation (NRF), reiterated his dogmatic stance that “PCI is little more than an elaborate patch”.  This is something he stated in a recent Congressional subcommittee meeting.

The best accounts of this testimony are by Branden Williams and Anton Chuvakin.  I highly recommend reading both of their blog posts, which deconstruct the testimony and point out flaws and fallacies in many of the statements.

Now, I want to agree with Dave, but much like a conspiracy theorist he goes a little too far.  Is PCI enough to secure companies against every data compromise ever imaginable? Certainly not.  Does it raise the bar for the entire industry and make it harder for hackers to compromise payment-card data? Most certainly, and the evidence is that the attacks which still succeed have had to grow more sophisticated each year.

So, I want to agree with Dave until he makes statements like the following one during the Congressional subcommittee meeting:

What is ironic in this scenario is that the credit card companies’ rules require merchants to store, for extended periods, credit card data [PAN] that many retailers do not want to keep.

I am shocked he was not reprimanded for this one, but then again he said the same thing a few years back on 60 Minutes and few people blinked an eye.  This statement is 100% false.  The card brand operating rules and regulations have long since enabled chargebacks without the full credit card number (or PAN), and PCI DSS itself points the other way: a stored PAN must be rendered unreadable (requirement 3.4, by truncation, one-way hashing, index tokens or strong cryptography), and a displayed PAN may show at most the first six and last four digits (requirement 3.3).  This is further verified by Anton and Branden in their blogs mentioned above.  Walt had to restrain himself from throwing objects at his TV when he saw the 60 Minutes episode.

Dave continues in the next sentence by saying:

To many NRF members, it appears that the credit card companies are less interested in substantially improving their product and procedures than they are with reallocating their fraud costs.

Come again? The credit card companies that dominate the industry, Visa and MasterCard, are not liable for fraudulent transactions.  Do you know who is? The merchants who accept the stolen or fraudulent cards, in the form of lost merchandise or goods.  In this sentence Dave is blaming the card brands for trying to reduce payment-card data loss, which in turn reduces other merchants' fraud losses, many of whom are members of the NRF … his employer.

Again, I want to agree with Dave when he says that we should remove the data and never store it in the first place.  <APPLAUSE>  In fact, many companies have been saying this for a long time, including: TrustCommerce, ProPay, Shift4, MerchantLink, EPX, PPI, BrainTree, Network Merchants, MagTek, Semtek, HomeATM, VeriFone, and CyberSource to name a few!

But are we to blindly accept a one-size-fits-all business model?  The benefits of many of these end-to-end encryption systems come with limitations on how the data can be used.  Internal business processes must be re-engineered, and some may no longer be possible, since only scrambled or encrypted data will be present: anything that keys on the card number itself, such as matching a return to the original sale, recurring billing, or reconciling a chargeback, has to work from a token or a truncated PAN instead.

Companies must weigh the pros and cons of any security technologies before running head first into any “solution”.  I am an advocate of end-to-end encryption along with many other information security protection measures (many are listed in the PCI DSS), but we must implement each to the degree that they facilitate and support the business.
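To make that trade-off concrete, here is an added Python example; it is not from the original post and is not the code of any vendor named above.  It records a card transaction without ever storing the full PAN, keeping only a truncated PAN and a keyed index token, and then shows that a chargeback-style lookup (last four digits, amount, date) still works on those records.  It assumes the PCI DSS rules that a stored PAN must be rendered unreadable (requirement 3.4) and that at most the first six and last four digits may be displayed (requirement 3.3); the record layout, the HMAC-based token and the matching rule are my own illustrative choices, and the PAN and key are constructed sample data.

```python
"""Keep a card transaction record without storing the full PAN.

Added example, not from the original post.  Assumes PCI DSS req. 3.4
(stored PAN rendered unreadable: truncation, one-way hash, index token or
strong cryptography) and req. 3.3 (display at most first six + last four).
The record layout, HMAC index token and chargeback-matching rule are
illustrative choices, not any card brand's or vendor's procedure.
"""
import hashlib
import hmac
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit test; rejects obvious garbage early."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed one-way token that links transactions on the same card without
    keeping the PAN.  The key must live outside the transaction store: an
    unkeyed hash would be brute-forceable because the PAN space is small."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class TransactionRecord:
    truncated_pan: str
    token: str
    amount_cents: int
    auth_date: str      # YYYY-MM-DD


def record_transaction(pan: str, amount_cents: int, auth_date: str,
                       key: bytes) -> TransactionRecord:
    """Build the stored record; the full PAN is used here and then dropped."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return TransactionRecord(truncate_pan(pan), index_token(pan, key),
                             amount_cents, auth_date)


def match_chargeback(records, last4: str, amount_cents: int, auth_date: str):
    """A retrieval request or chargeback carries last four, amount and date;
    that is enough to find the original sale in truncated records."""
    return [r for r in records
            if r.truncated_pan.endswith(last4)
            and r.amount_cents == amount_cents
            and r.auth_date == auth_date]


# Constructed sample data: a well-known Visa test PAN and an in-memory key
# (in real life the key sits in an HSM or key-management service).
TOKEN_KEY = b"demo-key-kept-in-an-hsm-or-kms-in-real-life"
SAMPLE_PAN = "4111111111111111"

SAMPLE_RECORDS = [
    record_transaction(SAMPLE_PAN, 4999, "2009-08-01", TOKEN_KEY),
    record_transaction(SAMPLE_PAN, 1250, "2009-08-03", TOKEN_KEY),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r)
    print(match_chargeback(SAMPLE_RECORDS, "1111", 1250, "2009-08-03"))
```

What this does not give you is the other half of the trade-off: a process that genuinely needs the digits back, such as re-running an authorization on a card you only hold as a token, cannot be done from these records at all and has to be pushed to whoever holds the key material or the encrypted PAN.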

We also need to read deeper into the mantra being told to us by experts.  We need to question the authority of others and examine the problem from all sides for ourselves.  It's never an easy process, but the more educated each of us is about both external security measures and internal business processes, the better we will be able to offer real guidance to our companies.

And that is job security you can bank on!