The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history. Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches.
The payment card industry failed to face up to major security problems when there was still time to do something back in 2005 after the first major card breach at Card Systems International, when 40 million cards were compromised. At that time, the card issuing banks and the card networks (Visa, Mastercard) came up with the PCI security standard as their answer for stronger card security, when Congress took them to the mat during congressional hearings.
Visa, MasterCard and the banks they represent thought that with PCI they could enforce adequate security at retailers and payment processors, while letting them bear major security burdens and costs. This was much easier and less costly for the U.S. banks, who are the last major holdouts in the world to upgrade to much more secure EMV Chip cards. None of them wanted to pay for those costly chip upgrades unitl now, when it’s almost too late.
If anyone was looking at the situation clearly back in 2005, they would have been able to forecast the trajectory we are now on – which is more and more devastating card breaches (ala TJX, Heartland Payment Systems) executed by more organized crime rings who know how to cash out the cards very quickly. A happy ending to this trajectory is far from sight. Indeed, why should the criminals stop when arrests are so far and few between, and when they typically enjoy immunity in their Eastern European countries of residence?
Clearly, PCI compliance is not working very well – despite billions of dollars spent by merchants and card processors in efforts to achieve it. For example, the standard hasn’t kept up with the latest attack vectors and retailers can’t be expected to know more than the security vendors do about detecting new forms of malware that evades conventional measures prescribed by PCI.
My understanding of the malware used in the latest round of breaches against Target and other retailers (allegedly there are many more that have not been announced) is that it attached itself in memory to the POS software (as opposed to being a memory scraping program as reported by others) and just captured the data as it went through the POS application. Like a worm, it had propogated itself to all the POS terminals throughout Target before attaching to the POS application. It aggregated the stolen data on a central Target server, and then double encrypted the data on the way out of the company so that the retailer IDS systems couldn’t detect it.
None of the conventional anti-malware applications on the market today look for this sort of program. And one question still not answered is how did it get inside the retailer network in the first place? Some security folks I spoke with said it got past POS whitelisting techniques used at retailers they work with – meaning perhaps somehow the supply chain was corrupted and the malware was attached to a routine POS software update.
Nothing I know of in the PCI standard could have caught this stuff. So I think it’s flat out wrong to blame this all on Target or on any of the other breached entities. The card issuing banks and the card networks (Visa. MasterCard, Amex, Discover) share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began.
At the least, they should have upgraded the payment systems infrastructure to support end (retailer) to end (issuer) encryption for card data much like PINs are managed today. They should have also started migrating to stronger cardholder authentication (ala EMV Chip cards) so that the magnetic stripe on the back of our cards can finally be eliminated.
While not perfect, these standardized measures would have gone a long way to preventing card data breaches. Instead the industry just keeps expecting retailers to patch a faulty and antiquated payment system via PCI compliance.
Of course, Visa, MasterCard and the qualified security assessors who perform the PCI audits have all covered themselves legally. That’s one area where they’ve been proactive. The assessor contracts that retailers and processors sign state that the assessor has no liability in the case of a breach. Further, when PCI first came out, Visa and MasterCard used to give merchants “safe harbor” from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach. When I asked Visa to explain, they told me “well the merchant must not have really been PCI compliant if they got breached. And perhaps they didn’t give their assessor all the information they needed to properly audit their systems.”
The banks and the card networks incorrectly assumed they could keep relying on the retailers and payment processors to lock down the payment system. That was shortsighted thinking that has unfortunately caught up with them as customer service costs mount and consumer confidence is shaken.
As for the merchants – they are still basically toast and not in an enviable position.